Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip

Overview

General Information

Sample name:sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip
Analysis ID:1585206
MD5:38d2a1b1bbff49eb73a28fec2dc80282
SHA1:294749e3fbd32386a5bcac50f8ce59b85eb9f20d
SHA256:fde085813fef08180b4e42af2cc210e731419a08041496cf3d284ae9d6240d0d
Infos:

Detection

Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Changes security center settings (notifications, updates, antivirus, firewall)
Installs new ROOT certificates
Modifies Internet Explorer zone settings
Modifies Internet Explorer zonemap settings
Modifies the hosts file
Modifies the windows firewall
Overwrites Mozilla Firefox settings
Possible COM Object hijacking
Sample is not signed and drops a device driver
Tries to harvest and steal browser information (history, passwords, etc)
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Uses regedit.exe to modify the Windows registry
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Searches the installation path of Mozilla Firefox
Sigma detected: IE Change Domain Zone
Sigma detected: Use NTFS Short Name in Command Line
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses cacls to modify the permissions of files

Classification

Process Tree

  • System is w10x64_ra
  • rundll32.exe (PID: 5924 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • svchost.exe (PID: 6864 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7036 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 7076 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 7020 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • sasdriver_2.0.20.119.exe (PID: 5980 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe" MD5: C7DE7E1824745AC58E805EA696C69F11)
  • svchost.exe (PID: 3024 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • sasdriver_2.0.20.119.exe (PID: 6460 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe" MD5: C7DE7E1824745AC58E805EA696C69F11)
    • pingan_sign_control.exe (PID: 6964 cmdline: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exe /S MD5: EB9012112B7D1D07FF3290E4CE1B5CD3)
      • pingan_sign_control.tmp (PID: 6580 cmdline: "C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmp" /SL5="$170130,385304,57856,C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exe" /S MD5: 832DAB307E54AA08F4B6CDD9B9720361)
        • regsvr32.exe (PID: 736 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ \ \npkoalii_svs_acx.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
        • regsvr32.exe (PID: 6420 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ \ \koalii_svs_acx_x64.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
    • iProtectSetup.exe (PID: 6216 cmdline: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exe /S MD5: B7911D3187EB2B80E4AA9B247A1CC250)
      • iProtectSetup.tmp (PID: 6308 cmdline: "C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmp" /SL5="$60348,6640809,121344,C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exe" /S MD5: 1EC906C3A8B6D4D2778218A7E0AB9931)
        • CheckNetIsolation.exe (PID: 2868 cmdline: "CheckNetIsolation.exe" LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe" MD5: 712F673ACF999A475D49976CC0ADE71E)
          • conhost.exe (PID: 6288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cacls.exe (PID: 5492 cmdline: "cacls.exe" C:\Windows\system32\drivers\etc\hosts /t /e /c /g Users:r MD5: 00BAAE10C69DAD58F169A3ED638D6C59)
          • conhost.exe (PID: 6776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • ipconfig.exe (PID: 5292 cmdline: "ipconfig.exe" /flushdns MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
          • conhost.exe (PID: 5972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • iSignExecutor.exe (PID: 1608 cmdline: "C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exe" MD5: B7B8C614717DD02C27CB3E30C4809064)
        • iProtectSvc.exe (PID: 2144 cmdline: "C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exe" -install MD5: B26DD61E9A1AD0F17AEF4E0BB0734473)
          • conhost.exe (PID: 6992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • netsh.exe (PID: 6192 cmdline: "netsh.exe" advfirewall firewall add rule name=iProtectSvc dir=in action=allow program="C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exe" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
          • conhost.exe (PID: 7048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net.exe (PID: 1764 cmdline: "net.exe" start iProtectSvc MD5: 31890A7DE89936F922D44D677F681A7F)
          • conhost.exe (PID: 2212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • net1.exe (PID: 3312 cmdline: C:\Windows\system32\net1 start iProtectSvc MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
    • pajdbskey.exe (PID: 2868 cmdline: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exe /S MD5: 3A9DF5A936D5CCC8957B64A408FDB337)
      • regsvr32.exe (PID: 7024 cmdline: "regsvr32.exe" /s SZPAPluto.dll MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
      • gmMgr_szpa.exe (PID: 7036 cmdline: "C:\Program Files (x86)\Gemini\SZPA\gmMgr_szpa.exe" -i -s MD5: CF36EF2286264C75AC0180DD71610F68)
      • gmMgr_szpa.exe (PID: 640 cmdline: "C:\Program Files (x86)\Gemini\SZPA\gmMgr_szpa.exe" -r MD5: CF36EF2286264C75AC0180DD71610F68)
    • NetCertEnroll.exe (PID: 6988 cmdline: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\NetCertEnroll.exe /S MD5: 136685E9653FF75BA6322B3AA073718B)
      • NetCertEnroll.tmp (PID: 4004 cmdline: "C:\Users\user\AppData\Local\Temp\is-ST82F.tmp\NetCertEnroll.tmp" /SL5="$E01F8,199498,56832,C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\NetCertEnroll.exe" /S MD5: FFCF263A020AA7794015AF0EDEE5DF0B)
        • cmd.exe (PID: 4808 cmdline: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 3840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 1948 cmdline: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq firefox.exe" /FO CSV MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • tasklist.exe (PID: 2424 cmdline: tasklist /FI "IMAGENAME eq firefox.exe" /FO CSV MD5: 0A4448B31CE7F83CB7691A2657F330F1)
        • cmd.exe (PID: 2092 cmdline: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 2060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 2352 cmdline: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq firefox.exe" /FO CSV MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • tasklist.exe (PID: 2292 cmdline: tasklist /FI "IMAGENAME eq firefox.exe" /FO CSV MD5: 0A4448B31CE7F83CB7691A2657F330F1)
        • regsvr32.exe (PID: 2876 cmdline: "regsvr32" /s "C:\Program Files (x86)\NetCertEnroll\NetCertEnroll.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
    • AddTrustSite.exe (PID: 2064 cmdline: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\AddTrustSite.exe *.orangebank.com.cn MD5: A3BD4C9AED40F4775077F911F8D042EF)
    • AddTrustSite.exe (PID: 3252 cmdline: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\AddTrustSite.exe *.cloudcore.cn MD5: A3BD4C9AED40F4775077F911F8D042EF)
    • AddTrustSite.exe (PID: 3492 cmdline: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\AddTrustSite.exe *.sdb.com.cn MD5: A3BD4C9AED40F4775077F911F8D042EF)
    • AddTrustSite.exe (PID: 2336 cmdline: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\AddTrustSite.exe *.pingan.com.cn MD5: A3BD4C9AED40F4775077F911F8D042EF)
    • EsWebSocketKit.exe (PID: 4200 cmdline: EsWebSocketKit.exe MD5: 43A8D586CC87ECF98E62B60D224059C3)
      • CheckNetIsolation.exe (PID: 4616 cmdline: CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe" MD5: 712F673ACF999A475D49976CC0ADE71E)
        • conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • regFirefox64.exe (PID: 4064 cmdline: C:\Users\user\AppData\Local\Temp\regFirefox64.exe /init /cert C:\Users\user\AppData\Local\Temp\ca.crt MD5: 8B26D23ED0026EAF0A58B3A082195AE2)
      • EsWebSocket.exe (PID: 676 cmdline: "C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe" MD5: 8F0000D6D409D9E3446C12B35C1F1244)
      • FirefoxMOIT.exe (PID: 1544 cmdline: "C:\Program Files (x86)\EsWebSocketKit\FirefoxMOIT.exe" MD5: 9682C9E322B2D3D3F46AB484B434ECE9)
    • ePass3000GM.exe (PID: 4864 cmdline: ePass3000GM.exe /S MD5: F7E6529A1E658C41DAAB02244799A381)
      • certd3kGM.exe (PID: 4516 cmdline: "C:\Program Files (x86)\3000GM\certd3kGM.exe" MD5: 56606C0CD203DCBE461815F5ACBBA75C)
    • regsvr32.exe (PID: 4016 cmdline: C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\ft_pactrl.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
    • regsvr32.exe (PID: 4828 cmdline: C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\ft_pactrl.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
    • regedit.exe (PID: 4840 cmdline: regedit.exe /s "C:\Program Files (x86)\SAS USB Key Manager(Feitian)\sdbCsp11_s.reg" MD5: BD63D72DB4FA96A1E0250B1D36B7A827)
    • sascertd.exe (PID: 848 cmdline: "C:\Program Files (x86)\SAS USB Key Manager(Feitian)\sascertd.exe" MD5: A3D725181B41BB8F59FF6060047C5394)
  • svchost.exe (PID: 6528 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 6672 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 6660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • iProtectSvc.exe (PID: 6244 cmdline: "C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exe" MD5: B26DD61E9A1AD0F17AEF4E0BB0734473)
    • conhost.exe (PID: 6580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • iSignExecutor.exe (PID: 6164 cmdline: "C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exe" MD5: B7B8C614717DD02C27CB3E30C4809064)
  • rundll32.exe (PID: 5088 cmdline: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SYSTEM32\SHUTTL~2.DLL,eb_service MD5: 889B99C52A60DD49227C5E485A016679)
  • rundll32.exe (PID: 680 cmdline: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SYSTEM32\sdbCsp11.DLL,eb_service MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: IE Change Domain Zone
Source: Registry Key setAuthor: frack113: Data: Details: 2, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\regedit.exe, ProcessId: 4840, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sdb.com.cn\www\http
Sigma detected: Use NTFS Short Name in Command Line
Source: Process startedAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SYSTEM32\SHUTTL~2.DLL,eb_service, CommandLine: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SYSTEM32\SHUTTL~2.DLL,eb_service, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SYSTEM32\SHUTTL~2.DLL,eb_service, ProcessId: 5088, ProcessName: rundll32.exe
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exe" -silence, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmp, ProcessId: 6308, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iSignExecutor
Sigma detected: Modification of IE Registry Settings
Source: Registry Key setAuthor: frack113: Data: Details: 67, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe, ProcessId: 6460, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags
Sigma detected: Net.exe Execution
Source: Process startedAuthor: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: "net.exe" start iProtectSvc, CommandLine: "net.exe" start iProtectSvc, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmp" /SL5="$60348,6640809,121344,C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exe" /S, ParentImage: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmp, ParentProcessId: 6308, ParentProcessName: iProtectSetup.tmp, ProcessCommandLine: "net.exe" start iProtectSvc, ProcessId: 1764, ProcessName: net.exe
Sigma detected: Start Windows Service Via Net.EXE
Source: Process startedAuthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: "net.exe" start iProtectSvc, CommandLine: "net.exe" start iProtectSvc, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmp" /SL5="$60348,6640809,121344,C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exe" /S, ParentImage: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmp, ParentProcessId: 6308, ParentProcessName: iProtectSetup.tmp, ProcessCommandLine: "net.exe" start iProtectSvc, ProcessId: 1764, ProcessName: net.exe
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6864, ProcessName: svchost.exe

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpDirectory created: C:\Program Files\
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpDirectory created: C:\Program Files\ \
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpDirectory created: C:\Program Files\ \ \unins000.dat
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpDirectory created: C:\Program Files\ \ \is-EV702.tmp
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpDirectory created: C:\Program Files\ \ \is-PIA1V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpDirectory created: C:\Program Files\ \ \is-F4HQP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PABANKSignTool_is1
Source: C:\Windows\System32\regsvr32.exeFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_08e1c10da83fbc83\MSVCR90.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile opened: C:\Users\user\AppData\Local\Temp\nsuBA1E.tmp\
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile opened: C:\Users\user\
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile opened: C:\Users\user\AppData\Local\Temp\nsuBA1E.tmp\UserInfo.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_E3DA6A93A9D1E8B54B541D1774D4A2F9Jump to dropped file
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141Jump to dropped file
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBJump to dropped file
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_6A97884DB14EB9A72E484523E5BFEEFCJump to dropped file
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

barindex
Modifies the hosts file
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpFile written: C:\Windows\System32\drivers\etc\hosts

System Summary

barindex
Uses regedit.exe to modify the Windows registry
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess created: C:\Windows\SysWOW64\regedit.exe regedit.exe /s "C:\Program Files (x86)\SAS USB Key Manager(Feitian)\sdbCsp11_s.reg"
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpFile created: C:\Windows\system32\drivers\CCInputProtect_x64.SYS
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpFile created: C:\Windows\system32\drivers\CCInputProtect_x64.SYS
Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpFile created: C:\Windows\system32\drivers\CCInputProtect_x64.SYS
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_6A97884DB14EB9A72E484523E5BFEEFC
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_6A97884DB14EB9A72E484523E5BFEEFC
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_E3DA6A93A9D1E8B54B541D1774D4A2F9
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_E3DA6A93A9D1E8B54B541D1774D4A2F9
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\329B6147266C1E26CD774EA22B79EC2E
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\329B6147266C1E26CD774EA22B79EC2E
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1A374813EDB1A6631387E414D3E73232
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1A374813EDB1A6631387E414D3E73232
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeFile created: C:\Windows\SysWOW64\gmcsp_szpa.csp
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeFile created: C:\Windows\SysWOW64\gmcsp_szpa.sig
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeFile created: C:\Windows\SysWOW64\gmcsp_szpa.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeFile created: C:\Windows\SysWOW64\gmcsp_szpa_2052.ini
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeFile created: C:\Windows\SysWOW64\SZPAPluto.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\Windows\system32\sdbCsp11.sig
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\Windows\system32\sdbCsp11_s.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\Windows\system32\sdbCsp11.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\Windows\SysWOW64\npft_pactrl.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\Windows\SysWOW64\sdbCsp11_s.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\Windows\SysWOW64\sdbCsp11.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\Windows\SysWOW64\sdbCsp11.sig
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeFile created: C:\Windows\system32\ShuttleCsp11_3000GM_PINGAN.sig
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeFile created: C:\Windows\system32\ShuttleCsp11_3000GM_PINGAN_s.dll
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeFile created: C:\Windows\system32\ShuttleCsp11_3000GM_PINGAN.dll
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeFile created: C:\Windows\system32\ft_pactrl.dll
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeFile created: C:\Windows\SysWOW64\ShuttleCsp11_3000GM_PINGAN.sig
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeFile created: C:\Windows\SysWOW64\ShuttleCsp11_3000GM_PINGAN_s.dll
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeFile created: C:\Windows\SysWOW64\ShuttleCsp11_3000GM_PINGAN.dll
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeFile created: C:\Windows\SysWOW64\ft_pactrl.dll
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeRegistry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\118.0.1 (x64 en-US)\Main Install Directory
Source: classification engineClassification label: mal92.phis.adwa.spyw.evad.winZIP@99/130@0/17
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\Program Files (x86)\SAS USB Key Manager(Feitian)
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpFile created: C:\Users\user\AppData\Local\Programs
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\sascertd.exeMutant created: \Sessions\1\BaseNamedObjects\Global\693B478E-23E5-492b-A991-1DD5E89E3B3C_global_mtx
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\sascertd.exeMutant created: \Sessions\1\BaseNamedObjects\Global\693B478E-23E5-492b-A991-1DD5E89E3B3C_process_notify_mtx
Source: C:\Program Files (x86)\Gemini\SZPA\gmMgr_szpa.exeMutant created: \Sessions\1\BaseNamedObjects\Global\gmipc_656D53467824473EAE5760455B3B60BD_MgrInstance
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5972:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6288:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6992:120:WilError_03
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\sascertd.exeMutant created: \Sessions\1\BaseNamedObjects\Global\693B478E-23E5-492b-A991-1DD5E89E3B3Ces_hid_monitor_start_mtx
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7048:120:WilError_03
Source: C:\Program Files (x86)\EsWebSocketKit\EsWebSocket.exeMutant created: \Sessions\1\BaseNamedObjects\asio-58CCDC44-6264-4842-90C2-F3C545CB8AA7-676-00E16C54
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2212:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_03
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeMutant created: \Sessions\1\BaseNamedObjects\ePass3000GM_PINGAN_InstallMutex
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\sascertd.exeMutant created: \Sessions\1\BaseNamedObjects\Global\693B478E-23E5-492b-A991-1DD5E89E3B3C_slot_1_mtx
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6660:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6580:120:WilError_03
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{66363829-8F0D-46e4-8A6C-E33839C5CFB1}
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\sascertd.exeMutant created: \Sessions\1\BaseNamedObjects\Global\693B478E-23E5-492b-A991-1DD5E89E3B3C_slotmgr_mtx
Source: C:\Program Files (x86)\3000GM\certd3kGM.exeMutant created: \Sessions\1\BaseNamedObjects\090DF880-F850-428e-A421-D8CFB32096C9_certreg_single_instance
Source: C:\Program Files (x86)\EsWebSocketKit\EsWebSocket.exeMutant created: \Sessions\1\BaseNamedObjects\{9CB30B15-B17D-47FE-A017-7C08715198C7}
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\sascertd.exeMutant created: \Sessions\1\BaseNamedObjects\693B478E-23E5-492b-A991-1DD5E89E3B3C_certreg_single_instance
Source: C:\Program Files (x86)\Gemini\SZPA\gmMgr_szpa.exeMutant created: \Sessions\1\BaseNamedObjects\Global\gmipc_656D53467824473EAE5760455B3B60BD_TokenOperation
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\Users\user\AppData\Local\Temp\nseB9BE.tmp
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile read: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe "C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe"
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe "C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe"
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess created: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exe C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exe /S
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exeProcess created: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmp "C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmp" /SL5="$170130,385304,57856,C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exe" /S
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpProcess created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ \ \npkoalii_svs_acx.dll"
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpProcess created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ \ \koalii_svs_acx_x64.dll"
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess created: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exe C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exe /S
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exeProcess created: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmp "C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmp" /SL5="$60348,6640809,121344,C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exe" /S
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess created: C:\Windows\SysWOW64\CheckNetIsolation.exe "CheckNetIsolation.exe" LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
Source: C:\Windows\SysWOW64\CheckNetIsolation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess created: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exe C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exe /S
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess created: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exe C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exe /S
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exeProcess created: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmp "C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmp" /SL5="$170130,385304,57856,C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exe" /S
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpProcess created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ \ \npkoalii_svs_acx.dll"
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpProcess created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ \ \koalii_svs_acx_x64.dll"
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess created: C:\Windows\SysWOW64\cacls.exe "cacls.exe" C:\Windows\system32\drivers\etc\hosts /t /e /c /g Users:r
Source: C:\Windows\SysWOW64\cacls.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess created: C:\Windows\SysWOW64\ipconfig.exe "ipconfig.exe" /flushdns
Source: C:\Windows\SysWOW64\ipconfig.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess created: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exe "C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exe"
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess created: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exe "C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exe" -install
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess created: C:\Windows\SysWOW64\netsh.exe "netsh.exe" advfirewall firewall add rule name=iProtectSvc dir=in action=allow program="C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exe"
Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess created: C:\Windows\SysWOW64\net.exe "net.exe" start iProtectSvc
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exeProcess created: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmp "C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmp" /SL5="$60348,6640809,121344,C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exe" /S
Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start iProtectSvc
Source: unknownProcess created: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exe "C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess created: C:\Windows\SysWOW64\CheckNetIsolation.exe "CheckNetIsolation.exe" LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeProcess created: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exe "C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exe"
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess created: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exe C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exe /S
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s SZPAPluto.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeProcess created: C:\Program Files (x86)\Gemini\SZPA\gmMgr_szpa.exe "C:\Program Files (x86)\Gemini\SZPA\gmMgr_szpa.exe" -i -s
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeProcess created: C:\Program Files (x86)\Gemini\SZPA\gmMgr_szpa.exe "C:\Program Files (x86)\Gemini\SZPA\gmMgr_szpa.exe" -r
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess created: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\NetCertEnroll.exe C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\NetCertEnroll.exe /S
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\NetCertEnroll.exeProcess created: C:\Users\user\AppData\Local\Temp\is-ST82F.tmp\NetCertEnroll.tmp "C:\Users\user\AppData\Local\Temp\is-ST82F.tmp\NetCertEnroll.tmp" /SL5="$E01F8,199498,56832,C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\NetCertEnroll.exe" /S
Source: C:\Users\user\AppData\Local\Temp\is-ST82F.tmp\NetCertEnroll.tmpProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq firefox.exe" /FO CSV
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq firefox.exe" /FO CSV
Source: C:\Users\user\AppData\Local\Temp\is-ST82F.tmp\NetCertEnroll.tmpProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq firefox.exe" /FO CSV
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq firefox.exe" /FO CSV
Source: C:\Users\user\AppData\Local\Temp\is-ST82F.tmp\NetCertEnroll.tmpProcess created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32" /s "C:\Program Files (x86)\NetCertEnroll\NetCertEnroll.dll"
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess created: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\AddTrustSite.exe C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\AddTrustSite.exe *.orangebank.com.cn
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess created: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\AddTrustSite.exe C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\AddTrustSite.exe *.cloudcore.cn
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess created: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\AddTrustSite.exe C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\AddTrustSite.exe *.sdb.com.cn
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess created: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\AddTrustSite.exe C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\AddTrustSite.exe *.pingan.com.cn
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess created: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exe EsWebSocketKit.exe
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exeProcess created: C:\Windows\SysWOW64\CheckNetIsolation.exe CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
Source: C:\Windows\SysWOW64\CheckNetIsolation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exeProcess created: C:\Users\user\AppData\Local\Temp\regFirefox64.exe C:\Users\user\AppData\Local\Temp\regFirefox64.exe /init /cert C:\Users\user\AppData\Local\Temp\ca.crt
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exeProcess created: C:\Program Files (x86)\EsWebSocketKit\EsWebSocket.exe "C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe"
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exeProcess created: C:\Program Files (x86)\EsWebSocketKit\FirefoxMOIT.exe "C:\Program Files (x86)\EsWebSocketKit\FirefoxMOIT.exe"
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknownProcess created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess created: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exe ePass3000GM.exe /S
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess created: C:\Windows\SysWOW64\CheckNetIsolation.exe "CheckNetIsolation.exe" LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess created: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\NetCertEnroll.exe C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\NetCertEnroll.exe /S
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess created: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\AddTrustSite.exe C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\AddTrustSite.exe *.orangebank.com.cn
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess created: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\AddTrustSite.exe C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\AddTrustSite.exe *.cloudcore.cn
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess created: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\AddTrustSite.exe C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\AddTrustSite.exe *.sdb.com.cn
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess created: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\AddTrustSite.exe C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\AddTrustSite.exe *.pingan.com.cn
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess created: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exe EsWebSocketKit.exe
Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe C:\Windows\SYSTEM32\SHUTTL~2.DLL,eb_service
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeProcess created: C:\Program Files (x86)\3000GM\certd3kGM.exe "C:\Program Files (x86)\3000GM\certd3kGM.exe"
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess created: C:\Windows\SysWOW64\cacls.exe "cacls.exe" C:\Windows\system32\drivers\etc\hosts /t /e /c /g Users:r
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess created: C:\Windows\SysWOW64\ipconfig.exe "ipconfig.exe" /flushdns
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess created: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exe "C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exe"
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess created: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exe "C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exe" -install
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess created: C:\Windows\SysWOW64\netsh.exe "netsh.exe" advfirewall firewall add rule name=iProtectSvc dir=in action=allow program="C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess created: C:\Windows\SysWOW64\net.exe "net.exe" start iProtectSvc
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\ft_pactrl.dll"
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\ft_pactrl.dll"
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess created: C:\Windows\SysWOW64\regedit.exe regedit.exe /s "C:\Program Files (x86)\SAS USB Key Manager(Feitian)\sdbCsp11_s.reg"
Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe C:\Windows\SYSTEM32\sdbCsp11.DLL,eb_service
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess created: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\sascertd.exe "C:\Program Files (x86)\SAS USB Key Manager(Feitian)\sascertd.exe"
Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start iProtectSvc
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeProcess created: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exe "C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exe"
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s SZPAPluto.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeProcess created: C:\Program Files (x86)\Gemini\SZPA\gmMgr_szpa.exe "C:\Program Files (x86)\Gemini\SZPA\gmMgr_szpa.exe" -i -s
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeProcess created: C:\Program Files (x86)\Gemini\SZPA\gmMgr_szpa.exe "C:\Program Files (x86)\Gemini\SZPA\gmMgr_szpa.exe" -r
Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess created: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exe ePass3000GM.exe /S
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\ft_pactrl.dll"
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\ft_pactrl.dll"
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess created: C:\Windows\SysWOW64\regedit.exe regedit.exe /s "C:\Program Files (x86)\SAS USB Key Manager(Feitian)\sdbCsp11_s.reg"
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess created: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\sascertd.exe "C:\Program Files (x86)\SAS USB Key Manager(Feitian)\sascertd.exe"
Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeProcess created: C:\Program Files (x86)\3000GM\certd3kGM.exe "C:\Program Files (x86)\3000GM\certd3kGM.exe"
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeSection loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeSection loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeSection loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeSection loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeSection loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeSection loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeSection loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeSection loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeSection loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeSection loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeSection loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeSection loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeSection loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeSection loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeSection loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeSection loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeSection loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeSection loaded: reghiddevice.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeSection loaded: msvcp60.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exeSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exeSection loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exeSection loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exeSection loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exeSection loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exeSection loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exeSection loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exeSection loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exeSection loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exeSection loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exeSection loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exeSection loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exeSection loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exeSection loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exeSection loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpSection loaded: cscapi.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exeSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exeSection loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exeSection loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exeSection loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exeSection loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exeSection loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exeSection loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exeSection loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exeSection loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exeSection loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exeSection loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exeSection loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exeSection loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exeSection loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exeSection loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: oleacc.dll
Source: C:\Windows\SysWOW64\CheckNetIsolation.exeSection loaded: apphelp.dll
Source: C:\Windows\SysWOW64\CheckNetIsolation.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\CheckNetIsolation.exeSection loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\CheckNetIsolation.exeSection loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\CheckNetIsolation.exeSection loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\CheckNetIsolation.exeSection loaded: fwbase.dll
Source: C:\Windows\SysWOW64\CheckNetIsolation.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\CheckNetIsolation.exeSection loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exeSection loaded: moshost.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exeSection loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exeSection loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exeSection loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exeSection loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exeSection loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dmcmnutils.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dmxmlhelputils.dll
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exeSection loaded: inproclogger.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exeSection loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exeSection loaded: synccontroller.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exeSection loaded: aphostclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: accountaccessor.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dsclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exeSection loaded: systemeventsbrokerclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: userdatalanguageutil.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mccsengineshared.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cemapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: userdatatypehelperutil.dll
Source: C:\Windows\System32\svchost.exeSection loaded: phoneutil.dll
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exeSection loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dll
Source: C:\Windows\System32\svchost.exeSection loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exeSection loaded: bcd.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wer.dll
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpSection loaded: cscapi.dll
Source: C:\Windows\SysWOW64\cacls.exeSection loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cacls.exeSection loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cacls.exeSection loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: apphelp.dll
Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: dnsapi.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exeSection loaded: apphelp.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exeSection loaded: acgenral.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exeSection loaded: uxtheme.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exeSection loaded: winmm.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exeSection loaded: samcli.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exeSection loaded: msacm32.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exeSection loaded: version.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exeSection loaded: userenv.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exeSection loaded: dwmapi.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exeSection loaded: urlmon.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exeSection loaded: mpr.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exeSection loaded: sspicli.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exeSection loaded: winmmbase.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exeSection loaded: winmmbase.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exeSection loaded: iertutil.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exeSection loaded: srvcli.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exeSection loaded: netutils.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exeSection loaded: aclayers.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exeSection loaded: sfc.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exeSection loaded: sfc_os.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exeSection loaded: msasn1.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exeSection loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exeSection loaded: textshaping.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exeSection loaded: cryptsp.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exeSection loaded: cryptbase.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exeSection loaded: profapi.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exeSection loaded: dbghelp.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: apphelp.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: acgenral.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: uxtheme.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: winmm.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: samcli.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: msacm32.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: version.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: userenv.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: dwmapi.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: urlmon.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: mpr.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: sspicli.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: winmmbase.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: winmmbase.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: iertutil.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: srvcli.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: netutils.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: aclayers.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: sfc.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: sfc_os.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: msasn1.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: textshaping.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: cryptsp.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: cryptbase.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: profapi.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: dbghelp.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: wlanapi.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: apphelp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dll
Source: C:\Windows\SysWOW64\net.exeSection loaded: apphelp.dll
Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: msasn1.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: textshaping.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: cryptsp.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: cryptbase.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: profapi.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: dbghelp.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: version.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: wlanapi.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: userenv.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: rsaenh.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: gpapi.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: cryptnet.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: winnsi.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: winhttp.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: mswsock.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: webio.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: sspicli.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: dnsapi.dll
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeSection loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq firefox.exe" /FO CSV
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile written: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3003Auto_SAS_1033.ini
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpWindow found: window name: TMainForm
Source: C:\Program Files (x86)\Gemini\SZPA\gmMgr_szpa.exeFile opened: C:\Windows\SysWOW64\RICHED32.DLL
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpDirectory created: C:\Program Files\
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpDirectory created: C:\Program Files\ \
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpDirectory created: C:\Program Files\ \ \unins000.dat
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpDirectory created: C:\Program Files\ \ \is-EV702.tmp
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpDirectory created: C:\Program Files\ \ \is-PIA1V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpDirectory created: C:\Program Files\ \ \is-F4HQP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PABANKSignTool_is1
Source: sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zipStatic file information: File size 11863511 > 1048576
Source: C:\Windows\System32\regsvr32.exeFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_08e1c10da83fbc83\MSVCR90.dll
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpProcess created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ \ \npkoalii_svs_acx.dll"

Persistence and Installation Behavior

barindex
Installs new ROOT certificates
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 Blob
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 Blob
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 Blob
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 Blob
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\31BD6AEF73031C5A49338E7A06040DD815EF7512 Blob
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\077DF3781794F59CCE44FF062D8C1E46E6A5EB3E Blob
Possible COM Object hijacking
Source: c:\windows\system32\ft_pactrl.dllCOM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{0debcbce-b7b3-43ba-8b98-f0566fbbe625}\inprocserver32
Source: c:\windows\system32\ft_pactrl.dllCOM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{0debcbce-b7b3-43ba-8b98-f0566fbbe625}\inprocserver32
Source: c:\windows\system32\ft_pactrl.dllCOM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{0debcbce-b7b3-43ba-8b98-f0566fbbe625}\inprocserver32
Source: c:\windows\system32\ft_pactrl.dllCOM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{0debcbce-b7b3-43ba-8b98-f0566fbbe625}\inprocserver32
Source: c:\windows\system32\ft_pactrl.dllCOM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{0debcbce-b7b3-43ba-8b98-f0566fbbe625}\inprocserver32
Sample is not signed and drops a device driver
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpFile created: C:\Windows\system32\drivers\CCInputProtect_x64.SYS
Uses ipconfig to lookup or modify the Windows network settings
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess created: C:\Windows\SysWOW64\ipconfig.exe "ipconfig.exe" /flushdns
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpFile created: C:\Users\user\AppData\Local\Temp\is-LU8SQ.tmp\SetupUtil.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\Users\user\AppData\Local\Temp\nsuBA1E.tmp\ESNsisPlugin.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ST82F.tmp\NetCertEnroll.tmpFile created: C:\Program Files (x86)\NetCertEnroll\is-LNN03.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ST82F.tmp\NetCertEnroll.tmpFile created: C:\Users\user\AppData\Local\Temp\is-AM6E0.tmp\_isetup\_shfoldr.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpFile created: C:\Windows\System32\drivers\CCInputProtect_x64.SYSJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpFile created: C:\Program Files\ \ \is-F4HQP.tmpJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeFile created: C:\Windows\System32\ShuttleCsp11_3000GM_PINGAN_s.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeFile created: C:\Program Files (x86)\Gemini\SZPA\gmMgr_szpa.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\Users\user\AppData\Local\Temp\nsuBA1E.tmp\UserInfo.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\NetCertEnroll.exeFile created: C:\Users\user\AppData\Local\Temp\is-ST82F.tmp\NetCertEnroll.tmpJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exeFile created: C:\Users\user\AppData\Local\Temp\nst29EF.tmp\KillProcDLL.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpFile created: C:\Program Files (x86)\Cloud Core\iProtect\is-NNODT.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\AddTrustSite.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\Windows\SysWOW64\sdbCsp11_s.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpFile created: C:\Program Files\ \ \is-PIA1V.tmpJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exeFile created: C:\Program Files (x86)\EsWebSocketKit\EsWebSocket.exeJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exeFile created: C:\Users\user\AppData\Local\Temp\nst29EF.tmp\System.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\Users\user\AppData\Local\Temp\nsuBA1E.tmp\System.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exeJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeFile created: C:\Windows\System32\ShuttleCsp11_3000GM_PINGAN.dllJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeFile created: C:\Program Files (x86)\3000GM\certd3kGM.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpFile created: C:\Users\user\AppData\Local\Temp\is-LU8SQ.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeFile created: C:\Program Files (x86)\Gemini\SZPA\uninst.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ST82F.tmp\NetCertEnroll.tmpFile created: C:\Program Files (x86)\NetCertEnroll\is-QE7I4.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpFile created: C:\Users\user\AppData\Local\Temp\is-LU8SQ.tmp\ProcessMgr.dllJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeFile created: C:\Windows\SysWOW64\ShuttleCsp11_3000GM_PINGAN.dllJump to dropped file
Source: C:\Program Files (x86)\EsWebSocketKit\FirefoxMOIT.exeFile created: C:\Users\user\AppData\Local\Temp\nssFirefox.dllJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeFile created: C:\Windows\SysWOW64\ShuttleCsp11_3000GM_PINGAN_s.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exeFile created: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exeFile created: C:\Users\user\AppData\Local\Temp\regFirefox64.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\Windows\SysWOW64\sdbCsp11.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeFile created: C:\Windows\SysWOW64\SZPAPluto.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpFile created: C:\Users\user\AppData\Local\Temp\is-16ENA.tmp\_isetup\_isdecmp.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\Windows\SysWOW64\npft_pactrl.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\uninst.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\NetCertEnroll.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpFile created: C:\Program Files\ \ \is-EV702.tmpJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeFile created: C:\Program Files (x86)\3000GM\uninst.exeJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeFile created: C:\Users\user\AppData\Local\Temp\nsm328A.tmp\ESNsisPlugin.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exeFile created: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeFile created: C:\Windows\SysWOW64\gmcsp_szpa.cspJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeFile created: C:\Windows\SysWOW64\ft_pactrl.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\Users\user\AppData\Local\Temp\RegHidDevice.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\Windows\System32\sdbCsp11.dllJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeFile created: C:\Windows\System32\ft_pactrl.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpFile created: C:\Program Files (x86)\Cloud Core\iProtect\is-CN6T6.tmpJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exeFile created: C:\Users\user\AppData\Local\Temp\nssFirefox64.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpFile created: C:\Program Files (x86)\Cloud Core\iProtect\is-EM6FU.tmpJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exeFile created: C:\Program Files (x86)\EsWebSocketKit\IActiveXCtrl.dllJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exeFile created: C:\Program Files (x86)\EsWebSocketKit\FirefoxMOIT.exeJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exeFile created: C:\Users\user\AppData\Local\Temp\nst29F0.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\sascertd.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeFile created: C:\Windows\SysWOW64\gmcsp_szpa.dllJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeFile created: C:\Windows\SysWOW64\ShuttleCsp11_3000GM_PINGAN.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeFile created: C:\Windows\SysWOW64\gmcsp_szpa.cspJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\Windows\SysWOW64\sdbCsp11_s.dllJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeFile created: C:\Windows\SysWOW64\ft_pactrl.dllJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeFile created: C:\Windows\SysWOW64\ShuttleCsp11_3000GM_PINGAN_s.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\Windows\System32\sdbCsp11.dllJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeFile created: C:\Windows\System32\ft_pactrl.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\Windows\SysWOW64\sdbCsp11.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeFile created: C:\Windows\SysWOW64\SZPAPluto.dllJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeFile created: C:\Windows\System32\ShuttleCsp11_3000GM_PINGAN.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpFile created: C:\Windows\System32\drivers\CCInputProtect_x64.SYSJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\Windows\SysWOW64\npft_pactrl.dllJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeFile created: C:\Windows\System32\ShuttleCsp11_3000GM_PINGAN_s.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeFile created: C:\Windows\SysWOW64\gmcsp_szpa.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeFile created: C:\Windows\SysWOW64\gmcsp_szpa.cspJump to dropped file
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\iProtectSvc
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ \
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ \ \ .lnk
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cloud Core
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cloud Core\iProtect
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cloud Core\iProtect\Uninstall iProtect.lnk
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SZPA USBKEY Tools
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SZPA USBKEY Tools\USBKEY Tool.lnk
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SZPA USBKEY Tools\Uninstall.lnk
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SAS USB Key Manager(Feitian)
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SAS USB Key Manager(Feitian)\USB Key Manager.lnk
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SAS USB Key Manager(Feitian)\Uninstall.lnk
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EnterSafe
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EnterSafe\Token Manager.lnk
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EnterSafe\Uninstall.lnk
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run iSignExecutor
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run iSignExecutor
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run SAS_certd
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run SAS_certd
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ePass3000GM_PINGAN
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ePass3000GM_PINGAN
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess created: C:\Windows\SysWOW64\cacls.exe "cacls.exe" C:\Windows\system32\drivers\etc\hosts /t /e /c /g Users:r
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Gemini\SZPA\gmMgr_szpa.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Gemini\SZPA\gmMgr_szpa.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Gemini\SZPA\gmMgr_szpa.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Gemini\SZPA\gmMgr_szpa.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\EsWebSocketKit\FirefoxMOIT.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\3000GM\certd3kGM.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\3000GM\certd3kGM.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\3000GM\certd3kGM.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\3000GM\certd3kGM.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regedit.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regedit.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\sascertd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\sascertd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\sascertd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\sascertd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\sascertd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\sascertd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\sascertd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\sascertd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\sascertd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exeFile opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-LU8SQ.tmp\ProcessMgr.dllJump to dropped file
Source: C:\Program Files (x86)\EsWebSocketKit\FirefoxMOIT.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nssFirefox.dllJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeDropped PE file which has not been started: C:\Windows\SysWOW64\ShuttleCsp11_3000GM_PINGAN_s.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-LU8SQ.tmp\SetupUtil.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-16ENA.tmp\_isetup\_isdecmp.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsuBA1E.tmp\ESNsisPlugin.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ST82F.tmp\NetCertEnroll.tmpDropped PE file which has not been started: C:\Program Files (x86)\NetCertEnroll\is-LNN03.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ST82F.tmp\NetCertEnroll.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-AM6E0.tmp\_isetup\_shfoldr.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpDropped PE file which has not been started: C:\Windows\System32\drivers\CCInputProtect_x64.SYSJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeDropped PE file which has not been started: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\uninst.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpDropped PE file which has not been started: C:\Program Files\ \ \is-F4HQP.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\NetCertEnroll.exeJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeDropped PE file which has not been started: C:\Windows\System32\ShuttleCsp11_3000GM_PINGAN_s.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpDropped PE file which has not been started: C:\Program Files\ \ \is-EV702.tmpJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeDropped PE file which has not been started: C:\Program Files (x86)\3000GM\uninst.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsuBA1E.tmp\UserInfo.dllJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nst29EF.tmp\KillProcDLL.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cloud Core\iProtect\is-NNODT.tmpJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm328A.tmp\ESNsisPlugin.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeDropped PE file which has not been started: C:\Windows\SysWOW64\gmcsp_szpa.cspJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeDropped PE file which has not been started: C:\Windows\SysWOW64\sdbCsp11_s.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpDropped PE file which has not been started: C:\Program Files\ \ \is-PIA1V.tmpJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nst29EF.tmp\System.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsuBA1E.tmp\System.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-LU8SQ.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nssFirefox64.dllJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exeDropped PE file which has not been started: C:\Program Files (x86)\EsWebSocketKit\IActiveXCtrl.dllJump to dropped file
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nst29F0.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeDropped PE file which has not been started: C:\Program Files (x86)\Gemini\SZPA\uninst.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ST82F.tmp\NetCertEnroll.tmpDropped PE file which has not been started: C:\Program Files (x86)\NetCertEnroll\is-QE7I4.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeDropped PE file which has not been started: C:\Windows\SysWOW64\gmcsp_szpa.dllJump to dropped file
Source: C:\Windows\System32\svchost.exe TID: 6796Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exe TID: 7000Thread sleep time: -90000s >= -30000s
Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile opened: C:\Users\user\AppData\Local\Temp\nsuBA1E.tmp\
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile opened: C:\Users\user\
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile opened: C:\Users\user\AppData\Local\Temp\nsuBA1E.tmp\UserInfo.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeFile opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpProcess information queried: ProcessInformation
Source: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exeProcess queried: DebugPort
Source: C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exeProcess queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

barindex
Modifies the hosts file
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpFile written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start iProtectSvc
Source: C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmpQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeQueries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeQueries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exeQueries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

barindex
Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Modifies Internet Explorer zone settings
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeRegistry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Flags
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeRegistry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 2201
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeRegistry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1201
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeRegistry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1004
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeRegistry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1001
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeRegistry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1209
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeRegistry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 120A
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Flags
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 2201
Source: C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1201
Modifies Internet Explorer zonemap settings
Source: C:\Windows\SysWOW64\regedit.exeRegistry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sdb.com.cn\www http
Source: C:\Windows\SysWOW64\regedit.exeRegistry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sdb.com.cn\ebank https
Source: C:\Windows\SysWOW64\regedit.exeRegistry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sdb.com.cn\cert http
Source: C:\Windows\SysWOW64\regedit.exeRegistry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cfca.com.cn\www http
Modifies the hosts file
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpFile written: C:\Windows\System32\drivers\etc\hosts
Modifies the windows firewall
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess created: C:\Windows\SysWOW64\netsh.exe "netsh.exe" advfirewall firewall add rule name=iProtectSvc dir=in action=allow program="C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exe"
Overwrites Mozilla Firefox settings
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\pkcs11.txt
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert9.db
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\key4.db-journal
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\key4.db-journal
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\key4.db
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert9.db
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert9.db-journal
Uses netsh to modify the Windows network and firewall settings
Source: C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmpProcess created: C:\Windows\SysWOW64\netsh.exe "netsh.exe" advfirewall firewall add rule name=iProtectSvc dir=in action=allow program="C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exe"
Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

barindex
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile opened: C:\Users\user\AppData\Roaming\mozilla\firefox\Profiles\m8f4v4pw.default\key4.db-journal
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile opened: C:\Users\user\AppData\Roaming\mozilla\firefox\Profiles\m8f4v4pw.default\cert9.db
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile opened: C:\Users\user\AppData\Roaming\mozilla\firefox\Profiles\m8f4v4pw.default\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile opened: C:\Users\user\AppData\Roaming\mozilla\firefox\Profiles\m8f4v4pw.default\pkcs11.txt
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile opened: C:\Users\user\AppData\Roaming\mozilla\firefox\Profiles\m8f4v4pw.default\key4.db
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile opened: C:\Users\user\AppData\Roaming\mozilla\firefox\Profiles\m8f4v4pw.default\pkcs11.txu
Source: C:\Users\user\AppData\Local\Temp\regFirefox64.exeFile opened: C:\Users\user\AppData\Roaming\mozilla\firefox\profiles.ini
Source: C:\Program Files (x86)\EsWebSocketKit\FirefoxMOIT.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
Windows Management Instrumentation		1
DLL Side-Loading		1
DLL Side-Loading		1
File and Directory Permissions Modification		1
OS Credential Dumping		3
File and Directory Discovery		Remote Services31
Browser Session Hijacking		Data ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
Component Object Model Hijacking		1
Component Object Model Hijacking		5
Disable or Modify Tools		LSASS Memory33
System Information Discovery		Remote Desktop Protocol1
Data from Local System		Junk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAt21
Windows Service		21
Windows Service		1
Install Root Certificate		Security Account Manager1
Query Registry		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCron11
Registry Run Keys / Startup Folder		11
Process Injection		1
DLL Side-Loading		NTDS4
Security Software Discovery		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchd1
Services File Permissions Weakness		11
Registry Run Keys / Startup Folder		43
Masquerading		LSA Secrets4
Virtualization/Sandbox Evasion		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts1
Services File Permissions Weakness		1
Modify Registry		Cached Domain Credentials2
Process Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items4
Virtualization/Sandbox Evasion		DCSync2
System Owner/User Discovery		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job11
Process Injection		Proc Filesystem1
Remote System Discovery		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
Regsvr32		/etc/passwd and /etc/shadow1
System Network Configuration Discovery		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
Services File Permissions Weakness		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd1
Rundll32		Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

SourceDetectionScannerLabelLink
C:\Program Files\ \ \is-EV702.tmp4%ReversingLabs
C:\Program Files\ \ \is-F4HQP.tmp0%ReversingLabs
C:\Program Files\ \ \is-PIA1V.tmp0%ReversingLabs
C:\Users\user\AppData\Local\Temp\RegHidDevice.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\is-16ENA.tmp\_isetup\_isdecmp.dll2%ReversingLabs
C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmp3%ReversingLabs
C:\Users\user\AppData\Local\Temp\is-LU8SQ.tmp\ProcessMgr.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\is-LU8SQ.tmp\SetupUtil.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\is-LU8SQ.tmp\_isetup\_setup64.tmp0%ReversingLabs
C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmp3%ReversingLabs
C:\Users\user\AppData\Local\Temp\nsuBA1E.tmp\System.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\nsuBA1E.tmp\UserInfo.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\NetCertEnroll.exe2%ReversingLabs
C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exe0%ReversingLabs
C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exe0%ReversingLabs
C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exe0%ReversingLabs
C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exe (copy)3%ReversingLabs
C:\Program Files (x86)\Cloud Core\iProtect\iProtectUI.dll (copy)0%ReversingLabs
C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exe (copy)0%ReversingLabs
C:\Program Files (x86)\EsWebSocketKit\EsWebSocket.exe0%ReversingLabs
C:\Program Files (x86)\EsWebSocketKit\FirefoxMOIT.exe2%ReversingLabs
C:\Program Files (x86)\EsWebSocketKit\IActiveXCtrl.dll2%ReversingLabs
C:\Program Files (x86)\Gemini\SZPA\gmMgr_szpa.exe0%ReversingLabs
C:\Program Files (x86)\Gemini\SZPA\uninst.exe0%ReversingLabs
C:\Program Files (x86)\NetCertEnroll\is-LNN03.tmp0%ReversingLabs
C:\Program Files (x86)\NetCertEnroll\is-QE7I4.tmp5%ReversingLabs
C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exe2%ReversingLabs
C:\Users\user\AppData\Local\Temp\is-AM6E0.tmp\_isetup\_shfoldr.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\is-ST82F.tmp\NetCertEnroll.tmp4%ReversingLabs
C:\Users\user\AppData\Local\Temp\nssFirefox.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\nssFirefox64.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\nst29EF.tmp\KillProcDLL.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\nst29EF.tmp\System.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\nst29F0.tmp0%ReversingLabs
C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\AddTrustSite.exe0%ReversingLabs
C:\Users\user\AppData\Local\Temp\regFirefox64.exe0%ReversingLabs
C:\Windows\SysWOW64\SZPAPluto.dll0%ReversingLabs
C:\Windows\SysWOW64\gmcsp_szpa.csp0%ReversingLabs
C:\Windows\SysWOW64\gmcsp_szpa.dll0%ReversingLabs
C:\Windows\System32\drivers\CCInputProtect_x64.SYS0%ReversingLabs
C:\Users\user\AppData\Local\Temp\nsm328A.tmp\ESNsisPlugin.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\nsuBA1E.tmp\ESNsisPlugin.dll0%ReversingLabs
C:\Windows\SysWOW64\ShuttleCsp11_3000GM_PINGAN_s.dll0%ReversingLabs
C:\Windows\SysWOW64\ft_pactrl.dll0%ReversingLabs
C:\Windows\SysWOW64\sdbCsp11_s.dll0%ReversingLabs
C:\Windows\System32\ShuttleCsp11_3000GM_PINGAN_s.dll0%ReversingLabs
C:\Windows\System32\ft_pactrl.dll0%ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
fp2e7a.wpc.phicdn.net
192.229.221.95
truefalse
    		high

    World Map of Contacted IPs

    • No. of IPs < 25%
    • 25% < No. of IPs < 50%
    • 50% < No. of IPs < 75%
    • 75% < No. of IPs

    Public IPs

    IPDomainCountryFlagASNASN NameMalicious
    192.229.221.95
    		fp2e7a.wpc.phicdn.netUnited States
    		15133EDGECASTUSfalse
    23.56.254.164
    		unknownUnited States
    		42961GPRS-ASZAINKWfalse

    Private

    IP
    127.0.0.1

    General Information

    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1585206
    Start date and time:2025-01-07 10:06:38 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:defaultwindowsinteractivecookbook.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:72
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:1
    Technologies:
    • EGA enabled
    Analysis Mode:stream
    Analysis stop reason:Timeout
    Sample name:sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip
    Detection:MAL
    Classification:mal92.phis.adwa.spyw.evad.winZIP@99/130@0/17
    Cookbook Comments:
    • Found application associated with file extension: .zip

    Warnings

    • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 192.229.221.95
    • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
    • Not all processes where analyzed, report is missing behavior information
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • Timeout during stream target processing, analysis might miss dynamic analysis data
    • VT rate limit hit for: C:\Program Files\ \ \is-EV702.tmp

    Created / dropped Files

    C:\Program Files (x86)\3000GM\certd3kGM.exe

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):180808
    Entropy (8bit):6.374766080984763
    Encrypted:false
    SSDEEP:
    MD5:56606C0CD203DCBE461815F5ACBBA75C
    SHA1:F7BD6AA52BD6E17CF2569E5E8F6BFDD4E01BF66E
    SHA-256:3B4AF005A0DED144314B7808A1F1CF83B2F61EDC235C86DDB00E3F379470B9B6
    SHA-512:001ABBAB10F2DB033A4D91A17B61CBC695967AD71B4EB3CCF57FFCDAABAA550C1FA2E9ECCCFB67A26F692B06F4F0646DEDAE8BBFD5E6B931C886521EC000E0E7
    Malicious:false
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........i......................Z.............`...........V...`.......`.......0.......Rich............................PE..L....A.f.................X...$.......e.......p....@.................................!.......................................h...........H............p..HR...........................................................p..P............................text....W.......X.................. ..`.rdata...9...p...:...\..............@..@.data....)..........................@....rsrc...H...........................@..@................................................................................................................................................................................................................................................................................................................................................................

    C:\Program Files (x86)\3000GM\lang\escertd_1028.lng

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exe
    File Type:Generic INItialization configuration [strings]
    Category:dropped
    Size (bytes):1726
    Entropy (8bit):5.567322409491149
    Encrypted:false
    SSDEEP:
    MD5:84B4764946497D8F70A98D8808DB0DC3
    SHA1:F7BA194839F8D527685FCF49DB5C35E999439113
    SHA-256:5B3EA8DEEFE98DAD562128926DC99ECCB84A464AAC66AD60FD28DD02D502D8FA
    SHA-512:34BFCD9F3D68A4DE407A896D43464AEBF24A8FAD4AAA1BEAB276CEED4BC05F674F9BC455F850813991DAF70CFEB174DEFDFFD5247061E16EB2340C4FE37841FD
    Malicious:false
    Reputation:unknown
    Preview:[settings]..; 1028 = 0x0404..CodePage=1028..Language=TradChinese..FontFace=......FontHeight=9....[strings]..;==============================================================..; Dialog Box String..;==============================================================..1=.T.w..2=......1008=...A......T..1010=....z.u....1012=.d.....T....;==============================================================..; Runtime String..;==============================================================..10000=USBKey.w.g...J..10001=USBKey.w.g.Q.....10002=..._..10003=.p._..10004=.....10005=...b.O.s%s.A ..y.......10006=%s.O.s...\.I..10007=%s.O.s....I..10008=...b....K._..A..y.......10009=....K._...\..10010=....K._......10011=...b.C...l..USBKey.A..y.......10012=USBKey.C...l.......10013=USBKey.C...l.......10014=...b..l..USBKey.A..y.......10015=USBKey..l.......10016=USBKey..l.......10017=.L.k..O..USBKey.w...J..10018=...w.....]..R......10019=USBKey.......Y.N.L...]..w.g.L...^.A.....

    C:\Program Files (x86)\3000GM\lang\escertd_1033.lng

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exe
    File Type:Generic INItialization configuration [strings]
    Category:dropped
    Size (bytes):4572
    Entropy (8bit):5.160790245621459
    Encrypted:false
    SSDEEP:
    MD5:EB31C6E5994333AEC1B4C86BD2248E81
    SHA1:6BDDE092930A1DDD46E8BCBF07B56F031C416C61
    SHA-256:EA2778CCA48AFF7B0FDB52A1A96E443F77E4209925550E3C4A758051837BC392
    SHA-512:C4112C8AD6AD681AB8C1613F9AC36842190B11BA83DBF14B507E6F075C93AED211F14855A08A4F025F56C623ABF06DEE3B67AAA6B5E17DB1E2709D98FE81D709
    Malicious:false
    Reputation:unknown
    Preview:[settings]..; 1033 = 0x0409..CodePage=1033..Language=English..FontFace=Tahoma..FontHeight=8....[strings]..;==============================================================..; Dialog Box String..;==============================================================..1=OK..2=Cancel..102=Certificate Manager..1000=Error..1001=Information..1015=Change User &PIN..1016=&View Cert..1017=&Register Cert..1018=&Unregister Cert..2000=Change Token &Name..2001=New Token Name(at most %d characters)..2002=Change Token Name..1021=Certificates..1019=Certificate Manager..1020=We build Security!..1008=Don't show anymore..1010=Run Manager..1012=View detail..136=EnterSafe CertD..135=Please Change User PIN..1039=Don't prompt this dialog again..500=Your %s's User PIN has not been changed after initialized. Please change!..61216=Sorry, please select one certificate firstly!..61212=Parameter Error!..61217=Register certificate successfully!..61218=Register certificate failed!..61214=Unregister certificate successfully!..

    C:\Program Files (x86)\3000GM\lang\escertd_2052.lng

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exe
    File Type:Generic INItialization configuration [strings]
    Category:dropped
    Size (bytes):4913
    Entropy (8bit):6.278386064028406
    Encrypted:false
    SSDEEP:
    MD5:47BA3B1D98D4C821871DD2F4DFE1EF3E
    SHA1:8FF69B2F90FACD574FC73F697854274FB94B4624
    SHA-256:461824B84E66D0874E606A2528FD5217B0943CB49B6683500500371587250470
    SHA-512:E67B8055526E080A64591BEDBFD092F318AC9B01737DB31AA48F7E7696FC34EF3F84065EEA2B1A4C3ECD82791685DB76A84CF03588E9B00E91B6E7851B7778A5
    Malicious:false
    Reputation:unknown
    Preview:[settings]..CodePage=2052..Language=Simplified Chinese..FontFace=......FontHeight=9....[strings]..;==============================================================..; Dialog Box String..;==============================================================..1=.....2=.....102=..........Key........1000=......1001=.....1015=......USBKEY....(&P)..1016=......(&V)..1017=......(&R)..1018=......(&U)..2000=...USB Key..(&N)..2001=...USB Key.................\r\n............2002=.......USB Key........2003=...(&L)..2004=.....(&O)..2005=...(&D)..2006=..........(&E)..2007=...(&X)..2008=.........USBKEY......2010=.....KEY(&I)..2012=....USB Key..............2013=....USB Key..............2017=....V.110210127..2018=.....UKEY.......KEY...............1021=.....1019=..........1020=USBKey........1008=..............1010=............1012=..........136=EnterSafe..........135=........USBKEY......1039=............500=ePass Token.....PIN..........

    C:\Program Files (x86)\3000GM\lang\escfg_1028.lng

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exe
    File Type:Generic INItialization configuration [strings]
    Category:dropped
    Size (bytes):4350
    Entropy (8bit):5.967699674445644
    Encrypted:false
    SSDEEP:
    MD5:AF1468634DEB3DAFF910018290907E11
    SHA1:9FC2FE1ECC385F95FB340F3157B9E199C3B5B5C7
    SHA-256:4CCDF406136CFF36A3F78DB66AABE8E6EB564570A6AFD8522680B99AF6FD1DAD
    SHA-512:E22784133E5071B660FC6E2133AA37D7ADEC135B14CC24A159F4A4AACE6293B961D669116D1B8660705C3A01DC888E1E0A856FD7001774BDCCD5ECD51BF82F8C
    Malicious:false
    Reputation:unknown
    Preview:[settings]..; 1028 = 0x0404..CodePage=1028..Language=TradChinese..FontFace=......FontHeight=9....[strings]....;==============================================================..; Common strings..;==============================================================..;101=&About EnterSafe Config Tool.....101=....EnterSafe.t.m.u..(&A).....;100=About EnterSafe Config Tool..100=....EnterSafe.t.m.u....1011=EnterSafe.t.m.u..1.0....;1011=EnterSafe Config Tool Version 1.0..1012=.}.o.GEnterSafe\n\n...v...(C) 2008-2009 EnterSafe..;1012=Developer: EnterSafe\n\nCopyright(C) 2008 EnterSafe....;==============================================================..; Dialog box strings..;==============================================================..1=.T.w..;1=OK..2=......;2=Cancel....;1071=Save without encryption..1071=.O.s....[.K..;1023=Application..1023=....].m..;1026=Login again required after.G..1026=.W..].m(...G..).G..;1028=Access the website when token inserted:..1028=...J...X..H.U...}.G..;1030=Clos

    C:\Program Files (x86)\3000GM\lang\escfg_1033.lng

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exe
    File Type:Generic INItialization configuration [strings]
    Category:dropped
    Size (bytes):4352
    Entropy (8bit):6.016364615217479
    Encrypted:false
    SSDEEP:
    MD5:531BC40DFA47A848BF5DCDBCC16D3524
    SHA1:AF998BC192390DD6913A894A3F8529F7217681A5
    SHA-256:15E7EFC5FACC90024ADB75815C1611D6F10B8B1124B165637AF09418B345114F
    SHA-512:BCFB3DEDA6C642A616FF6D165927C0DE4A325BE85D5E931F9B1CE4AECE2651CCEE166CA80D6D1EE7A88BCDCB13808D120ED7AF943AD3D19200846F3661F3A5F9
    Malicious:false
    Reputation:unknown
    Preview:[settings]..; 2052 = 0x0804..CodePage=1033..Language=English (...)..FontFace=......FontHeight=9....[strings]....;==============================================================..; Common strings..;==============================================================..101=&About EnterSafe Config Tool.....;101=....EnterSafe.......(&A).....100=About EnterSafe Config Tool..;100=....EnterSafe.........;1011=EnterSafe.......1.0....1011=EnterSafe Config Tool Version 1.0..;1012=....:EnterSafe\n\n.......(C) 2008 EnterSafe..1012=Developer: EnterSafe\n\nCopyright(C) 2008-2009 EnterSafe....;==============================================================..; Dialog box strings..;==============================================================..;1=.....1=OK..;2=.....2=Cancel....1071=Save without encryption..;1071=.............1023=Application..;1023=.........1026=Login timeout(in seconds):..;1026=...........:..:..1028=Access the website when token inserted:..;1028=..................:..1030=Close

    C:\Program Files (x86)\3000GM\lang\escfg_2052.lng

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exe
    File Type:Generic INItialization configuration [strings]
    Category:dropped
    Size (bytes):4359
    Entropy (8bit):6.013202650528731
    Encrypted:false
    SSDEEP:
    MD5:67BE308E60FB370B9784C39D3CF1FF1A
    SHA1:188A7B870A4D784FB82AD52296527C3D98C8764D
    SHA-256:1F48F19AEF47361D293CB1C3641872AC87E63104CE27A04F0C512C09892BFD1E
    SHA-512:E40DFDB5428B993C42FF268678993F2AA0B9B2F121BCCD3CFFB1C1E86A2AB711BBF4790060888E9A418F8C74690AE4B74A63B4DE992CDFF2A6F1DC3F269F0A98
    Malicious:false
    Reputation:unknown
    Preview:[settings]..; 2052 = 0x0804..CodePage=2052..Language=Simplified Chinese..FontFace=......FontHeight=9....[strings]....;==============================================================..; Common strings..;==============================================================..;101=&About EnterSafe Config Tool.....101=....EnterSafe.......(&A).....;100=About EnterSafe Config Tool..100=....EnterSafe.........1011=EnterSafe.......1.0....;1011=EnterSafe Config Tool Version 1.0..1012=......EnterSafe\n\n.......(C) 2008-2009 EnterSafe..;1012=Developer: EnterSafe\n\nCopyright(C) 2008 EnterSafe....;==============================================================..; Dialog box strings..;==============================================================..1=.....;1=OK..2=.....;2=Cancel....;1071=Save without encryption..1071=.............;1023=Application..1023=.........;1026=Login again required after....1026=.......(.......)....;1028=Access the website when token inserted:..1028=......................;10

    C:\Program Files (x86)\3000GM\lang\escsp_1028.lng

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exe
    File Type:Generic INItialization configuration [strings]
    Category:dropped
    Size (bytes):1451
    Entropy (8bit):4.878983104649652
    Encrypted:false
    SSDEEP:
    MD5:E4F2A2EA0924A4E70F80622723BC2F42
    SHA1:D4AA54276DD7C7DA782A108B96150D922B3FC53A
    SHA-256:5A9F722474BBA4123F7EE2E39457CF49D740113EF166773E5FFEE589711FD5B7
    SHA-512:FFB0F04D31DBB622A1ECEEEDC9B033D8E4D29B17C4A8FF055008D5E366D6B6F1B161C08FEDAA7F622E95FF6C848AED91AC2D85A9049A0C8D62302CD88851BB67
    Malicious:false
    Reputation:unknown
    Preview:[settings]..CodePage=1028..Language=TradChinese..FontFace=......FontHeight=9....[strings]..;==============================================================..; Common strings..;==============================================================..1=.T.w..2=......;==============================================================..; Select Slot Dialog..;==============================================================..106=...USBKey..1007=....@..USBKey.i...@.G..10000=.W....10001=..C....;==============================================================..; PIN Logon Dialog..;==============================================================..107=.T.w..1010=.{.b..n....z..... PIN .X.G..1011=...PIN.X.G..2000=.n....2001=......2003=...n..L..2008=...PIN..20001=.... PIN .X..20002=...PIN.X.Q..w..20003=...PIN.X.......! ..l....G..20004=.z..J.....PIN.X...b.i..........d...A....d....s..J.I..20005=.z..J...S..K.X.t...L..r...A....d....s..J.I..20006=.z..J...S..K.X........T.A....d....s..

    C:\Program Files (x86)\3000GM\lang\escsp_1033.lng

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exe
    File Type:Generic INItialization configuration [strings]
    Category:dropped
    Size (bytes):1632
    Entropy (8bit):4.355235840187303
    Encrypted:false
    SSDEEP:
    MD5:EC18E43108BAA90001CF1C483236FABF
    SHA1:8A22A51635C0D18ACA48C5BDD9A40CA47C235A22
    SHA-256:BA1CD99C329C3C3E5F2502DA16A589F521A1D87C592032FF85CD47BA9EE63EBB
    SHA-512:65811A477E0E7831F0277D7C04392D0D732A988803516A7B96A337012C9CB980BAB4D2F47B1919657F6D512DD98DFC8549E31F3FFAC0E1126200BCB5C1E5AED8
    Malicious:false
    Reputation:unknown
    Preview:[settings]..CodePage=1033..Language=English..FontFace=Tahoma..FontHeight=8....[strings]..;==============================================================..; Common strings..;==============================================================..1=OK..2=Cancel..;==============================================================..; Select Slot Dialog..;==============================================================..106=Select USBKey..1007=Select a USBKey to continue:..10000=Name..10001=Serial Number..;==============================================================..; PIN Logon Dialog..;==============================================================..107=OK..1010=Now need verify your User PIN:..1011=User PIN:..2000=Login..2001=Cancel..2003=Enable soft keyboard..2008=Change PIN..20001=Verify User PIN..20002=User Pin has been blocked !..20003=User Pin is Wrong! Retry times : %d..20004=The length of PIN is out of range, please check and input again!..20005=The initial password has invalid characters, plea

    C:\Program Files (x86)\3000GM\lang\escsp_2052.lng

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exe
    File Type:Generic INItialization configuration [strings]
    Category:dropped
    Size (bytes):1583
    Entropy (8bit):5.080020627456983
    Encrypted:false
    SSDEEP:
    MD5:BAC4A3A1D2C56EF342F05520062EEB40
    SHA1:32674F1811302F8817998361F5D66F6A3FAE420F
    SHA-256:9491508BE32A7818848B4EE3E48AEA992BD58AE80BC93015F7083973E96BB098
    SHA-512:E9233B887AC549E972C6D8624F0ACE4E9A314E8CE0EF96873AA9A435C82A9DEDC3676E5FA0CA56D2496E9E19DF75B041C9F860F15A68441B7539B0A9D8B64447
    Malicious:false
    Reputation:unknown
    Preview:[settings]..CodePage=2052..Language=Simplified Chinese..FontFace=......FontHeight=9....[strings]..;==============================================================..; Common strings..;==============================================================..1=.....2=.....;==============================================================..; Select Slot Dialog..;==============================================================..106=...USBKey..1007=........USBKey...........10000=......10001=.......;==============================================================..; PIN Logon Dialog..;==============================================================..107=.....1010=.........USBKEY......1011=......USBKEY......2000=.....2001=.....2003=..........2008=...PIN..2010=...USBKEY......20001=.......USB Key........20002=..................!..20003=........USBKEY...........................%d.......20004=USBKEY............1..............7.........20005=............................

    C:\Program Files (x86)\3000GM\lang\esmgr_1028.lng

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exe
    File Type:Generic INItialization configuration [strings]
    Category:dropped
    Size (bytes):14301
    Entropy (8bit):5.960158768395291
    Encrypted:false
    SSDEEP:
    MD5:686E2FA1D798071F4AD87E0AC7970C87
    SHA1:154FB9A64682920BF3F43FADB835BF6CF8C986A2
    SHA-256:76DDBC4DB13D6CEC1F9E8BCA206DDA609C50E6C058229F6B0519D7A66D8C4E36
    SHA-512:85AB058209DCEC11C4CD7C3C19BF084F651349876A6FADAC4D509E5A49187ED10680736C0895B2BA92131BA570FAA2F6D40620B0E6AAB920ECABB084952E0A6F
    Malicious:false
    Reputation:unknown
    Preview:[settings]..;1028 = 0x0404..CodePage=1028..Language=TradChinese..FontFace=......FontHeight=9....[strings]..;==============================================================..; Common strings..;==============================================================..10000=EnterSafe PKI ..z.u....;10000=EnterSafe PKI Manager..10001=..z......;10001=Admin Version....;==============================================================..; Common Dialog box strings..;==============================================================..1=.T.w..;1=OK..2=......;2=Cancel....;==============================================================..; About Box..;==============================================================..;100=About EnterSafe PKI Manager..100=....EnterSafe PKI ..z.u....;101=&About EnterSafe PKI Manager.....101=....EnterSafe PKI ..z.u..(&A).....;1057=EnterSafe PKI Manager V1.1..1057=EnterSafe PKI ..z.u.. V1.1..;1058=Developer.G EnterSafe\n\nCopyright(C) 2007-2009 EnterSafe..1058=.}.o.GEnterSafe\n\n...v..

    C:\Program Files (x86)\3000GM\lang\esmgr_1033.lng

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exe
    File Type:Generic INItialization configuration [strings]
    Category:dropped
    Size (bytes):14222
    Entropy (8bit):5.997126737329458
    Encrypted:false
    SSDEEP:
    MD5:AEE0341DED3C7949A08B6900C16F36EA
    SHA1:D5776276E89E7E4DC4C4095C8DF84F94E46C1197
    SHA-256:3449E5EAEB21DB05FFC9F953BF3C569097C281CA18DB03D6EB5FBA6C9B523D50
    SHA-512:37026C9C9AC4DF2D8930363CC51B8B2748C0A6C256769878C3184857309B92A544451A6C21AD995EE214D4A37FEC7A8D7CDFFA737C1E2A0A8E021B832D318A4F
    Malicious:false
    Reputation:unknown
    Preview:[settings]..;1033 = 0x0409..CodePage=1033..Language=English..FontFace=......FontHeight=9....[strings]..;==============================================================..; Common strings..;==============================================================..;10000=EnterSafe PKI ........10000=EnterSafe PKI Manager..;10001=.........10001=Admin Version....;==============================================================..; Common Dialog box strings..;==============================================================..;1=.....1=OK..;2=.....2=Cancel....;==============================================================..; About Box..;==============================================================..100=About EnterSafe PKI Manager..;100=....EnterSafe PKI ........101=&About EnterSafe PKI Manager.....;101=....EnterSafe PKI ......(&A).....1057=EnterSafe PKI Manager V1.1..;1057=EnterSafe PKI ...... V1.1..1058=Developer: EnterSafe\n\nCopyright(C) 2007-2009 EnterSafe..;1058=....:EnterSafe\n\n.......(C) 2

    C:\Program Files (x86)\3000GM\lang\esmgr_2052.lng

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exe
    File Type:Generic INItialization configuration [strings]
    Category:dropped
    Size (bytes):14404
    Entropy (8bit):6.020213309399714
    Encrypted:false
    SSDEEP:
    MD5:973B01630981A90C6CAB75641B424706
    SHA1:FAC55AA63622CD673616D8E0664BFFB6C2E94DFF
    SHA-256:775DA198CD7E498E157647865AD9262A3CC099FC8DD88DF18CC693C6CAC6E23B
    SHA-512:598952423A1103B468115BC4B712F93F75DA42B10900B658FA4E86CF842ADFF4A16B8B9E1D8396F053C6245FE8A8FC943BE8E55C8B125B63D87365F8D39C3FD3
    Malicious:false
    Reputation:unknown
    Preview:[settings]..;2052 = 0x0804..CodePage=2052..Language=Simplified Chinese..FontFace=......FontHeight=9....[strings]..;==============================================================..; Common strings..;==============================================================..10000=EnterSafe PKI ........;10000=EnterSafe PKI Manager..10001=.........;10001=Admin Version....;==============================================================..; Common Dialog box strings..;==============================================================..1=.....;1=OK..2=.....;2=Cancel....;==============================================================..; About Box..;==============================================================..;100=About EnterSafe PKI Manager..100=....EnterSafe PKI ........;101=&About EnterSafe PKI Manager.....101=....EnterSafe PKI ......(&A).....;1057=EnterSafe PKI Manager V1.1..1057=EnterSafe PKI ...... V1.1..;1058=Developer.. EnterSafe\n\nCopyright(C) 2007-2009 EnterSafe..1058=......EnterSafe\n\n

    C:\Program Files (x86)\3000GM\uninst.exe

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
    Category:dropped
    Size (bytes):79635
    Entropy (8bit):7.34098195285298
    Encrypted:false
    SSDEEP:
    MD5:64CA9184213A53AD1FE31927F5C6081F
    SHA1:EABFBFD76DAD41F4BFE1111B4F5D69BD72D7A2BA
    SHA-256:96AA9A58551062029C09ABE3A077D0D3D3DD2E600FBC4FFF5F0D7ED1AC0C8E95
    SHA-512:9694FDDA73535C8711397975E894B9821C1538BCABD81B389FE6E98FB4D2C68E58F11D9078189BCD6E6D2ABAF83DD5083BB4ED14379395D741C33BE246413B6F
    Malicious:false
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i..iw..iu..i...i..id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@.......................... ......6........................................s..........P#..............HR...........................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc...P#.......$...v..............@..@................................................................................................................................................................................................................................................................................................................................................

    C:\Program Files (x86)\Cloud Core\iProtect\Readme.txt (copy)

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmp
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):0
    Entropy (8bit):0.0
    Encrypted:false
    SSDEEP:
    MD5:BD4413C6BBCA70CED4B10F92E3D2BEEB
    SHA1:5688E36CEB44D5B1A01D30B093579B6F6E7586A6
    SHA-256:1B51B551B2DC7BC731A1F77A753A803C44567D0E966485AFEB4285E8EFA7675B
    SHA-512:7B159D1AC82AC76A0C9ECE46BDFC5BC36A34FCD551B7B2EB785B3BA5E3C0BEFDB22A59683F0418C0DFD9A64BEEF8360EF91674D0C8623F66E7AB9EF776DBE654
    Malicious:false
    Reputation:unknown
    Preview:...c:y......T.i.p.s...........".i.P.r.o.t.e.c.t.Q....[hQ.g.R"./fQ..N..L..[hQ..eQ.c.N.OV..v.g.R.z.^..xS}..T.\.S.. ..b.Y.[..L..vQ..N..L..|.~.]\O._8^.0....".i.P.r.o.t.e.c.t. .o.n.l.i.n.e. .b.a.n.k.i.n.g. .s.e.c.u.r.i.t.y. .s.e.r.v.i.c.e.". .i.s. .a.n. .o.n.l.i.n.e. .b.a.n.k.i.n.g. .s.y.s.t.e.m. .d.e.p.e.n.d.e.n.t. .s.e.r.v.i.c.e.,. .u.n.i.n.s.t.a.l.l. .i.t. .m.a.y. .b.e. .c.a.u.s.e. .t.h.e. .s.y.s.t.e.m. .c.a.n. .n.o.t. .w.o.r.k. .p.r.o.p.e.r.l.y............S.N.N8hQ..~.b/g.gP.lQ.S....B.e.i.j.i.n.g. .C.l.o.u.d. .C.o.r.e. .N.e.t.w.o.r.k. .T.e.c.h.n.o.l.o.g.y. .C.o...,. .L.t.d...........

    C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exe (copy)

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmp
    File Type:PE32 executable (console) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):0
    Entropy (8bit):0.0
    Encrypted:false
    SSDEEP:
    MD5:B26DD61E9A1AD0F17AEF4E0BB0734473
    SHA1:B6F6187468FA089BEBD7811AB4CD33A5C06DFD76
    SHA-256:210A5674B36FB8EDA9655A4DF2EC0D43C501AEB6061F22A3AEE42509DA04306F
    SHA-512:62730E1B3C11F6E11016AABA9F67A7F8D42412F8C8C8717CC9AEC8A4B4244FB718475A673463FD9155A23EDB930A688716DC860E854A7E167F7EC517AC5D4807
    Malicious:true
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 3%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d... o., o., o.,.!.,"o.,O..,.o.,O.9,.o.,O.8,oo., o.,5o.,;.9,.m.,)..,5o., o.,.n.,O.<,Ao.,O..,!o., o.,!o.,O..,!o.,Rich o.,........................PE..L...r..f.................~..........C.............@...................................M...@.................................Lf........................L.`R...p.......................................i..@............[..t............................text....|.......................... ..`.rdata..8...........................@..@.data...H.....'.....................@....VMP0...p.3..`(.....................`....VMP1...<.L..`\...L.................`....reloc.......p........L.............@..@.rsrc.................L.............@..@........................................................................................................................................................................................................

    C:\Program Files (x86)\Cloud Core\iProtect\iProtectUI.dll (copy)

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmp
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):0
    Entropy (8bit):0.0
    Encrypted:false
    SSDEEP:
    MD5:249C15D1A6F145460CF76EC24CD32F93
    SHA1:B045BD9479520282F42E3B4CF7A1B8210F1035E1
    SHA-256:3F4DF0510145F27B0343D2830C4E70357C9CDAA2BA5650714859DAD8684D318E
    SHA-512:BB51A369FB9A94EF02551ABB63AA0B25496B9F8F6A687BCF5853F82749DF8D8B5C083598068F0743A19ED0909BE30A4D8AB01BE187549AB66FE41B0E15C244C4
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........C.."..."..."..L-.."....."....."......("......."..L-.."..."... ....."....."....."....."..Rich."..................PE..L......^...........!................n........................................`......................................1..h............@...................3...0.......................................'..@............Z..|............................text...]........................... ..`.rdata..............................@..@.data....e..........................@....VMP0...8F...P......................`..`.VMP1..............................`....reloc.......0......................@..@.rsrc........@...0..................@..@........................................................................................................................................................................................................................

    C:\Program Files (x86)\Cloud Core\iProtect\iSignExecutor.exe (copy)

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmp
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):0
    Entropy (8bit):0.0
    Encrypted:false
    SSDEEP:
    MD5:B7B8C614717DD02C27CB3E30C4809064
    SHA1:D330ED4AA4FD350FB967C3E2A75A18702431C102
    SHA-256:8A5B2FC399E87B9C3BFB193B44BD5A090B961DC18568F26F603234721DC34C71
    SHA-512:C35965F7FFE128CD44B66D10B455761F35A77746A3C19D37E5577838AC3389F6DA94329E77DA1C8C73D48A921F21F9175AFFDCDE966E03BFD39B354797F2A5C1
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ...Ad.Ad.Ad.....Ad....Ad..../Ad.....Ad..7..Ad.9..Ad.Ae.QAd.....Ad....Ad....Ad.Rich.Ad.........PE..L......d.....................0......rc............@..........................p......aU....@..........................................@..l............... H......<B......................................@...................,...`....................text...A........................... ..`.rdata..V...........................@..@.data....M......."..................@....rsrc...l....@......................@..@.reloc...V.......X..................@..B........................................................................................................................................................................................................................................................................................................................

    C:\Program Files (x86)\Cloud Core\iProtect\is-CN6T6.tmp

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmp
    File Type:PE32 executable (console) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):5008992
    Entropy (8bit):7.8910579585421585
    Encrypted:false
    SSDEEP:
    MD5:B26DD61E9A1AD0F17AEF4E0BB0734473
    SHA1:B6F6187468FA089BEBD7811AB4CD33A5C06DFD76
    SHA-256:210A5674B36FB8EDA9655A4DF2EC0D43C501AEB6061F22A3AEE42509DA04306F
    SHA-512:62730E1B3C11F6E11016AABA9F67A7F8D42412F8C8C8717CC9AEC8A4B4244FB718475A673463FD9155A23EDB930A688716DC860E854A7E167F7EC517AC5D4807
    Malicious:false
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d... o., o., o.,.!.,"o.,O..,.o.,O.9,.o.,O.8,oo., o.,5o.,;.9,.m.,)..,5o., o.,.n.,O.<,Ao.,O..,!o., o.,!o.,O..,!o.,Rich o.,........................PE..L...r..f.................~..........C.............@...................................M...@.................................Lf........................L.`R...p.......................................i..@............[..t............................text....|.......................... ..`.rdata..8...........................@..@.data...H.....'.....................@....VMP0...p.3..`(.....................`....VMP1...<.L..`\...L.................`....reloc.......p........L.............@..@.rsrc.................L.............@..@........................................................................................................................................................................................................

    C:\Program Files (x86)\Cloud Core\iProtect\is-EM6FU.tmp

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmp
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):479264
    Entropy (8bit):6.44158367113307
    Encrypted:false
    SSDEEP:
    MD5:B7B8C614717DD02C27CB3E30C4809064
    SHA1:D330ED4AA4FD350FB967C3E2A75A18702431C102
    SHA-256:8A5B2FC399E87B9C3BFB193B44BD5A090B961DC18568F26F603234721DC34C71
    SHA-512:C35965F7FFE128CD44B66D10B455761F35A77746A3C19D37E5577838AC3389F6DA94329E77DA1C8C73D48A921F21F9175AFFDCDE966E03BFD39B354797F2A5C1
    Malicious:false
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ...Ad.Ad.Ad.....Ad....Ad..../Ad.....Ad..7..Ad.9..Ad.Ae.QAd.....Ad....Ad....Ad.Rich.Ad.........PE..L......d.....................0......rc............@..........................p......aU....@..........................................@..l............... H......<B......................................@...................,...`....................text...A........................... ..`.rdata..V...........................@..@.data....M......."..................@....rsrc...l....@......................@..@.reloc...V.......X..................@..B........................................................................................................................................................................................................................................................................................................................

    C:\Program Files (x86)\Cloud Core\iProtect\is-NNODT.tmp

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmp
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):463832
    Entropy (8bit):7.841841547519735
    Encrypted:false
    SSDEEP:
    MD5:249C15D1A6F145460CF76EC24CD32F93
    SHA1:B045BD9479520282F42E3B4CF7A1B8210F1035E1
    SHA-256:3F4DF0510145F27B0343D2830C4E70357C9CDAA2BA5650714859DAD8684D318E
    SHA-512:BB51A369FB9A94EF02551ABB63AA0B25496B9F8F6A687BCF5853F82749DF8D8B5C083598068F0743A19ED0909BE30A4D8AB01BE187549AB66FE41B0E15C244C4
    Malicious:false
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........C.."..."..."..L-.."....."....."......("......."..L-.."..."... ....."....."....."....."..Rich."..................PE..L......^...........!................n........................................`......................................1..h............@...................3...0.......................................'..@............Z..|............................text...]........................... ..`.rdata..............................@..@.data....e..........................@....VMP0...8F...P......................`..`.VMP1..............................`....reloc.......0......................@..@.rsrc........@...0..................@..@........................................................................................................................................................................................................................

    C:\Program Files (x86)\Cloud Core\iProtect\is-P8U4V.tmp

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmp
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):588
    Entropy (8bit):4.503487535778046
    Encrypted:false
    SSDEEP:
    MD5:BD4413C6BBCA70CED4B10F92E3D2BEEB
    SHA1:5688E36CEB44D5B1A01D30B093579B6F6E7586A6
    SHA-256:1B51B551B2DC7BC731A1F77A753A803C44567D0E966485AFEB4285E8EFA7675B
    SHA-512:7B159D1AC82AC76A0C9ECE46BDFC5BC36A34FCD551B7B2EB785B3BA5E3C0BEFDB22A59683F0418C0DFD9A64BEEF8360EF91674D0C8623F66E7AB9EF776DBE654
    Malicious:false
    Reputation:unknown
    Preview:...c:y......T.i.p.s...........".i.P.r.o.t.e.c.t.Q....[hQ.g.R"./fQ..N..L..[hQ..eQ.c.N.OV..v.g.R.z.^..xS}..T.\.S.. ..b.Y.[..L..vQ..N..L..|.~.]\O._8^.0....".i.P.r.o.t.e.c.t. .o.n.l.i.n.e. .b.a.n.k.i.n.g. .s.e.c.u.r.i.t.y. .s.e.r.v.i.c.e.". .i.s. .a.n. .o.n.l.i.n.e. .b.a.n.k.i.n.g. .s.y.s.t.e.m. .d.e.p.e.n.d.e.n.t. .s.e.r.v.i.c.e.,. .u.n.i.n.s.t.a.l.l. .i.t. .m.a.y. .b.e. .c.a.u.s.e. .t.h.e. .s.y.s.t.e.m. .c.a.n. .n.o.t. .w.o.r.k. .p.r.o.p.e.r.l.y............S.N.N8hQ..~.b/g.gP.lQ.S....B.e.i.j.i.n.g. .C.l.o.u.d. .C.o.r.e. .N.e.t.w.o.r.k. .T.e.c.h.n.o.l.o.g.y. .C.o...,. .L.t.d...........

    C:\Program Files (x86)\Cloud Core\iProtect\unins000.dat

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmp
    File Type:InnoSetup Log iProtect Online Banking Security Service {96B38E70-D8BB-4649-90EC-AB4F74D58F9D}, version 0x418, 8980 bytes, 639509\37\user\376\, C:\Program Files (x86)\Cloud Core\iProtect
    Category:dropped
    Size (bytes):8980
    Entropy (8bit):3.946094252545048
    Encrypted:false
    SSDEEP:
    MD5:F26F701C97103663577124D910C53E26
    SHA1:A61F332783C28C54136D45B0EB3B15223E72B0B2
    SHA-256:9437BF973F9900CCA8BC76EA158C64F72DCE79956E8453978FA05BAE8853599D
    SHA-512:F13BBD7E9CC81E4A62061948310C68644F5550DB7C795291E0249750B4807551F2239B898757AE7C4732305777DFA4C05EA17347372E52102E6D50CD295D1139
    Malicious:false
    Reputation:unknown
    Preview:Inno Setup Uninstall Log (b)....................................{96B38E70-D8BB-4649-90EC-AB4F74D58F9D}..........................................................................................iProtect Online Banking Security Service.................................................................................................#..%.................................................................................................................+...........?................6.3.9.5.0.9......c.a.l.i......C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.l.o.u.d. .C.o.r.e.\.i.P.r.o.t.e.c.t..................#.... .....2........IFPS....!...............................................................................................................................................................BOOLEAN..................................................TWINDOWSVERSION.........TEXECWAIT.........TSETUPSTEP.........TMSGBOXTYPE.....[...........!MAIN....-1..(...dll:setup:files:SetupUtil.dll.DoAll.......4

    C:\Program Files (x86)\Cloud Core\iProtect\unins000.msg

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmp
    File Type:InnoSetup messages, version 5.5.3, 221 messages (UTF-16), &About Setup...
    Category:dropped
    Size (bytes):22709
    Entropy (8bit):3.2704486925356004
    Encrypted:false
    SSDEEP:
    MD5:79173DA528082489A43F39CF200A7647
    SHA1:AA253B477CE2BF9D886D07694CD5DDB7C7FE9EEC
    SHA-256:4F36E6BE09CD12E825C2A12AB33544744E7256C9094D7149258EA926705E8FFD
    SHA-512:C46EB9DD3D03A993FDC4F65AE2751ECFDCB1FB6E1FB69A119105FD40290CE5EC4427B04F813EED47415390689943D05B5432D4571B1ACA0CE37EE52391790D18
    Malicious:false
    Reputation:unknown
    Preview:Inno Setup Messages (5.5.3) (u).....................................hX..........&.A.b.o.u.t. .S.e.t.u.p.........%.1. .v.e.r.s.i.o.n. .%.2.....%.3.........%.1. .h.o.m.e. .p.a.g.e.:.....%.4.....A.b.o.u.t. .S.e.t.u.p...Y.o.u. .m.u.s.t. .b.e. .l.o.g.g.e.d. .i.n. .a.s. .a.n. .a.d.m.i.n.i.s.t.r.a.t.o.r. .w.h.e.n. .i.n.s.t.a.l.l.i.n.g. .t.h.i.s. .p.r.o.g.r.a.m.....T.h.e. .f.o.l.l.o.w.i.n.g. .a.p.p.l.i.c.a.t.i.o.n.s. .a.r.e. .u.s.i.n.g. .f.i.l.e.s. .t.h.a.t. .n.e.e.d. .t.o. .b.e. .u.p.d.a.t.e.d. .b.y. .S.e.t.u.p... .I.t. .i.s. .r.e.c.o.m.m.e.n.d.e.d. .t.h.a.t. .y.o.u. .a.l.l.o.w. .S.e.t.u.p. .t.o. .a.u.t.o.m.a.t.i.c.a.l.l.y. .c.l.o.s.e. .t.h.e.s.e. .a.p.p.l.i.c.a.t.i.o.n.s.....T.h.e. .f.o.l.l.o.w.i.n.g. .a.p.p.l.i.c.a.t.i.o.n.s. .a.r.e. .u.s.i.n.g. .f.i.l.e.s. .t.h.a.t. .n.e.e.d. .t.o. .b.e. .u.p.d.a.t.e.d. .b.y. .S.e.t.u.p... .I.t. .i.s. .r.e.c.o.m.m.e.n.d.e.d. .t.h.a.t. .y.o.u. .a.l.l.o.w. .S.e.t.u.p. .t.o. .a.u.t.o.m.a.t.i.c.a.l.l.y. .c.l.o.s.e. .t.h.e.s.e. .a.p.p.l.i.c.a.t.i.o.n.s... .A.f.

    C:\Program Files (x86)\EsWebSocketKit\EsWebSocket.exe

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):2194864
    Entropy (8bit):6.634419474952914
    Encrypted:false
    SSDEEP:
    MD5:8F0000D6D409D9E3446C12B35C1F1244
    SHA1:64110DE92F7E3C847232F1C1D7D7B2BFA7F9F3F8
    SHA-256:15F42E2D851DB2919C1104BFF8617681B10E50A613F0C422C8CFEC63667C3000
    SHA-512:37A58FCF6E4F25A4ACA9E31283E88F688A50A48BED941534BCAE19659C4D9823AF672C2420A2C748EA3D83F829C10CA153DC5D904183A6ADD9AF275EB157B6F7
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......LY...8...8...8...<..8...>.8...?..8..3f...8..3f...8..3f..-8...@^..8...8...8...8...8..fe...9..f...8..f2..8...8Z..8..f...8..Rich.8..........................PE..L.....Y.................B...T...............`....@...........................!......N"...@.................................<4..x..... ..............f!....... .H...@...p...............................@............`...............................text....A.......B.................. ..`.rdata.......`.......F..............@..@.data...T....P.......,..............@....gfids..(....p ....... .............@..@.tls.......... ......, .............@....rsrc......... ....... .............@..@.reloc..H..... .. ...F .............@..B........................................................................................................................................................................................

    C:\Program Files (x86)\EsWebSocketKit\FirefoxMOIT.exe

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
    Category:dropped
    Size (bytes):88960
    Entropy (8bit):7.53937706583338
    Encrypted:false
    SSDEEP:
    MD5:9682C9E322B2D3D3F46AB484B434ECE9
    SHA1:3D96E245631F5EF6770BD8B6984B219999D45D2B
    SHA-256:AF35E70AE3256B573028C69581015B11DFCA5CA60AB93B1855C71316A6BEDBC0
    SHA-512:0B680138BCA8A74E1242F65DDB51CFB8A812EED6DA77C7EA68E7F7660B26B6CD00263723D8C473DDD3EED544BB087A133304B51CD64E0D271CEB030B5A27CAAB
    Malicious:true
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 2%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#yd.B.7.B.7.B.7..z7.B.7..l7.B.7.B.7.B.7.:.7.B.7...7.B.7.:.7.B.7Rich.B.7........................PE..L...?..I.................h...@...B...4............@..................................................................................................C...............................................................................................text....g.......h.................. ..`.rdata...............l..............@..@.data...............................@....ndata...................................rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................

    C:\Program Files (x86)\EsWebSocketKit\IActiveXCtrl.dll

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):519600
    Entropy (8bit):6.562828020217511
    Encrypted:false
    SSDEEP:
    MD5:077C2A4D4681E648B0473C59C3A37C08
    SHA1:79FBB182FAF2E47BBABDF3B8852CBAA2492B65A6
    SHA-256:5B289B955C250AC6D995AE55256BB96DB2D0E34121794A5D229B4D79DE1CCD28
    SHA-512:2602A7E07E9B47D7C87A63EB783726582B8468B65FA490C2C61A35EB0103775433FF477A6C47276BC6AEFD00F32451DC9E9007FA0D60A42BA140CE31DEF1CDDE
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 2%
    Reputation:unknown
    Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$..........V..e...e...e.CL....e.CL..`.e.CL....e...`...e.*/....e.*/....e.*/....e.*/....e...d...e..f...e..a...e..`.s.e.`.l...e.`.e...e.e.....e.......e.`.g...e.Rich..e.........................PE..L...I.Z...........!.....b..........D........................................p......>.....@.............................L...<............]......................lP......p...................l...........@............................................text....a.......b.................. ..`.rdata..$............f..............@..@.data....R.......$..................@....gfids.......p......................@..@.giats..............."..............@..@.tls.................$..............@....rsrc....].......^...&..............@..@.reloc..lP.......R..................@..B........................................................................................................................

    C:\Program Files (x86)\EsWebSocketKit\dh.pem

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exe
    File Type:ASCII text
    Category:dropped
    Size (bytes):424
    Entropy (8bit):5.896129543763998
    Encrypted:false
    SSDEEP:
    MD5:1B704FC9204C3C1BEC64A8DB2EDAE6CD
    SHA1:B31D2237EE9003511A6B835E59E23DDC472EE964
    SHA-256:65798F2C1D0F2C4719A8434BC93BC7DABEA50C6F28E30B4EBDA32E9DFD705BA0
    SHA-512:F9DC8AA3FD8A058A731BE949DE3FA225807B3207A335C78412E4D80C7FB54D2E654EFA8B70D19BAA40384D0C692CD3D80D45D51D8AD42DE3D797A5C10D7DFCDB
    Malicious:false
    Reputation:unknown
    Preview:-----BEGIN DH PARAMETERS-----.MIIBCAKCAQEArTeGXMeKKVBTc4BdQUEbPb4tqYH6GfZ1JbTApcUSD7WaD54C9241./SW0owJ2HWQmzMruL52i1WtEfS5mnfhjDXT+gUyryE40txZ3HoT0PjK4bMeaRv1e.F1VtdB+1KvVB0eX0nO6WaPqPUNXk5588QGal2PLU7b1uJ0llI8rQ2GQLiIh9UUaa.syBvw5khc8QzoV06e1Rfwdt71TanPFClE4BY54vBdaIVQWMyl3XoCh6+h73LTtoH.pEc1r/NiRR5TK2oyJE8p7VmfZJS6ThzybLCvJCBhizbdTTLGngwaTzd8LkKFRfE2.CMyRe/IVq6t4E26tQMXFfMrxXP8sfAd9GwIBAg==.-----END DH PARAMETERS-----.

    C:\Program Files (x86)\EsWebSocketKit\server.crt

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exe
    File Type:PEM certificate
    Category:dropped
    Size (bytes):1472
    Entropy (8bit):5.909448883058967
    Encrypted:false
    SSDEEP:
    MD5:AE1785E32240EF1E7A298D7E21754276
    SHA1:BA5DEB1906E89BB8B98C721AA5AF18BD5BC8E2D1
    SHA-256:D91CFD498C130219E4D581A507F906EA95645EEEE118B77B29998F03E6B89B3C
    SHA-512:0F2858B921F1E5A549772C14D63951B6C0892813C60053E80A5386CB9B5AF6AB5773794064F5661760C1E6A2AFC60062D8152D1FFCFC172A35477BCECD4A509F
    Malicious:false
    Reputation:unknown
    Preview:-----BEGIN CERTIFICATE-----.MIIEEjCCAvqgAwIBAgIRANTEGJu9W9NMyh+5oMgTbrkwDQYJKoZIhvcNAQELBQAw.fDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh.biBGcmFuY2lzY28xHDAaBgNVBAoME3dlYnNvY2tldEBsb2NhbGhvc3QxIjAgBgNV.BAMMGXRsc2NhLndlYnNvY2tldEBsb2NhbGhvc3QwHhcNMTcwOTIyMDE0MTQwWhcN.MjcwOTIwMDE0MTQwWjBiMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p.YTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEmMCQGA1UEAwwdbG9jYWxob3N0Lndl.YnNvY2tldEBsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB.AQC77+2FmcsyPiqhgp0BIsNslbZE5Xg2LBYxNVyUZd4kgud7QWnTFrjcMhppkrMm.oiVL+bEcnQuobMWmcjJaPN9xO5ormpjXOArs5cTngRDBqdv176uRhL0tiC5ybqqr.hx3mZk76nwAeoulEhgDvlhGQt6h5OAkYk+8LOfXghW3SFOKJsSu1Lr0mgrBaybdE.8Xd6Xp5zufKG+YdLnTmHapUp3g4bPo6JnO6+CjnWzbFw6Z/mZl0QNRY7YG4qirZM.JL8+/O1FL8nrRv8qYsEsJ17nEDEJ/sa3V883mXzqsNUlcoGewoyLKwDEBY2y2vXv.EegKdA3ahTNrhTE1nntRD6e3AgMBAAGjgagwgaUwDgYDVR0PAQH/BAQDAgUgMB0G.A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMCsGA1Ud.IwQkMCKAIDHB3Lh7RecoYb3qQDjjCfBS/IMRXDDaTPtfv7bqCud3MDkGA1UdEQ

    C:\Program Files (x86)\EsWebSocketKit\server.key

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exe
    File Type:PEM RSA private key
    Category:dropped
    Size (bytes):1679
    Entropy (8bit):6.032734019367354
    Encrypted:false
    SSDEEP:
    MD5:566BFA59C8B00E4001CA266431B7F9E4
    SHA1:03797FFFE99606324494D4E094093F89DD0C3ACA
    SHA-256:5512F9BFB547FFDF70917716167EF69D3B5EC34AE314F4640A1394472AC739D1
    SHA-512:B06A738C17D3FFE68BD9BF1935AB06DF52F2DC53067FBD85E8F55134D084B583635922E219967606169046F2DD59F5A68FAB5034F5AA5C0DCD59CFD078800C64
    Malicious:false
    Reputation:unknown
    Preview:-----BEGIN RSA PRIVATE KEY-----.MIIEpQIBAAKCAQEAu+/thZnLMj4qoYKdASLDbJW2ROV4NiwWMTVclGXeJILne0Fp.0xa43DIaaZKzJqIlS/mxHJ0LqGzFpnIyWjzfcTuaK5qY1zgK7OXE54EQwanb9e+r.kYS9LYgucm6qq4cd5mZO+p8AHqLpRIYA75YRkLeoeTgJGJPvCzn14IVt0hTiibEr.tS69JoKwWsm3RPF3el6ec7nyhvmHS505h2qVKd4OGz6OiZzuvgo51s2xcOmf5mZd.EDUWO2BuKoq2TCS/PvztRS/J60b/KmLBLCde5xAxCf7Gt1fPN5l86rDVJXKBnsKM.iysAxAWNstr17xHoCnQN2oUza4UxNZ57UQ+ntwIDAQABAoIBAQCe2/c1eEOnS58z.eLmILT9teLtiT2mmuOtlWwrPsa/twu0yZZ+zO8C0+HEVDlj67hKCvyQz4JfrHU6R.HHRtjIj/KPdvpjVNruSlTK99VL66RP9WSuoGjmJuq28/cUY4yXS/vXlDJcWvH9v3./SGrY3mjj2sMVA50RQ/JuIua5o5nBadqeWFX7Pm2gn3bDzv059/ZV9U7VDRreyZ3.7yg31KnK+WzdKpvF0D/DUqIPm/zIIEIE502BbRoyqIrZoIZfotWxEjjXGkJdmfhm.T5xoolXB0JYC2LFiLqEH2auPbzuDp0PQnhAQF9cPteqV23LWXGVfbLxvoGECUYpM.fnDLYHXJAoGBAOET8zdwYbBfdgFIVww91+vB88CaJsZ5zmlvAf13f5dsQqNORSLr.2poFNAqgSQYy/1H0msN07uxPX9HTwHjWn4X5e/SPj+ReuLpQEi8Jf19mLTj77Jlw.ciaiFoLUJQTT0hcN/EYV2LDYVmyrP7wmPSPj2Rzvv0Hdc+mo5vUkKa2LAoGBANXB.uqor05vqp6T+zYZzS+UPkeYtMXs2v0uY5gE3TN11bYB2St+s6qADLQdV6h

    C:\Program Files (x86)\Gemini\SZPA\gmMgr_szpa.exe

    Download File
    Process:C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):624120
    Entropy (8bit):6.678421986748233
    Encrypted:false
    SSDEEP:
    MD5:CF36EF2286264C75AC0180DD71610F68
    SHA1:B37D2E650145B2B47E1D1E9DE217FFDE0F5363F8
    SHA-256:F70F8810DEB196406145EA64880D5E8053188D71073407B6E63C4BF2029C1FBB
    SHA-512:D79DC5E1360DE3F19B6D193C17713817DC079102FA584664363925DBD4D4416DAFB1EC8D2A6AA0D7D10C51E82B1075B1993A845F6C3BCFEF7AA7612B9D81CD20
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........?...Q...Q...Q...8...Q.?.....Q.......Q......Q.......Q...P...Q.../...Q.......Q......Q.......Q.Rich..Q.........................PE..L....]X`............................x.............@.....................................................................................@............`...%..............................................@............................................text............................... ..`.rdata..............................@..@.data...............................@....rsrc...@...........................@..@................................................................................................................................................................................................................................................................................................................................................

    C:\Program Files (x86)\Gemini\SZPA\gmmgr_szpa_2052.ini

    Download File
    Process:C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exe
    File Type:ISO-8859 text, with CRLF line terminators
    Category:dropped
    Size (bytes):2257
    Entropy (8bit):6.262404455749891
    Encrypted:false
    SSDEEP:
    MD5:DD12C5D335C1FAC4C2D82A40FA171A02
    SHA1:E40E5FCF1C1264FBFA4AE2DE419C7A5AD4E171E2
    SHA-256:21F03BC521E15AF31D944418EB11C54C2EE7919E895835A9E142A3829524B138
    SHA-512:32AD3BC4E143D5BB3CCB919A8BB92B648D7DF187DB6C22FE748CDE56AA07C1D45E884DEF34CD0B6DC293C31C8981DB513732B5EE192E1D132D50F6AAFDF0DE97
    Malicious:false
    Reputation:unknown
    Preview:[string]....1=.....2=.......1001=.....1000=..........;main dlg..130=..........1006=.....1003=...USBKEY......1107=.....USBKEY......1005=.......1007=....USBKEY..1108=........1109=.......1110=.....1024=...USBKEY......1026=.........10001=.....10002=..........10003=........10004=.........!..10005=........!......;change pin dlg..132=......USBKEY......1010=..............................USBKEY..............USBKEY..............1012=...........6-16....+..........pa6666..1008=......USBKEY....:..1009=......USBKEY....(......................12345678):..1029=...USBKEY....(6-16.........):..1011=......USBKEY....:..11001=...........11002=...USBKEY..........................11003=USBKEY............................11004=USBKEY.................\n\n...................USBKEY..........USBKEY...........11005=USBKEY.......................... %d .....11006=...USBKEY..........11007=...USBKEY........

    C:\Program Files (x86)\Gemini\SZPA\uninst.exe

    Download File
    Process:C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
    Category:dropped
    Size (bytes):69797
    Entropy (8bit):6.984021556504055
    Encrypted:false
    SSDEEP:
    MD5:AB97A339B4952AE56EF0143A71BCBD3F
    SHA1:031C9521F88AD63BB9FE213E3482261EA268C1B1
    SHA-256:81C740FB3A34DA4EC3EB34BF91C50818C4B5FBC86A07BA519D9234997B46D320
    SHA-512:1DEF9F9F5E5624E8D7A2A3DB901D68436834F974A5BCB1914DE6A77343EDF8F003293469BA7F2F5226274812CDB06BBEC22553809D1035A35A05CADCE2AB1C7F
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i..iw..iu..i...i..id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................................................................t...........E...........K...?...........................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc....E.......F...z..............@..@................................................................................................................................................................................................................................................................................................................................................

    C:\Program Files (x86)\NetCertEnroll\is-LNN03.tmp

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-ST82F.tmp\NetCertEnroll.tmp
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):400232
    Entropy (8bit):6.531557459176068
    Encrypted:false
    SSDEEP:
    MD5:F53BEEA6DD25267A6FE9D898410ACA5B
    SHA1:93592C0296E94D98613C0290ACBBB548D2A12502
    SHA-256:8DDC9F823D413634660B7AE8148D5281D980AFDA887C887F6D708588F6EFF9D3
    SHA-512:9BC0297E7A66B91CCA1A7F372E90A00B9F95FC7CF395812DF34D70FA4B737DDDACBFBDE0E009C645C3AD10D7FF658608E976E6B97238512BBCFC645BA849AE71
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........E...+..+..+....+....+..F..+..P..+..*.f.+.....+...&.+....+....+....+.Rich..+.................PE..L......Z...........!.........@..............................................@......g.....@..........................w......hf..........................h........<......................................@...............<............................text...b........................... ..`.rdata..............................@..@.data...@:...........v..............@....rsrc...............................@..@.reloc..,O.......P..................@..B................................................................................................................................................................................................................................................................................................................

    C:\Program Files (x86)\NetCertEnroll\is-QE7I4.tmp

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-ST82F.tmp\NetCertEnroll.tmp
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):718648
    Entropy (8bit):6.537031108193351
    Encrypted:false
    SSDEEP:
    MD5:5C0DE708F9D8715D501F93C8964F9A88
    SHA1:8EAD1596428B115F7E64F32E58070FFB33D0A162
    SHA-256:71EBCD1DD3A73FF3700795BC852288A05E30AFD49047CC7C6A37AA2EA84F7707
    SHA-512:6870039A297AF421EEC710844FB2BECB4EA92E14FFF172D7FE7E3EA9D9E0FA531EAE8DA7DF8CA0EAD3602276B5DFEAB20D2A41EB34F4AA0D4775B6621702D443
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 5%
    Reputation:unknown
    Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@.......................................@......@...............................&........................................................... ......................................................CODE....$........................... ..`DATA.... ...........................@...BSS......................................idata...&.......(..................@....tls.....................................rdata....... ......................@..P.reloc......0......................@..P.rsrc...............................@..P.....................f..............@..P........................................................................................................................................

    C:\Program Files (x86)\NetCertEnroll\unins000.dat

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-ST82F.tmp\NetCertEnroll.tmp
    File Type:InnoSetup Log NetCertEnroll, version 0x30, 11551 bytes, 639509\user, "C:\Program Files (x86)\NetCertEnroll"
    Category:dropped
    Size (bytes):11551
    Entropy (8bit):4.80507289065723
    Encrypted:false
    SSDEEP:
    MD5:2537D9CF9F10D223476243250C7B82A8
    SHA1:5296E9940EB27AFDD3AC1522F6F0365DD61FCAB6
    SHA-256:AA4987FFE8DF562F5868A43052C8D54775967ECAF1B12C030D2073D538C412E1
    SHA-512:2A4C37172D4AA4506EFF7EA3A88DAE10A77F8394921416062B16781CC376452E8AB72F163C046E151D09D36EF71ADA89270D23A9666F79D4F61CFD40E6031EE8
    Malicious:false
    Reputation:unknown
    Preview:Inno Setup Uninstall Log (b)....................................NetCertEnroll...................................................................................................................NetCertEnroll...................................................................................................................0........-..%................................................................................................................y..........;........C....639509.user$C:\Program Files (x86)\NetCertEnroll.............1.... ......$...."IFPS.............................................................................................................BOOLEAN..............TSTRINGLIST....TSTRINGLIST.........TOBJECT....TOBJECT......................................TWIZARDFORM....TWIZARDFORM..............TNEWBUTTON....TNEWBUTTON............................!MAIN....-1.............ISX64....16..ISWIN64..................ISX86....16.....n.......CHECKFIREFOXPROFILESEXIST....16..EXPANDCONSTANT

    C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exe

    Download File
    Process:C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
    Category:dropped
    Size (bytes):1112664
    Entropy (8bit):7.973000260119249
    Encrypted:false
    SSDEEP:
    MD5:43A8D586CC87ECF98E62B60D224059C3
    SHA1:F67AD1B755B6A161C8BBB1D4B33147B7556F0E63
    SHA-256:C3592DD089C71450BFF32F17A5C1EA821B9A1FBB2E5727667AACB93A281D0711
    SHA-512:98E3C0880B94C052E74223DB8958366E9C36BC3727D4C22E94CC52331B122709C08B20F2DEB1971ADAD6F6814D118A3BC8E4E96234640C99CA3B5D32814FF06E
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 2%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#yd.B.7.B.7.B.7..z7.B.7..l7.B.7.B.7.B.7.:.7.B.7...7.B.7.:.7.B.7Rich.B.7........................PE..L...4..I.................d.......B..B5............@..........................0......Q....................................................@...........................................................................................................text....c.......d.................. ..`.rdata...............h..............@..@.data....f..........................@....ndata...................................rsrc....@.......B..................@..@........................................................................................................................................................................................................................................................................................................................................

    C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3003Auto_SAS_1033.ini

    Download File
    Process:C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
    File Type:data
    Category:dropped
    Size (bytes):856
    Entropy (8bit):7.744867700429516
    Encrypted:false
    SSDEEP:
    MD5:82338E4AE9775DF15FFC1FE56126F1D7
    SHA1:1E002B4CDA2E4991F32D31733D639C2014877DE5
    SHA-256:2AD60E10AB481CED409844330686AA7E1D58BAAD88D6132C55F96CFA1665894C
    SHA-512:F4579E8DB445AF874119DD1E28A348B32A8A4E7122E1794BA999767519684A1497F63DB2BC090CDEB294724B2E19E6095BFCBB15B2E799D1C50D3D85434C925B
    Malicious:false
    Reputation:unknown
    Preview:.).X2..l`.k..nV..MuK...7...ISb8.-...........+......y....'...&...R.+.D..lzPA...n7e......@6.w.&..#........}.t.k~.....~..$....}2p......S.'.8...?..s.^3.b..`.Ue.[I....:..o..0.....,.....{x...p.r..+....a.oh.<.bSP.RP.&d!..c...S.14:....!..c...S.W....qHB...I...%...}9|.d7.l........srn0.^-..F.\F....QN. ....F.\F...>/r.i...y..$....?q/.3I.... ....+,k.P>..v.9M..v.s..n.v...........P...u.c4=....Fs..o..7.L .Q/.h..Dt.3....k......>...".x,...\..Ee........L.....9...,.pq....m.n.h.....>.2K1:.....y.9......#......=.....0..8....~vSOT...37+:.b.~e..]R.)...O;..0...g..Qs.%....S...S.u!..\B..?".7g|.Hh......c.:..@'..G%..mg9_....$.9.#{.Y....."S..Z.:..8.]=U../[..2...].1.F.m.c"i"7/..H"...N...v.,$..*...q|..F..y:...M.......KQ.L$.X.C..xK{8!.a.7...P=..P.`....#......r.......LS.8&|.....;b.[..l.5...BOu...N..=..[.[..l.5...BOu....W..G.2p..jJ.R..

    C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3003Auto_sas.ini (copy)

    Download File
    Process:C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
    File Type:data
    Category:dropped
    Size (bytes):0
    Entropy (8bit):0.0
    Encrypted:false
    SSDEEP:
    MD5:82338E4AE9775DF15FFC1FE56126F1D7
    SHA1:1E002B4CDA2E4991F32D31733D639C2014877DE5
    SHA-256:2AD60E10AB481CED409844330686AA7E1D58BAAD88D6132C55F96CFA1665894C
    SHA-512:F4579E8DB445AF874119DD1E28A348B32A8A4E7122E1794BA999767519684A1497F63DB2BC090CDEB294724B2E19E6095BFCBB15B2E799D1C50D3D85434C925B
    Malicious:false
    Reputation:unknown
    Preview:.).X2..l`.k..nV..MuK...7...ISb8.-...........+......y....'...&...R.+.D..lzPA...n7e......@6.w.&..#........}.t.k~.....~..$....}2p......S.'.8...?..s.^3.b..`.Ue.[I....:..o..0.....,.....{x...p.r..+....a.oh.<.bSP.RP.&d!..c...S.14:....!..c...S.W....qHB...I...%...}9|.d7.l........srn0.^-..F.\F....QN. ....F.\F...>/r.i...y..$....?q/.3I.... ....+,k.P>..v.9M..v.s..n.v...........P...u.c4=....Fs..o..7.L .Q/.h..Dt.3....k......>...".x,...\..Ee........L.....9...,.pq....m.n.h.....>.2K1:.....y.9......#......=.....0..8....~vSOT...37+:.b.~e..]R.)...O;..0...g..Qs.%....S...S.u!..\B..?".7g|.Hh......c.:..@'..G%..mg9_....$.9.#{.Y....."S..Z.:..8.]=U../[..2...].1.F.m.c"i"7/..H"...N...v.,$..*...q|..F..y:...M.......KQ.L$.X.C..xK{8!.a.7...P=..P.`....#......r.......LS.8&|.....;b.[..l.5...BOu...N..=..[.[..l.5...BOu....W..G.2p..jJ.R..

    C:\Program Files (x86)\SAS USB Key Manager(Feitian)\lang\escertd_sas_1028.lng

    Download File
    Process:C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):10648
    Entropy (8bit):4.8843794620787415
    Encrypted:false
    SSDEEP:
    MD5:A904C0D5DCA78241DD587714A310657F
    SHA1:36330A2306E43381AEB3249FC4C158991674BA67
    SHA-256:9F7E2EA50165454D3F43C783DAAE6CE7EA19F5EE702BC53F102DC13EECB33D5C
    SHA-512:6264CA49A109F2EF1343CF0E018D9244F52E235927AFF80A29FA5DC27427B66F80FC8D1A4210797200D60C51CE6A4A6BF483C61DBBD3FB2ABC31360CEADC71F0
    Malicious:false
    Reputation:unknown
    Preview:..[.s.e.t.t.i.n.g.s.].....;. .2.0.5.2. .=. .0.x.0.8.0.4.....C.o.d.e.P.a.g.e.=.1.0.2.8.....L.a.n.g.u.a.g.e.=.T.r.a.d.i.t.i.o.n.a.l. .C.h.i.n.e.s.e.....F.o.n.t.F.a.c.e.=..[.....F.o.n.t.H.e.i.g.h.t.=.9.........[.s.t.r.i.n.g.s.].....;.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.....;. .D.i.a.l.o.g. .B.o.x. .S.t.r.i.n.g.....;.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.....1.=..x.[....2.=..S.m....;.1.0.2.=.C.e.r.t.i.f.i.c.a.t.e. .M.a.n.a.g.e.r.....1.0.2.=..O.a....U.S.B.K.e.y..{.t.]wQ....;.1.0.0.0.=.E.r.r.o.r.....1.0.0.0.=./.......;.1.0.0.1.=.I.n.f.o.r.m.a.t.i.o.n.....1.0.0.1.=..Oo`....;.1.0.1.5.=.C.h.a.n.g.e. .U.s.e.r. .&.P.i.n.....1.0.1.5.=..O9eU.K.E.Y..[.x(.&.P.).....;.1.0.1.6.=.&.V.i.e.w. .C.e.r.t.....1.0.1.6.=..g.wI..f.Oo`(.&.V.).....;.1.0.1.7.=.&.R.e.g.i.s.t.e.r. .C.e.r.t.....1.0.1.7.=..l.QI..f(.&.R.).....;.1.0.1.8.=.&.U.n.r.

    C:\Program Files (x86)\SAS USB Key Manager(Feitian)\lang\escertd_sas_1033.lng

    Download File
    Process:C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):10786
    Entropy (8bit):3.6592945728722097
    Encrypted:false
    SSDEEP:
    MD5:AD5DDE04600D38B9BA1BEECE94A7482E
    SHA1:199085BE68E15D62DC8F820261106EDF97F58E03
    SHA-256:DF9499623CBFC237C247078E0402161C2A7AF69FB345A1058B3C4BA6FECF5DF1
    SHA-512:C30B358EE76A938BBBDF0875CF372DF71C770F7C37472923AF4E11A3E5AC8AF15D00B84EED8D363812BAA61E1AB360A11E61408A7B7D69725D04332100A3B308
    Malicious:false
    Reputation:unknown
    Preview:..[.s.e.t.t.i.n.g.s.].....;. .1.0.3.3. .=. .0.x.0.4.0.9.....C.o.d.e.P.a.g.e.=.1.0.3.3.....L.a.n.g.u.a.g.e.=.E.n.g.l.i.s.h.....F.o.n.t.F.a.c.e.=.T.a.h.o.m.a.....F.o.n.t.H.e.i.g.h.t.=.8.........[.s.t.r.i.n.g.s.].....;.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.....;. .D.i.a.l.o.g. .B.o.x. .S.t.r.i.n.g.....;.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.....1.=.O.K.....2.=.C.a.n.c.e.l.....1.0.2.=.S.A.S. .U.S.B. .K.e.y. .M.a.n.a.g.e.r.....1.0.0.0.=.E.r.r.o.r.....1.0.0.1.=.I.n.f.o.r.m.a.t.i.o.n.....1.0.1.5.=.C.h.a.n.g.e. .U.s.e.r. .&.P.i.n.....1.0.1.6.=.&.V.i.e.w. .C.e.r.t.....1.0.1.7.=.&.R.e.g.i.s.t.e.r. .C.e.r.t.....1.0.1.8.=.&.U.n.r.e.g.i.s.t.e.r. .C.e.r.t.....1.0.2.1.=.C.e.r.t.i.f.i.c.a.t.e.s.....1.0.1.9.=.e.B.a.n.k.....1.0.2.0.=.U.S.B.K.e.y. .M.a.n.a.g.e.r.....1.0.0.8.=.D.o.n.'.t. .s.h.o.w. .a.n.y.m.o.r.e.....1.0.1.0.=.R.u.n. .M.

    C:\Program Files (x86)\SAS USB Key Manager(Feitian)\lang\escertd_sas_2052.lng

    Download File
    Process:C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):10562
    Entropy (8bit):4.878939920395973
    Encrypted:false
    SSDEEP:
    MD5:4E4AA416449690CB30BCB4C815DD057C
    SHA1:C921C19C70B86883655BE34E061FD3AEB48F9CFD
    SHA-256:589149E952CD5CF1005195869C45F884E8A71AE0BFD59EAC0C4B9B158A53F518
    SHA-512:4FBAD21E700F026696C096B70E138E869A59D6F36AAACF615F9CBACC0D82A99381E425DB60FFB7E54F2E241852ADFF132FF5693066056A9B92FE9C199AA43174
    Malicious:false
    Reputation:unknown
    Preview:..[.s.e.t.t.i.n.g.s.].....;. .2.0.5.2. .=. .0.x.0.8.0.4.....C.o.d.e.P.a.g.e.=.2.0.5.2.....L.a.n.g.u.a.g.e.=.S.i.m.p.l.i.f.i.e.d. .C.h.i.n.e.s.e.....F.o.n.t.F.a.c.e.=..[SO....F.o.n.t.H.e.i.g.h.t.=.9.........[.s.t.r.i.n.g.s.].....;.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.....;. .D.i.a.l.o.g. .B.o.x. .S.t.r.i.n.g.....;.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.....1.=.nx.[....2.=..S.m....;.1.0.2.=.C.e.r.t.i.f.i.c.a.t.e. .M.a.n.a.g.e.r.....1.0.2.=..O.^.....U.S.B. .K.e.y..{.t.]wQ....;.1.0.0.0.=.E.r.r.o.r.....1.0.0.0.=........;.1.0.0.1.=.I.n.f.o.r.m.a.t.i.o.n.....1.0.0.1.=..Oo`....;.1.0.1.5.=.C.h.a.n.g.e. .U.s.e.r. .&.P.i.n.....1.0.1.5.=..O9eU.K.E.Y..[.x(.&.P.).....;.1.0.1.6.=.&.V.i.e.w. .C.e.r.t.....1.0.1.6.=..g.w..fN.Oo`(.&.V.).....;.1.0.1.7.=.&.R.e.g.i.s.t.e.r. .C.e.r.t.....1.0.1.7.=..l.Q..fN(.&.R.).....;.1.0.1.8.=.&.U.n.r.

    C:\Program Files (x86)\SAS USB Key Manager(Feitian)\lang\escsp_sas_1028.lng

    Download File
    Process:C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):1480
    Entropy (8bit):5.323087578364593
    Encrypted:false
    SSDEEP:
    MD5:6B870172F6CAFBA482EF7D57002A9283
    SHA1:74E9951B4B5EB2B8172130E3EDF751407DA79E62
    SHA-256:B5FABB2A33F76054BBE1850C9AC0443896C8990A1CA507FDFA01AC804C9E4CEF
    SHA-512:D0100C6B2853445966A993120EFE82E5FC7CE26086D03A9CB09F4E7A55AD8614577461FEF8A49149176EF04D05A8EC94CE97044CBB773B812C26B178B9717137
    Malicious:false
    Reputation:unknown
    Preview:..[.s.e.t.t.i.n.g.s.].....C.o.d.e.P.a.g.e.=.2.0.5.2.....L.a.n.g.u.a.g.e.=.T.r.a.d.i.t.i.o.n.a.l. .C.h.i.n.e.s.e.....F.o.n.t.F.a.c.e.=..[.....F.o.n.t.H.e.i.g.h.t.=.9.........[.s.t.r.i.n.g.s.].....1.=..x.[(.&.O.).....2.=..S.m(.&.C.).........1.0.6.=.x..dU.S.B.K.e.y.....1.0.0.7.=..x..d.N.PU.S.B.K.e.y.2.L..d\O......1.0.0.0.0.=..T1z....1.0.0.0.1.=..^.R_.........1.0.7.=.{v......1.0.1.0.=..s(W....W.I..`.vU.K.E.Y..[.x......1.0.1.1.=.U.K.E.Y..[.x......2.0.0.0.=.{v..(.&.L.).....2.0.0.1.=..S.m(.&.C.).....2.0.0.3.=..u..v....2.0.0.0.1.=.W.I.U.K.E.Y..[.x......2.0.0.0.2.=.U.K.E.Y..[.x.].}....OO.....s^.[.y.bo.k~.0....2.0.0.0.3.=.U.K.E.Y..[.xW.I.1YWe.. .iR...Vf.!kxe......2.0.0.0.4.=..`8.eQ.vU.K.E.Y..[.x*Yw......e8.eQ......2.0.0.0.5.=..`8.eQ.vU.K.E.Y..[.x+T.g!qHeW[CQ.....e8.eQ......2.0.0.0.6.=..`8.eQ.vU.K.E.Y..[.xw..^.Nck.x.....e8.eQ......2.0.0.0.7.=.U.S.B.K.e.y..].}...b.Q......2.0.0.0.8.=.|v.u.N*g.w/.......f..b.S.m..........1.1.0.0.3.=..O.a....U.S.B. .K.e.y..{.t.]wQ....3.3.0.0.0.=..b.R....

    C:\Program Files (x86)\SAS USB Key Manager(Feitian)\lang\escsp_sas_1033.lng

    Download File
    Process:C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):2902
    Entropy (8bit):3.5374666873670573
    Encrypted:false
    SSDEEP:
    MD5:129C29260A5388F798D1090F063CD269
    SHA1:3FCADC29049C3FF2A7C358B0FBB6419CFEB710EA
    SHA-256:9F18C1C70F8E54398AB95EA67D26CB606EDF9C496F32D230C80594B6DA1D5B7F
    SHA-512:DD0BFB477CF557A7082626C0A3EC2754F88C9640FD0851B37152B70375B41E368FF8CBC66C782F0CD6190AB1D8EB1E1295588040BB532754A1210537069BED31
    Malicious:false
    Reputation:unknown
    Preview:..[.s.e.t.t.i.n.g.s.].....C.o.d.e.P.a.g.e.=.1.0.3.3.....L.a.n.g.u.a.g.e.=.E.n.g.l.i.s.h.....F.o.n.t.F.a.c.e.=.T.a.h.o.m.a.....F.o.n.t.H.e.i.g.h.t.=.8.........[.s.t.r.i.n.g.s.].....1.=.&.O.K.....2.=.&.C.a.n.c.e.l.........1.0.6.=.S.e.l.e.c.t. .U.S.B.K.e.y.....1.0.0.7.=.S.e.l.e.c.t. .a. .U.S.B. .K.e.y. .t.o. .o.p.e.r.a.t.e.:.....1.0.0.0.0.=.N.a.m.e.....1.0.0.0.1.=.S.e.r.i.a.l. .N.u.m.b.e.r.........1.0.7.=.L.o.g.o.n.....1.0.1.0.=.N.o.w. .n.e.e.d. .v.e.r.i.f.y. .y.o.u.r. .u.s.e.r. .P.I.N.:.....1.0.1.1.=.U.s.e.r. .P.I.N.:.....2.0.0.0.=.&.L.o.g.i.n.....2.0.0.1.=.&.C.a.n.c.e.l.....2.0.0.3.=.S.o.f.t. .k.e.y.b.o.a.r.d.....2.0.0.0.1.=.V.e.r.i.f.y. .U.s.e.r. .P.I.N.....2.0.0.0.2.=.U.s.e.r. .P.i.n. .h.a.s. .b.e.e.n. .l.o.c.k.e.d.!. .P.l.e.a.s.e. .c.o.n.t.a.c.t. .P.i.n.g.a.n. .K.e.J.i.......2.0.0.0.3.=.U.s.e.r. .P.i.n. .i.s. .W.r.o.n.g.!. .R.e.t.r.y. .t.i.m.e.s.:. .....2.0.0.0.4.=.T.h.e. .l.e.n.g.t.h. .o.f. .P.I.N. .i.s. .o.u.t. .o.f. .r.a.n.g.e.,.p.l.e.a.s.e. .c.h.e.c.k. .a.n.d. .r.e.i.n.p.u.t.!...

    C:\Program Files (x86)\SAS USB Key Manager(Feitian)\lang\escsp_sas_2052.lng

    Download File
    Process:C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):1486
    Entropy (8bit):5.2973749281400035
    Encrypted:false
    SSDEEP:
    MD5:95A092F0FD3CE2B91EBA4512B2B672DA
    SHA1:161727AFCBFA32628899A4900914FBBC36CEE2B1
    SHA-256:E8189AE134C54C9F63F3B5607B79809A61DF1CD7CF1A82F943D794FBCFCD738D
    SHA-512:986BD32CBC562CEBAA8E81F4F38E1C212A55D48EB17D52D955E0038096638798EFAF2591A82260051869845484A44C5C7996D8E8CA6900C2F59EA5308D7A153C
    Malicious:false
    Reputation:unknown
    Preview:..[.s.e.t.t.i.n.g.s.].....C.o.d.e.P.a.g.e.=.2.0.5.2.....L.a.n.g.u.a.g.e.=.S.i.m.p.l.e.C.h.i.n.e.s.e. .(..{SO-N.e).....F.o.n.t.F.a.c.e.=..[SO....F.o.n.t.H.e.i.g.h.t.=.9.........[.s.t.r.i.n.g.s.].....1.=.nx.[(.&.O.).....2.=..S.m(.&.C.).........1.0.6.=....bU.S.B.K.e.y.....1.0.0.7.=......b.N*NU.S.B.K.e.y..L..d\O......1.0.0.0.0.=..T.y....1.0.0.0.1.=..^.R.S........1.0.7.=.{vU_....1.0.1.0.=..s(W.........`.vU.K.E.Y..[.x......1.0.1.1.=.U.K.E.Y..[.x......2.0.0.0.=.{vU_(.&.L.).....2.0.0.1.=..S.m(.&.C.).....2.0.0.3.=.o....v....2.0.0.0.1.=.....U.K.E.Y..[.x......2.0.0.0.2.=.U.K.E.Y..[.x.].~....OO.....Ns^.[.y.bT..|.0....2.0.0.0.3.=.U.K.E.Y..[.x....1Y%... .iRYO.\.!kpe......2.0.0.0.4.=..`..eQ.vU.K.E.Y..[.x*Y........e..eQ......2.0.0.0.5.=..`..eQ.vU.K.E.Y..[.x+T.g.eHeW[&{......e..eQ......2.0.0.0.6.=..`..eQ.vU.K.E.Y..[.x...^.Ncknx......e..eQ......2.0.0.0.7.=.U.S.B.K.e.y..].~...b.Q......2.0.0.0.8.=..S.u.N*g.w..........b.S.m..........1.1.0.0.3.=..O.^.....U.S.B. .K.e.y..{.t.]wQ....3.3.0.0.0.=..b.R..

    C:\Program Files (x86)\SAS USB Key Manager(Feitian)\sascertd.exe

    Download File
    Process:C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):240056
    Entropy (8bit):5.566889202231568
    Encrypted:false
    SSDEEP:
    MD5:A3D725181B41BB8F59FF6060047C5394
    SHA1:ECE3EA635CFDBB73EFA1AB50B2D3CE5F15000772
    SHA-256:A33E3D9B06FB7FA40D11BAECA6DCEDB7B9A7EF6EAE670DC7D9CC6CEA7FA06A25
    SHA-512:D6DA67A7F4506849E4B9BE6A6159DAF5064C82C426FA36960D4D2A38EE9A5A98713A4F2D60EE41E8B31EB7ECBFB627A4EB06FB784F96AE82A59F9B39D36CD529
    Malicious:false
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..pu..#u..#u..#...#w..#...#w..#...#~..#...#q..#u..#..#...#b..#...#U..#..#t..#Richu..#........PE..L...j..f.............................y............@.........................................................................p........@...:...............)...........................................................................................text............................... ..`.rdata..Fg.......p..................@..@.data....(.......0..................@....rsrc....:...@...@...@..............@..@................................................................................................................................................................................................................................................................................................................................................................................

    C:\Program Files (x86)\SAS USB Key Manager(Feitian)\sdbCsp11_s.reg

    Download File
    Process:C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
    File Type:Windows Registry little-endian text (Win2K or above)
    Category:dropped
    Size (bytes):1808
    Entropy (8bit):3.6184024768232996
    Encrypted:false
    SSDEEP:
    MD5:980486DA732120524F85AFC8C5B267B9
    SHA1:3BA3B2DCFF0B826D468E77CACCBB4F87BC276E1A
    SHA-256:38EB4AA237E8AF0B3AE5F497EFB23772B0A1ED8EA6B2A4C94E0835E0491D865F
    SHA-512:54E59C25FB568C5E487501A43383C55546D1CBD7BA16B6A8CA7F5D5092C982A27258B820C0BBE64574573504714900F905848B0CCD15E098BDAE053BF11B08A8
    Malicious:true
    Reputation:unknown
    Preview:..W.i.n.d.o.w.s. .R.e.g.i.s.t.r.y. .E.d.i.t.o.r. .V.e.r.s.i.o.n. .5...0.0.................[.H.K.E.Y._.L.O.C.A.L._.M.A.C.H.I.N.E.\.S.O.F.T.W.A.R.E.\.E.n.t.e.r.S.a.f.e.\.e.P.a.s.s.3.0.0.3.A.u.t.o._.S.D.B.].....".f.l.a.g.s.".=.d.w.o.r.d.:.0.0.0.0.0.0.7.f.........[.H.K.E.Y._.C.U.R.R.E.N.T._.U.S.E.R.\.S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.C.u.r.r.e.n.t.V.e.r.s.i.o.n.\.I.n.t.e.r.n.e.t. .S.e.t.t.i.n.g.s.\.Z.o.n.e.M.a.p.\.D.o.m.a.i.n.s.\.s.d.b...c.o.m...c.n.].........[.H.K.E.Y._.C.U.R.R.E.N.T._.U.S.E.R.\.S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.C.u.r.r.e.n.t.V.e.r.s.i.o.n.\.I.n.t.e.r.n.e.t. .S.e.t.t.i.n.g.s.\.Z.o.n.e.M.a.p.\.D.o.m.a.i.n.s.\.s.d.b...c.o.m...c.n.\.w.w.w.].....".h.t.t.p.".=.d.w.o.r.d.:.0.0.0.0.0.0.0.2.........[.H.K.E.Y._.C.U.R.R.E.N.T._.U.S.E.R.\.S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.C.u.r.r.e.n.t.V.e.r.s.i.o.n.\.I.n.t.e.r.n.e.t. .S.e.t.t.i.n.g.s.\.Z.o.n.e.M.a.p.\.D.o.m.a.i.n.s.\.s.d.b...c.o.m...c.n.\.e.b.a.n.k.].....".h.t.t.p.s.".=.d.

    C:\Program Files (x86)\SAS USB Key Manager(Feitian)\uninst.exe

    Download File
    Process:C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
    Category:dropped
    Size (bytes):60460
    Entropy (8bit):6.717363410015457
    Encrypted:false
    SSDEEP:
    MD5:8AD553A4A7D3BC4364059304D9CFC621
    SHA1:084248200ABB8D88767E6F4FABE4D2FA05EE405B
    SHA-256:8029A1E3FB71B679ED0AB78E38A1A18D2A602BDFFB4BC686F5540CF351BB14F8
    SHA-512:9FCB639A36A47C96AF6F5DEB7FD515B0E046A1EDA0381D941865CE61896322CA339C10D8E41B8D90932BA4B1D1F4584CEEF4A40F5A736DB3527650C66FD66B6F
    Malicious:false
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.ydx..7x..7x..7_Hz7{..7_Hl7i..7x..7..7q..7s..7q..7y..7q..7y..7Richx..7........................PE..L....l.K.................d.......B..K5............@..........................0......i....................................................@..........8 ...)...........................................................................................text....c.......d.................. ..`.rdata...............h..............@..@.data....f..........................@....ndata...................................rsrc....@.......B..................@..@........................................................................................................................................................................................................................................................................................................................................

    C:\Program Files\ \ \is-EV702.tmp

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmp
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):720781
    Entropy (8bit):6.5375460180889196
    Encrypted:false
    SSDEEP:
    MD5:008CE43C032EDD2CE425854D624EDB64
    SHA1:1DCA8542AFAB0FEDA5F194FD314221CCC2EDE739
    SHA-256:3B9B62D9C7C264BD5D70A3B682CBD248CB6F692FC88C6B4E7B43D29F49679412
    SHA-512:D0F56C32F5D1FCAD7FAF36B42E6CF5493A808405D09899AB29CD681544A916AACF63CF6840A463FE7B9F385B8550BC25E8756E922DE7781931620982B4EEBFB2
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 4%
    Reputation:unknown
    Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@.......................................@......@...............................&...........................................................0......................................................CODE............................... ..`DATA.... ...........................@...BSS......................................idata...&.......(..................@....tls......... ...........................rdata.......0......................@..P.reloc..P....@......................@..P.rsrc...............................@..P.....................r..............@..P........................................................................................................................................

    C:\Program Files\ \ \is-F4HQP.tmp

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmp
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):345088
    Entropy (8bit):6.096535035732757
    Encrypted:false
    SSDEEP:
    MD5:EEF55CC43EC77A18BB026B8A773DBEC3
    SHA1:3B3495251B99784550D64FE9DB7971EFB646B140
    SHA-256:12249CF71C9CFA74828B907A0068AEF2CD2DA08E1F04BBD2992E273869C2327C
    SHA-512:D75DFA92C3CB337D3FB7761EFA56AF852C16F15463DA5D8270CE23D80CFDBFC7EF0CE530070082B0660E447B8652F2A7A8EC404F7FCF8AA3E4CE5EFCA37A26BA
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Q..J0..J0..J0....(.K0..Tb+.H0..Tb=.F0..Tb-.N0..m..I0..CH7.S0..m..E0..J0...1..Tb:.E0..CH:.B0..CH=.I0..CH,.K0..Tb*.K0..CH/.K0..RichJ0..........PE..d......`.........." .................................................................J......................................................8{.......P..p6.......@..............t....J...............................................@.. ............................text....,.......................... ..`.rdata..._...@...`...2..............@..@.data....W.......*..................@....pdata...@.......B..................@..@.rsrc...p6...P...8..................@..@.reloc...............6..............@..B................................................................................................................................................................................................................................

    C:\Program Files\ \ \is-PIA1V.tmp

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmp
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):410624
    Entropy (8bit):6.5947998124693115
    Encrypted:false
    SSDEEP:
    MD5:171EB6B81B6BC75C9BA96F9011098907
    SHA1:F70D86C7031E70B2E2034F60DA7BAF6A85B7215A
    SHA-256:828AF4AF120E3BD8F53F0E76236F40227400ECF8FFAAD5E8530E7D60321AC3E2
    SHA-512:560BB9DE7E0688B238F8AEBA55A2131E3ADADEC911F87D6B425594F2A46DADEB140E3FF6F99EFF3AD4477085C17DFBCAA6916952EA86F85FE7C2615775A0468C
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8d..|...|...|...u}n.g...[......u}r.e...[..s...|...L...[..}...bW..y...u}..(...u}x.....u}i.}...bWo.}...u}j.}...Rich|...........................PE..L......`...........!................v0..............................................................................`........y....... ...6...................`...F.................................0-..@............................................text.............................. ..`.rdata..X...........................@..@.data...<}.......4..................@....rsrc....6... ...6..................@..@.reloc...X...`...Z..................@..B........................................................................................................................................................................................................................................................................................

    C:\Program Files\ \ \unins000.dat

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmp
    File Type:InnoSetup Log 64-bit \306\275\260\262\322\370\320\320, version 0x30, 6705 bytes, 639509\user, "C:\Program Files\\306\275\260\262\322\370\320\320\260\262\310\253\327\351\274\376\\306\275\260\262\322\370\320\320\307\251\303\373\277\330\274\376"
    Category:dropped
    Size (bytes):6705
    Entropy (8bit):5.32774022057848
    Encrypted:false
    SSDEEP:
    MD5:F5DFF1A825AD708B2E75D0F656FD30F3
    SHA1:48FE17236AB2894F172FB9578827FEDD0E69D146
    SHA-256:5710EC6BF68F9A3F57C3ABC688D77623C7EC817E400E2BE74D05EAF0DE083E0E
    SHA-512:2CE457D602C72A607A6D4C450873F24F4391B4BA674D099C64EA079305643574BAFEFE9A6B7F67E3C5002AB9F1BBB283CC6F53189857A7265EAC545A95F66DDA
    Malicious:false
    Reputation:unknown
    Preview:Inno Setup Uninstall Log (b) 64-bit.............................PABANKSignTool.................................................................................................................................................................................................................................................0.......1...%.................................................................................................................EA..................Q....639509.user2C:\Program Files\............\............................w.. ..........N.IFPS.............................................................................................................BOOLEAN........................TWIZARDFORM....TWIZARDFORM..............TNEWBUTTON....TNEWBUTTON.........TOBJECT....TOBJECT............................!MAIN....-1.....0.......GROUPDIRROOT....8 @8..REMOVEBACKSLASHUNLESSROOT........EXTRACTFILEPATH...........S.......INITIALIZESETUP....16..REGQUERYSTRINGVALUE...........REMOVEQ

    C:\Program Files\................\................\koalii_svs_acx_x64.dll (copy)

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmp
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):0
    Entropy (8bit):0.0
    Encrypted:false
    SSDEEP:
    MD5:EEF55CC43EC77A18BB026B8A773DBEC3
    SHA1:3B3495251B99784550D64FE9DB7971EFB646B140
    SHA-256:12249CF71C9CFA74828B907A0068AEF2CD2DA08E1F04BBD2992E273869C2327C
    SHA-512:D75DFA92C3CB337D3FB7761EFA56AF852C16F15463DA5D8270CE23D80CFDBFC7EF0CE530070082B0660E447B8652F2A7A8EC404F7FCF8AA3E4CE5EFCA37A26BA
    Malicious:false
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Q..J0..J0..J0....(.K0..Tb+.H0..Tb=.F0..Tb-.N0..m..I0..CH7.S0..m..E0..J0...1..Tb:.E0..CH:.B0..CH=.I0..CH,.K0..Tb*.K0..CH/.K0..RichJ0..........PE..d......`.........." .................................................................J......................................................8{.......P..p6.......@..............t....J...............................................@.. ............................text....,.......................... ..`.rdata..._...@...`...2..............@..@.data....W.......*..................@....pdata...@.......B..................@..@.rsrc...p6...P...8..................@..@.reloc...............6..............@..B................................................................................................................................................................................................................................

    C:\Program Files\................\................\npkoalii_svs_acx.dll (copy)

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmp
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):0
    Entropy (8bit):0.0
    Encrypted:false
    SSDEEP:
    MD5:171EB6B81B6BC75C9BA96F9011098907
    SHA1:F70D86C7031E70B2E2034F60DA7BAF6A85B7215A
    SHA-256:828AF4AF120E3BD8F53F0E76236F40227400ECF8FFAAD5E8530E7D60321AC3E2
    SHA-512:560BB9DE7E0688B238F8AEBA55A2131E3ADADEC911F87D6B425594F2A46DADEB140E3FF6F99EFF3AD4477085C17DFBCAA6916952EA86F85FE7C2615775A0468C
    Malicious:false
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8d..|...|...|...u}n.g...[......u}r.e...[..s...|...L...[..}...bW..y...u}..(...u}x.....u}i.}...bWo.}...u}j.}...Rich|...........................PE..L......`...........!................v0..............................................................................`........y....... ...6...................`...F.................................0-..@............................................text.............................. ..`.rdata..X...........................@..@.data...<}.......4..................@....rsrc....6... ...6..................@..@.reloc...X...`...Z..................@..B........................................................................................................................................................................................................................................................................................

    C:\Program Files\................\................\unins000.exe (copy)

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmp
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):0
    Entropy (8bit):0.0
    Encrypted:false
    SSDEEP:
    MD5:008CE43C032EDD2CE425854D624EDB64
    SHA1:1DCA8542AFAB0FEDA5F194FD314221CCC2EDE739
    SHA-256:3B9B62D9C7C264BD5D70A3B682CBD248CB6F692FC88C6B4E7B43D29F49679412
    SHA-512:D0F56C32F5D1FCAD7FAF36B42E6CF5493A808405D09899AB29CD681544A916AACF63CF6840A463FE7B9F385B8550BC25E8756E922DE7781931620982B4EEBFB2
    Malicious:false
    Reputation:unknown
    Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@.......................................@......@...............................&...........................................................0......................................................CODE............................... ..`DATA.... ...........................@...BSS......................................idata...&.......(..................@....tls......... ...........................rdata.......0......................@..P.reloc..P....@......................@..P.rsrc...............................@..P.....................r..............@..P........................................................................................................................................

    C:\Program Files\Mozilla Firefox\defaults\pref\root_cert_setting_for_websocket.js

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exe
    File Type:ASCII text, with no line terminators
    Category:dropped
    Size (bytes):48
    Entropy (8bit):4.204448698502606
    Encrypted:false
    SSDEEP:
    MD5:4350D5130EB65AFDEEDDA296B703974E
    SHA1:C611C56D2F61E834B601539E96C144B6D1B3B8D9
    SHA-256:DE1C8D23BAE11503F84C7C02084D114C311773AE6FE9A30977ADB80E3F9C0582
    SHA-512:087EFD219B2987A681941EBA4198F480840F34DCB8F452451CC414DB2293A2E82EA0A44DF3D4B2EE2816BB6F89208A4F6D206B56FC1A53D7D6D6E8F39F0224A8
    Malicious:false
    Reputation:unknown
    Preview:pref("security.enterprise_roots.enabled", true);

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ \ \ .lnk

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmp
    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Jan 7 08:07:24 2025, mtime=Tue Jan 7 08:07:24 2025, atime=Tue Jan 7 08:07:24 2025, length=720781, window=hide
    Category:dropped
    Size (bytes):1120
    Entropy (8bit):4.675461171843023
    Encrypted:false
    SSDEEP:
    MD5:5B4AEAC4F3901ADF98972E0B63625730
    SHA1:78E422C8CA32829A60AFB0478FABB4BAE1C24B2C
    SHA-256:AC095AAD5C3EA1EF963BC8B8D93992E503940C88500F53FDD0AE929FF2B19461
    SHA-512:3F97AE70DE1DAC48150FA96A5F7506634F3519675F6A0F5F1AADF86CCB3FDBF5E13D1FBEE107C2909496A1EFF150CDAE55F784B5FA440D3206B352784C4BDB71
    Malicious:false
    Reputation:unknown
    Preview:L..................F.... ..._.&..`....'..`...&..`...............................P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I'Z.H....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....'Z.H..3509~1..R......'Z.H'Z.H..........................Z.......................................h.1.....'Z.H..A7B7~1..R......'Z.H'Z.H...........................[......................................f.2.....'Z.H .unins000.exe..J......'Z.H'Z.H..........................it#.u.n.i.n.s.0.0.0...e.x.e.......n...............-.......m..............t.....C:\Program Files\............\.............\unins000.exe..Q.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.................................\.................................\.u.n.i.n.s.0.0.0...e.x.e.2.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.................................\.................................`.......X.......639509...........hT..CrF.f4... .$

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cloud Core\iProtect\Uninstall iProtect.lnk

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmp
    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Jan 7 08:07:35 2025, mtime=Tue Jan 7 08:07:35 2025, atime=Tue Jan 7 08:07:25 2025, length=1207624, window=hide
    Category:dropped
    Size (bytes):1253
    Entropy (8bit):4.617513815853766
    Encrypted:false
    SSDEEP:
    MD5:59F757B92ADECC24EBEE63D76274ACCE
    SHA1:D2B88817A736C206A25B1998B7EDBC05556F0CDF
    SHA-256:DD44A775B9E5914BAAEF32403FA50C47574C1048E9FC99590AB5471C1F082B99
    SHA-512:7CC589983A81551F4E91ECEF56BAD20A995F8AA2A65BD1B9F324A24FF0641ED1C153124864563D52A5E2B8F2EE61CC8761E7F06C82FA05ACA38D289F7E484142
    Malicious:false
    Reputation:unknown
    Preview:L..................F.... ...V..`..._...`......`..Hm...........................P.O. .:i.....+00.../C:\.....................1.....'Z.H..PROGRA~2.........O.I'Z.H....................V......[..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....^.1.....'Z.H..CLOUDC~1..F......'Z.H'Z.H....4......................|-.C.l.o.u.d. .C.o.r.e.....Z.1.....'Z.H..iProtect..B......'Z.H'Z.H....5.........................i.P.r.o.t.e.c.t.....f.2.Hm..'Z.H .unins000.exe..J......'Z.H'Z.H....:.........................u.n.i.n.s.0.0.0...e.x.e.......f...............-.......e..............t.....C:\Program Files (x86)\Cloud Core\iProtect\unins000.exe..I.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.l.o.u.d. .C.o.r.e.\.i.P.r.o.t.e.c.t.\.u.n.i.n.s.0.0.0...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.l.o.u.d. .C.o.r.e.\.i.P.r.o.t.e.c.t.........*................@Z|...K.J.........`.......X.......639509...........hT..CrF.f4... .d.H......

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EnterSafe\Token Manager.lnk

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exe
    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Aug 20 06:16:18 2024, mtime=Tue Jan 7 08:07:58 2025, atime=Tue Aug 20 06:16:18 2024, length=180808, window=hide
    Category:dropped
    Size (bytes):1067
    Entropy (8bit):4.648596261658345
    Encrypted:false
    SSDEEP:
    MD5:97F8DC67E851BC5A0BA009DDEAC839C5
    SHA1:69237539458FE1E1A49E80A62D897B32F780A244
    SHA-256:4875DC444F5FA71DFFD5B5DB8AFDA4052AAA76FB7987884AF4EF53C8406C0E96
    SHA-512:83FF49CDBF7A249708F3EB850431FEA9FB786108D7A0005CF26ABF9FF470930EAC48CABD7CCD0255819B1111E192C0FA8BA165A47AD54F3A63E673F387286B51
    Malicious:false
    Reputation:unknown
    Preview:L..................F.... ...........p.a..`..........H............................P.O. .:i.....+00.../C:\.....................1.....'Z.H..PROGRA~2.........O.I'Z.H....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....T.1.....'Z.H..3000GM..>......'Z.H'Z.H...........................}.3.0.0.0.G.M.....h.2.H....Y.: .CERTD3~1.EXE..L.......Y.:'Z.H.....\........................c.e.r.t.d.3.k.G.M...e.x.e.......Z...............-.......Y..............t.....C:\Program Files (x86)\3000GM\certd3kGM.exe..:.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.3.0.0.0.G.M.\.c.e.r.t.d.3.k.G.M...e.x.e...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.........*................@Z|...K.J.........`.......X.......639509...........hT..CrF.f4... .7.H...........%..hT..CrF.f4... .7.H...........%.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.......

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EnterSafe\Uninstall.lnk

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exe
    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Jan 7 08:07:54 2025, mtime=Tue Jan 7 08:07:55 2025, atime=Tue Jan 7 08:07:55 2025, length=79635, window=hide
    Category:dropped
    Size (bytes):1050
    Entropy (8bit):4.659053945992794
    Encrypted:false
    SSDEEP:
    MD5:E2189A1D61F2508AF47EF3953EA61364
    SHA1:FF8BD8D89D10842E06090E42CD56574CE2385DCB
    SHA-256:A5AF2743B4C600CE32A97DE34198DDD01395B0C53412E647C4A00433E5630576
    SHA-512:CCC58BC3D6E17D5BCB3477395F19D42A79F6ACA215D0A046128892E82BCE58FC6178A4D0AA1910D829F16B15878F13BF2FF970D51903ED9B46677A47A56BA1F9
    Malicious:false
    Reputation:unknown
    Preview:L..................F.... ...ZZ9..`.."vQ..`.."vQ..`...7......................{....P.O. .:i.....+00.../C:\.....................1.....'Z.H..PROGRA~2.........O.I'Z.H....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....T.1.....'Z.H..3000GM..>......'Z.H'Z.H...........................}.3.0.0.0.G.M.....`.2..7..'Z.H .uninst.exe..F......'Z.H'Z.H.............................u.n.i.n.s.t...e.x.e.......W...............-.......V..............t.....C:\Program Files (x86)\3000GM\uninst.exe..7.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.3.0.0.0.G.M.\.u.n.i.n.s.t...e.x.e...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.........*................@Z|...K.J.........`.......X.......639509...........hT..CrF.f4... .;.H...........%..hT..CrF.f4... .;.H...........%.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.........9...1SPS..mD..p

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SAS USB Key Manager(Feitian)\USB Key Manager.lnk

    Download File
    Process:C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Sep 25 08:02:48 2024, mtime=Tue Jan 7 08:08:01 2025, atime=Wed Sep 25 08:02:48 2024, length=240056, window=hide
    Category:dropped
    Size (bytes):1174
    Entropy (8bit):4.656340841322332
    Encrypted:false
    SSDEEP:
    MD5:13766079380875D8E42715FDD1655A93
    SHA1:4B7D505FF209076ED42FC77EBE58E1369ABC24A1
    SHA-256:2E3A82AE6C1C7DF285CF5917EFC9D523B342CD8668E3F3BF23AA6766165F2B4E
    SHA-512:CC6F446654D2DAB8AB24EF7ECCE15287763CE5A046C27A833323B90D470D7FCC8DA5841DF5A9B8382A6C9B64B74E777091A173AFE94A6B4968E4DEDB2CC50D40
    Malicious:false
    Reputation:unknown
    Preview:L..................F.... ....,I.)...>4..`...,I.)................................P.O. .:i.....+00.../C:\.....................1.....'Z.H..PROGRA~2.........O.I'Z.H....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.......1.....'Z.I..SASUSB~1..j......'Z.H'Z.I.........................8...S.A.S. .U.S.B. .K.e.y. .M.a.n.a.g.e.r.(.F.e.i.t.i.a.n.).....f.2.....9YXH .sascertd.exe..J......9YXH'Z.I...._U........................s.a.s.c.e.r.t.d...e.x.e.......o...............-.......n..............t.....C:\Program Files (x86)\SAS USB Key Manager(Feitian)\sascertd.exe..O.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.S.A.S. .U.S.B. .K.e.y. .M.a.n.a.g.e.r.(.F.e.i.t.i.a.n.).\.s.a.s.c.e.r.t.d...e.x.e...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.........*................@Z|...K.J.........`.......X.......639509...........hT..CrF.f4... ..H...........%..hT..CrF.f4... ..H...........%.............1SPS.XF.L8C....&.m.q.......

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SAS USB Key Manager(Feitian)\Uninstall.lnk

    Download File
    Process:C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Jan 7 08:07:22 2025, mtime=Tue Jan 7 08:07:23 2025, atime=Tue Jan 7 08:07:23 2025, length=60460, window=hide
    Category:dropped
    Size (bytes):1162
    Entropy (8bit):4.667268856941129
    Encrypted:false
    SSDEEP:
    MD5:E9651FCA32CCB0EAE9C2D335069B6D38
    SHA1:86E17E977166282A1CE6E1CF80DA212999F5FE1F
    SHA-256:767D5F8C4772CED940912B741927989A3C8826294A9DDB89E52829A0276D52C6
    SHA-512:78F08B4498D0F4EA9541E35257B7164629C65DE832AD2B7ED383C29EFA5251C9579630FD33D650BAF25BFC6242FA6A3DBD2D70C15CC476912E2AD0C55DFC0072
    Malicious:false
    Reputation:unknown
    Preview:L..................F.... ...)...`.....`.....`..,............................P.O. .:i.....+00.../C:\.....................1.....'Z.H..PROGRA~2.........O.I'Z.H....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.......1.....'Z.I..SASUSB~1..j......'Z.H'Z.I.........................8...S.A.S. .U.S.B. .K.e.y. .M.a.n.a.g.e.r.(.F.e.i.t.i.a.n.).....`.2.,...'Z.H .uninst.exe..F......'Z.H'Z.H...........................3.u.n.i.n.s.t...e.x.e.......m...............-.......l..............t.....C:\Program Files (x86)\SAS USB Key Manager(Feitian)\uninst.exe..M.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.S.A.S. .U.S.B. .K.e.y. .M.a.n.a.g.e.r.(.F.e.i.t.i.a.n.).\.u.n.i.n.s.t...e.x.e...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.........*................@Z|...K.J.........`.......X.......639509...........hT..CrF.f4... ..H...........%..hT..CrF.f4... ..H...........%.............1SPS.XF.L8C....&.m.q............/...S.-

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SZPA USBKEY Tools\USBKEY Tool.lnk

    Download File
    Process:C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exe
    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Mar 22 08:10:10 2021, mtime=Tue Jan 7 08:07:47 2025, atime=Mon Mar 22 08:10:10 2021, length=624120, window=hide
    Category:dropped
    Size (bytes):1165
    Entropy (8bit):4.661348872038116
    Encrypted:false
    SSDEEP:
    MD5:26CE42C8077D9C59155016E37554C903
    SHA1:0A709599377F8C3A59867C5A4A439D8F824C5D10
    SHA-256:908AF55BF383B8C8FB9065082D225C756B95213DBA3B912EAE68EA464CF420D2
    SHA-512:23FF07DE847A9A673786A9FD2BD40B1D7F9C911EEB15F82CED4A641F139E753641CA2001A2FC882F74736BB1B72E1A64702FCDCB70415A1B8297C6412F09BB51
    Malicious:false
    Reputation:unknown
    Preview:L..................F.... .....(....;5...`....(.................................P.O. .:i.....+00.../C:\.....................1.....'Z.H..PROGRA~2.........O.I'Z.H....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....T.1.....'Z.H..Gemini..>......'Z.H'Z.H.............................G.e.m.i.n.i.....N.1.....'Z.H..SZPA..:......'Z.H'Z.H..........................l7..S.Z.P.A.....j.2.....vREI .GMMGR_~1.EXE..N......vREI'Z.H..............................g.m.M.g.r._.s.z.p.a...e.x.e.......`...............-......._..............t.....C:\Program Files (x86)\Gemini\SZPA\gmMgr_szpa.exe..@.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.G.e.m.i.n.i.\.S.Z.P.A.\.g.m.M.g.r._.s.z.p.a...e.x.e...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.........*................@Z|...K.J.........`.......X.......639509...........hT..CrF.f4... ..H...........%..hT..CrF.f4... ..H...........%.............1SPS.XF.L8C....&.m.q............/...

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SZPA USBKEY Tools\Uninstall.lnk

    Download File
    Process:C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exe
    File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
    Category:dropped
    Size (bytes):868
    Entropy (8bit):3.2814233254617338
    Encrypted:false
    SSDEEP:
    MD5:4EDFB460996933760B3066E939FB9BAE
    SHA1:63E47CAB105125C5A5E1A8AEB77B2D488C948F11
    SHA-256:650468BBB0EE5B62709DEF82C908A07832E97184C941E4DADFB9E6B324B58908
    SHA-512:34ED549E3CFBCC9BA1E706B06BF6C1940957E62791054EDFBF3E439591C9F2668DACF61F7D0EA7B9826E284AFA7FFFBA471322288A1F7E65613ED5662DF928B7
    Malicious:false
    Reputation:unknown
    Preview:L..................F.............................................................P.O. .:i.....+00.../C:\...................z.1...........Program Files (x86).X............................................P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...".T.1...........Gemini..>............................................G.e.m.i.n.i.....N.1...........SZPA..:............................................S.Z.P.A.....`.2...........uninst.exe..F............................................u.n.i.n.s.t...e.x.e.......<.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.G.e.m.i.n.i.\.S.Z.P.A.\.u.n.i.n.s.t...e.x.e...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.........*................@Z|...K.J.....................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.................

    C:\Users\Public\Desktop\USBKEY Tool.lnk

    Download File
    Process:C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exe
    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Mar 22 08:10:10 2021, mtime=Tue Jan 7 08:07:47 2025, atime=Mon Mar 22 08:10:10 2021, length=624120, window=hide
    Category:dropped
    Size (bytes):1147
    Entropy (8bit):4.67294302774659
    Encrypted:false
    SSDEEP:
    MD5:DAFFDED3B5F6036EB08D3ADE49A92688
    SHA1:844564283A5EF31D07E351176E6F199290EA77E6
    SHA-256:9866D38B5B5E552EFD1796BF82C466C047C023C8805009AFFC2E8EAC40BF873A
    SHA-512:085D1729D09B32BB08855099F871D5721DDEE72E371B3307B0071983D5BEB5DECC11E321D042ACB591071CC5C6A854615A0717C538CC57E7FC9B7DECB4DA9418
    Malicious:false
    Reputation:unknown
    Preview:L..................F.... .....(....dg...`....(.................................P.O. .:i.....+00.../C:\.....................1.....'Z.H..PROGRA~2.........O.I'Z.H....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....T.1.....'Z.H..Gemini..>......'Z.H'Z.H.............................G.e.m.i.n.i.....N.1.....'Z.H..SZPA..:......'Z.H'Z.H..........................l7..S.Z.P.A.....j.2.....vREI .GMMGR_~1.EXE..N......vREI'Z.H..............................g.m.M.g.r._.s.z.p.a...e.x.e.......`...............-......._..............t.....C:\Program Files (x86)\Gemini\SZPA\gmMgr_szpa.exe..7.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.G.e.m.i.n.i.\.S.Z.P.A.\.g.m.M.g.r._.s.z.p.a...e.x.e...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.........*................@Z|...K.J.........`.......X.......639509...........hT..CrF.f4... ..H...........%..hT..CrF.f4... ..H...........%.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.

    C:\Users\user\AppData\Local\Temp\RegHidDevice.dll

    Download File
    Process:C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):110592
    Entropy (8bit):5.854560948287787
    Encrypted:false
    SSDEEP:
    MD5:4DD57DF2E751FAB70103E105DEE7ECF8
    SHA1:878AFC03BE5BA7F8CD87638C2B6A1A048E00CAA7
    SHA-256:A5A7331A2524F51BA058204C06A31DF8DBB53D80FC33C9A9E2279E2042064A52
    SHA-512:E4EA0C71B8D9FAB9B6D521B001C0B2498AB04DA6BB2CE85388670ECD21F11EBAECC5201EF26CDFF4713055F1088979C2CAFE1DF815F1E41E7F85878EFF84ED8A
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........N..N..N..5..O.....L..!..J..!..O..!..J..N..~.....I..H..J....O....O..RichN..........PE..L....v.E...........!.....0...p......G2.......@.......................................................................M..]....D..x....`...;......................H....................................................@...............................text....%.......0.................. ..`.rdata..]....@.......@..............@..@.data........P.......P..............@....rsrc....;...`...@...`..............@..@.reloc..~...........................@..B........................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Temp\ca.crt

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exe
    File Type:PEM certificate
    Category:dropped
    Size (bytes):1383
    Entropy (8bit):5.900630686823322
    Encrypted:false
    SSDEEP:
    MD5:2C4F4A547771E088E61346836DD1CFB3
    SHA1:33CD72B6E1F1157D6A536A75BAD6D4E0D91C5B86
    SHA-256:040072B3367930AC96B7BFC1F7366272EE9C18E85F5110119A4D7D07556EB296
    SHA-512:661266CF2C936E63558D6CD66D4FE51E4325287B293BB6BD06CAE282BB14A31764BAAED9914D79EC3A8E03D8C89F17180CC58DA1384EFCFB9C8DF4C54F8644A9
    Malicious:false
    Reputation:unknown
    Preview:-----BEGIN CERTIFICATE-----.MIID0TCCArmgAwIBAgIRAL0mH0NsYUMv1zXDAbt7/AUwDQYJKoZIhvcNAQELBQAw.fDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh.biBGcmFuY2lzY28xHDAaBgNVBAoME3dlYnNvY2tldEBsb2NhbGhvc3QxIjAgBgNV.BAMMGXRsc2NhLndlYnNvY2tldEBsb2NhbGhvc3QwHhcNMTcwOTIyMDE0MTQwWhcN.MjcwOTIwMDE0MTQwWjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p.YTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEcMBoGA1UECgwTd2Vic29ja2V0QGxv.Y2FsaG9zdDEiMCAGA1UEAwwZdGxzY2Eud2Vic29ja2V0QGxvY2FsaG9zdDCCASIw.DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9MExQWaHam3XOoDNF3c5Q5CSL5.7c6w8szko93/lkEInCoGSabejGFU2zI2/BC6Or6aiFbSGP/0kmXK+pUNgulNLLCR.om2ytOuQSJofYJWBq2XamFjDzLd/1jPmsj3OND1CPqAxiu14fbhDWhCL0TNqIO56.44vn6UgsglcIKdqRH6fHSTfTiTC3ihsqbt4bwH57zsXWKA4lvKcQBkGEVuVRWYRy.GBuNfXxHUXeyJYE02T2qUbeWLt7QvWYk9kL/hFjC12KHyxmXWjzrJnFJllWhEM/C.UMP+dk+8PUNdk4a3i/BfkcRJHGP/C4GqmNLp9CvSu2qV8h6L6CbyQRx8WY8CAwEA.AaNOMEwwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wKQYDVR0OBCIE.IDHB3Lh7RecoYb3qQDjjCfBS/IMRXDDaTPtfv7bqCud3MA0GCSqGSIb3DQEBCw

    C:\Users\user\AppData\Local\Temp\is-16ENA.tmp\_isetup\_isdecmp.dll

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmp
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):24240
    Entropy (8bit):6.823338888710406
    Encrypted:false
    SSDEEP:
    MD5:77D6D961F71A8C558513BED6FD0AD6F1
    SHA1:122BB9ED6704B72250E4E31B5D5FC2F0476C4B6A
    SHA-256:5DA7C8D33D3B7DB46277012D92875C0B850C8ABF1EB3C8C9C5B9532089A0BCF0
    SHA-512:B0921E2442B4CDEC8CC479BA3751A01C0646A4804E2F4A5D5632FA2DBF54CC45D4CCCFFA4D5B522D42AFC2F6A622E07882ED7E663C8462333B082E82503F335A
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 2%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........I...(...(...(..n ..(...(...(...$..(...$..(...$..(..Rich.(..................PE..L......B...........!..... ..........p........0....P..........................P......K................................;.......;..(....................4...*...@.......0...............................................0...............................text............ .................. ..`.rdata.......0.......$..............@..@.reloc.......@.......2..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Temp\is-AM6E0.tmp\CheckProc.cmd

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-ST82F.tmp\NetCertEnroll.tmp
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):122
    Entropy (8bit):4.772119696872531
    Encrypted:false
    SSDEEP:
    MD5:266E2E4E1AE814480277FAE9A13B17FB
    SHA1:B63ED5F02B4EA30DFF6340E520370DB2163D3C13
    SHA-256:377B76E8401A5E62DA0D89E1FCFC21AF73722AFD9C2EDBB6D8FD3E58B3BEE0EB
    SHA-512:01562196E76B9CE9E1115D7AAC0F0BEFF15CD20F6592F7EF25CB7B2BF1FAEF389E9CD50ACC831F0B274FAC340A2F2891560E4E9CA0CBB96D69E82F6CC5EFFC9B
    Malicious:false
    Reputation:unknown
    Preview:for /f "delims=," %%i in ('tasklist /FI "IMAGENAME eq firefox.exe" /FO CSV') do if "%%~i"=="firefox.exe" exit 1..exit /0..

    C:\Users\user\AppData\Local\Temp\is-AM6E0.tmp\_isetup\_shfoldr.dll

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-ST82F.tmp\NetCertEnroll.tmp
    File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
    Category:dropped
    Size (bytes):23312
    Entropy (8bit):4.596242908851566
    Encrypted:false
    SSDEEP:
    MD5:92DC6EF532FBB4A5C3201469A5B5EB63
    SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
    SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
    SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Temp\is-IB1JI.tmp\pingan_sign_control.tmp

    Download File
    Process:C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):713728
    Entropy (8bit):6.516598351135674
    Encrypted:false
    SSDEEP:
    MD5:832DAB307E54AA08F4B6CDD9B9720361
    SHA1:EBD007FB7482040ECF34339E4BF917209C1018DF
    SHA-256:CC783A04CCBCA4EDD06564F8EC88FE5A15F1E3BB26CEC7DE5E090313520D98F3
    SHA-512:358D43522FD460EB1511708E4DF22EA454A95E5BC3C4841931027B5FA3FB1DDA05D496D8AD0A8B9279B99E6BE74220FE243DB8F08EF49845E9FB35C350EF4B49
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 3%
    Reputation:unknown
    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@.......................................@......@...............................&...........................................................0......................................................CODE............................... ..`DATA.... ...........................@...BSS......................................idata...&.......(..................@....tls......... ...........................rdata.......0......................@..P.reloc..P....@......................@..P.rsrc...............................@..P.....................r..............@..P........................................................................................................................................

    C:\Users\user\AppData\Local\Temp\is-LU8SQ.tmp\ProcessMgr.dll

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmp
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):1578496
    Entropy (8bit):6.4477741322276945
    Encrypted:false
    SSDEEP:
    MD5:D78CBFEC0B12EFE81ECF9502DB68790A
    SHA1:422280236E839FB18F1AEE0582CDF9C8DA068999
    SHA-256:EAF82DD907BA0AE0AECC3E9D3A3DD075D0D3769155B002BCBC781E9B15EDDD9B
    SHA-512:6CCE85CA8AE9D3C790754A6CB558DADF40B0A50EDEC2FDDD5FFBDABFC58862291FAD5BF26DAF76A029A40DC00E169A7B02EB884CE6A4AD0D09C4F40B0DA5E33D
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g.J.#.$.#.$.#.$.*..".$.*../.$.*....$.#.%..$.82....$.82..$.82..Q.$.82.. .$.82..".$.82..".$.Rich#.$.........................PE..L....O.W...........!.....(..........^........@...........................................@..........................E..S.......T.... .......................0.......L..................................@............@...............................text...R&.......(.................. ..`.rdata.......@.......,..............@..@.data........P...X...4..............@....rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Temp\is-LU8SQ.tmp\SetupUtil.dll

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmp
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):2131056
    Entropy (8bit):6.6168434256514335
    Encrypted:false
    SSDEEP:
    MD5:095D2DC2D2F20EFEFA93B5BAF7A5E001
    SHA1:33FD4C828D77472A79AD59A028CC550EDB5B6AC1
    SHA-256:F01598858B6CEC2D81662087A995D18A57499A00291FF4AB83DC6F3345663096
    SHA-512:D622BE8D11AE3B0D63E3544ABBE3422F22EA01C96477D75604B08B8493A3D362A8FA4180F011AB76CF2CF45FF0E0A8DDF3402225079CF1DFC295D59D5BCF2803
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...<,..<,..<,...,..<,...,..<,.c.,..<,.c.,a.<,.c.,..<,...,..<,..=,..<,.c.,..<,.c.,..<,.c.,..<,.c.,..<,Rich..<,................PE..L....a...........!.....D...................`................................!.....*.!...@.........................P...........|........Q...........P .p4...`......@m..............................H~..@............`..X............................text...2B.......D.................. ..`.rdata.......`.......H..............@..@.data...d.... ...b..................@....rsrc....Q.......R...f..............@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Temp\is-LU8SQ.tmp\_isetup\_setup64.tmp

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmp
    File Type:PE32+ executable (console) x86-64, for MS Windows
    Category:dropped
    Size (bytes):6144
    Entropy (8bit):4.720366600008286
    Encrypted:false
    SSDEEP:
    MD5:E4211D6D009757C078A9FAC7FF4F03D4
    SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
    SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
    SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmp

    Download File
    Process:C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):1207624
    Entropy (8bit):6.437291779704638
    Encrypted:false
    SSDEEP:
    MD5:1EC906C3A8B6D4D2778218A7E0AB9931
    SHA1:AD5616FC1C5E67B8E21999EE295B28C081DFB334
    SHA-256:503AA7D88A4DA23563F356EA797B8DC2D9586A72486A52FBA8D183A715C010A8
    SHA-512:1F69E3F8E8AA305F67AA3DCAB389F936C10817A50DA06336F0C1042F6CA328BF5DA797356038CEE321801EBFF85342696FCF5CFE5F969671CBE5B12570837D3B
    Malicious:true
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 3%
    Reputation:unknown
    Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...Rm"[.............................%.......0....@.................................0.....@......@..............................@8...@..................HQ...................................0.......................................................text............................... ..`.itext.............................. ..`.data....0...0...2..................@....bss.....a...p.......L...................idata..@8.......:...L..............@....tls....<.... ...........................rdata.......0......................@..@.rsrc........@......................@..@....................................@..@........................................................................................................................................

    C:\Users\user\AppData\Local\Temp\is-ST82F.tmp\NetCertEnroll.tmp

    Download File
    Process:C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\NetCertEnroll.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):711168
    Entropy (8bit):6.513782388052726
    Encrypted:false
    SSDEEP:
    MD5:FFCF263A020AA7794015AF0EDEE5DF0B
    SHA1:BCE1EB5F0EFB2C83F416B1782EA07C776666FDAB
    SHA-256:1D07CFB7104B85FC0DFFD761F6848AD176117E146BBB4079FE993EFA06B94C64
    SHA-512:49F2B062ADFB99C0C7F1012C56F0B52A8850D9F030CC32073B90025B372E4EB373F06A351E9B33264967427B8174C060C8A6110979F0EAF0872F7DA6D5E4308A
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 4%
    Reputation:unknown
    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@.......................................@......@...............................&........................................................... ......................................................CODE....$........................... ..`DATA.... ...........................@...BSS......................................idata...&.......(..................@....tls.....................................rdata....... ......................@..P.reloc......0......................@..P.rsrc...............................@..P.....................f..............@..P........................................................................................................................................

    C:\Users\user\AppData\Local\Temp\nsm328A.tmp\ESNsisPlugin.dll

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):15656
    Entropy (8bit):6.998291753736171
    Encrypted:false
    SSDEEP:
    MD5:E3780B61DB87B49440FC22360EEAEFFD
    SHA1:F4C1FD6083007B2440C5C5C2E9D288D2B0D875F7
    SHA-256:9266EA117FD5566B5EC23E1B8A4CADE7B08374336C9422DB50728D76D00198B9
    SHA-512:C6FA1706CAB72AEB86A08715D5DC80B4F48E67BE2A7FE2206CDD435930CE4EF3DC0450DE5C10C35994374A9227F1E0014AC9A847F87ACCEF7ED176E04117B200
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t....................................3.....3....p5....Rich...................PE..L....$.R...........!......................... ...............................P......$................................"..n...` ..d.......................()...@....................................................... ..`............................text...2........................... ..`.rdata....... ......................@..@.data...t....0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Temp\nso29CF.tmp

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exe
    File Type:data
    Category:dropped
    Size (bytes):3065841
    Entropy (8bit):6.61697731119794
    Encrypted:false
    SSDEEP:
    MD5:92A486396D29C3CC39370C6D38041C1C
    SHA1:1543FD31389C0C66316C46A88D6ADD2764CE298B
    SHA-256:C1015606F119D204A85B77E724235FDA136E35A022A5A40FA59F469F52914BEE
    SHA-512:DB416A1FB7DB1C5D294A2CC179C628EE4AE743BFD2601EA811B443A7FB2C604C109A708B523344A7F68E66DBC1E8CABA5092EBC857EA1D00B87D03412715A606
    Malicious:false
    Reputation:unknown
    Preview:V}......,.......,.......LA..n...Ti......x|......&}..............................................................................................................................................................................................................................................................................G...N...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Temp\nspB9FE.tmp

    Download File
    Process:C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
    File Type:data
    Category:dropped
    Size (bytes):14071777
    Entropy (8bit):7.7984925083160554
    Encrypted:false
    SSDEEP:
    MD5:F8D12BC212D8768F276262DA96EA3442
    SHA1:81313B590268F99917B30BCAD85063E89B5C6C6C
    SHA-256:C2D10BEA046DF093600EAB0FAC7289AE59FBC92D479FD6349A45F51D1F91C8BF
    SHA-512:9BFF44504DF7B3D23A41114621DF44E1AAB1F901644769C5DE2FCD20DB5DD37C278ACE5BB75A91736DDB2EDB6BC8B602C8F54B2D4A2E14A835E491D42D9AA0DE
    Malicious:false
    Reputation:unknown
    Preview:l.......,.......,.......LA..2....~..............<...........................@...............................................................................................................................................................................................................:...............x"..................4.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Temp\nssFirefox.dll

    Download File
    Process:C:\Program Files (x86)\EsWebSocketKit\FirefoxMOIT.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):69632
    Entropy (8bit):6.219689198191372
    Encrypted:false
    SSDEEP:
    MD5:DD3A47083DF04500BBED296CAD50C17A
    SHA1:8479A361C83FF6A1AEEC222409F630D10B97ABAB
    SHA-256:057301B32288B473D16D494FAD6A933F1D80BDA5DEDDED6700DCFB98C0997EC3
    SHA-512:074715818BDE2C659C34C87CFE251E634365AB6B309A2150B1A50BA97291148286789C70D3F2AB7F0A09A3F7119F90FAC814590F1B49B88126DF4EAFAF86EB0C
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=M..S...S...S.......S......S..t(...S...R..S.......S.......S.......S.......S.Rich..S.........................PE..L...G..S...........!.........Z.......&.......................................`............@.....................................<....0.......................@......................................p...@...............<............................text............................... ..`.rdata..f/.......0..................@..@.data...`,..........................@....rsrc........0......................@..@.reloc..h....@......................@..B........................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Temp\nssFirefox64.dll

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):101800
    Entropy (8bit):6.214953319795782
    Encrypted:false
    SSDEEP:
    MD5:F9D5E26985F3373C0CF6C81FC77282AA
    SHA1:EB583DB51757159AEAC8F763EB47769E00A1697E
    SHA-256:563A0662DC1FE246CD228A822D11EA3D00A7582B382E991C2AA6EFA1D8E44407
    SHA-512:85B5AB236EF0977E879638E6FBD0D7157BC030C5E5F63151A6373BD024E48228AB970B220A993CE59481B922AC9BB9891A9C69109D5BB29020D27BC4ECA51E99
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......|.\+8.2x8.2x8.2x1..x..2x1..xT.2x1..x2.2x..Ix?.2x8.3xY.2x1..x;.2x1..x9.2x1..x9.2xRich8.2x................PE..d...Z..Z.........." .........t.......9..............................................'.....@.........................................@T......$K..P....................v.......... ... ................................................................................text............................... ..`.rdata..!E.......F..................@..@.data...P8...`.......H..............@....pdata...............`..............@..@.rsrc................n..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Temp\nst29EF.tmp\KillProcDLL.dll

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):36864
    Entropy (8bit):4.849788705692745
    Encrypted:false
    SSDEEP:
    MD5:1CC87D2B5A79B18F133B4F944E2F2F74
    SHA1:98E0DDB727C76E06BE1668434D754E5B80A0C154
    SHA-256:DE1177A4BD1C56C3555F366D40B37D7DD9CB25E16C4973D0A4D22BF9A8AF7AED
    SHA-512:D8FEE1C09FEF9AF4E1F38BAAFFA3A6D059713B14ECAD900815C086CC22855644FCDEACD6BBA31EA6E6925831E650F7B0D34E6DEA4C57A978FB4F5BF0CD6D72A9
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>...m...m...mq..m..m...m...m...m...m...m..mq..m...mq..m...mRich...m................PE..L.....J...........!.....P...@...............`......................................................................pj..K....e..(...............................`....................................................`...............................text....D.......P.................. ..`.rdata.......`.......`..............@..@.data...h....p.......p..............@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Temp\nst29EF.tmp\System.dll

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):11264
    Entropy (8bit):5.649341344709636
    Encrypted:false
    SSDEEP:
    MD5:301A9C8739ED3ED955A1BDC472D26F32
    SHA1:A830AB9AE6E8D046B7AB2611BEA7A0A681F29A43
    SHA-256:6EC9FDE89F067B1807325B05089C3AE4822CE7640D78E6F32DBE52F582DE1D92
    SHA-512:41D88489ECB5EC64191493A1ED2ED7095678955D9FA72CCCEA2AE76DD794E62E7B5BD3AA2C313FB4BDF41C2F89F29E4CAFE43D564ECAD80FCE1BF0A240B1E094
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........a..............lt.........................................Rich............PE..L......I...........!.................&.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............................... ..`.rdata.......0......."..............@..@.data...@....@.......&..............@....reloc..>....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Temp\nst29F0.tmp

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):27136
    Entropy (8bit):6.0959595716695025
    Encrypted:false
    SSDEEP:
    MD5:8E83B78D2E265D29A6751DF565646DA6
    SHA1:F9A54B5F68D75A68391EBE8E56F2D4E6CFFD6F69
    SHA-256:CD7B928678E0AD3C6A325103AABA21D00D4BAC58FDF726F38C282F4F93DEF1B1
    SHA-512:7243A2487675B2F223747B77548BE6FB337F3D92C82EC854BECF422C84005096ED16E27D1AB7C6784F0B7BFE215C90EB65F0E2DA07EC31EB38219B48D4C54424
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^.[...5...5...5...;...5..?.,.5...h...5...4.+.5..>...5..1...5.Rich..5.........................PE..L...j6.Z...........!.....J...0...............`.......................................................................i..K....d..<....................................................................................`...............................text....H.......J.................. ..`.rdata..[....`.......N..............@..@.data........p.......X..............@....reloc...............b..............@..B................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Temp\nsuBA1E.tmp\ESNsisPlugin.dll

    Download File
    Process:C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):15656
    Entropy (8bit):6.999001818439209
    Encrypted:false
    SSDEEP:
    MD5:95B5E697F87BF43683C4291D9567A46A
    SHA1:4A9CC640F3ED27223B1E23432B076F4C27E386AF
    SHA-256:A2730394CA25FF4954C73E07DA55922E95439532B64A1C51A4B373679CDCB76B
    SHA-512:28593EBE086C2AAF10467B30A72B212449CA2FD1F8FE7F1697598287F6376B9731F4F1B8415D5A8232FCFE43E587B8CB9ACF88C73307D12F68713C76B6F65885
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t....................................3.....3....p5....Rich...................PE..L....$.R...........!......................... ...............................P.......z..............................."..n...` ..d.......................()...@....................................................... ..`............................text...2........................... ..`.rdata....... ......................@..@.data...t....0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Temp\nsuBA1E.tmp\System.dll

    Download File
    Process:C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):11264
    Entropy (8bit):5.757244749345054
    Encrypted:false
    SSDEEP:
    MD5:959EA64598B9A3E494C00E8FA793BE7E
    SHA1:40F284A3B92C2F04B1038DEF79579D4B3D066EE0
    SHA-256:03CD57AB00236C753E7DDEEE8EE1C10839ACE7C426769982365531042E1F6F8B
    SHA-512:5E765E090F712BEFFCE40C5264674F430B08719940D66E3A4D4A516FD4ADE859F7853F614D9D6BBB602780DE54E11110D66DBB0F9CA20EF6096EDE531F9F6D64
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........a..............lt.........................................Rich............PE..L.....K...........!................e'.......0...............................`.......................................3.......1..P............................P.......................................................0..\............................text...q........................... ..`.rdata.......0......."..............@..@.data...@....@.......&..............@....reloc..L....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Temp\nsuBA1E.tmp\UserInfo.dll

    Download File
    Process:C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):4096
    Entropy (8bit):3.3053206244487083
    Encrypted:false
    SSDEEP:
    MD5:D16E06C5DE8FB8213A0464568ED9852F
    SHA1:D063690DC0D2C824F714ACB5C4BCEDE3AA193F03
    SHA-256:728472BA312AE8AF7F30D758AB473E0772477A68FCD1D2D547DAFE6D8800D531
    SHA-512:60502BB65D91A1A895F38BD0F070738152AF58FFA4AC80BAC3954AA8AAD9FDA9666E773988CBD00CE4741D2454BF5F2E0474CE8EA18CFE863EC4C36D09D1E27A
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......i...-..-..-......*..-..8..$......$...,..$...,..Rich-..................PE..L....l.K...........!................l........ ...............................P......................................p"....... ..<............................@..p.................................................... ..L............................text............................... ..`.rdata....... ......................@..@.data...0....0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\AddTrustSite.exe

    Download File
    Process:C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):44568
    Entropy (8bit):4.703073103477069
    Encrypted:false
    SSDEEP:
    MD5:A3BD4C9AED40F4775077F911F8D042EF
    SHA1:B129ECDC97D358F50B9A5A8EF7CAA779B94C0206
    SHA-256:3DE8FCAD1B5C65BD00AD617D403013E049043F281726881E42EE41FCAA0B35AC
    SHA-512:1E56D91DAC46858FBC9B83115F2A6B623112AAE67BA35D73AC17CFAB2AE59470985B777BE6CE77620EF25DC0953722D62602053BCEE5084C64BDED61E031F5DC
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u..$1.|w1.|w1.|w..rw=.|w..vw+.|w..#w3.|w..!w6.|w1.}w..|w..ww4.|wRich1.|w................PE..L...r.kJ.................@...@...............P....@.................................]........................................T..P....................................................................................P...............................text...87.......@.................. ..`.rdata..h....P.......P..............@..@.data....)...`...0...`..............@...................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\NetCertEnroll.exe

    Download File
    Process:C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):454264
    Entropy (8bit):7.92844504741155
    Encrypted:false
    SSDEEP:
    MD5:136685E9653FF75BA6322B3AA073718B
    SHA1:2D02B6B82E55C7CC802A559BCE3B8A9717100FF4
    SHA-256:275438422FBAB02C40FBCD97BDB31907620A9F3605C2F3580818E8CB311D1720
    SHA-512:6739C805248D5ACB89BE881C9DEA2DE9C60BDBF1EF67E769E4DB813E08B8A65CECEFA095CA3BF9935F40E87092BACA69C49E3A2A2AB0ECF1B8DEA6A86C280169
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 2%
    Reputation:unknown
    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...........@......@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................

    C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\iProtectSetup.exe

    Download File
    Process:C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):7063944
    Entropy (8bit):7.995234281062332
    Encrypted:true
    SSDEEP:
    MD5:B7911D3187EB2B80E4AA9B247A1CC250
    SHA1:E5FA83AB4855751A83840E66565626988C192F12
    SHA-256:021DECA0D8DF8F405801020EED0AB3B6E7B39CA9EE12AFE21C2D5E9AD48443C4
    SHA-512:9B4593905DFA49DE36D54C417B018202240FB33DE3E592AB9EAE51AE32A70521548FDC3C81A9469A30EEAFD20FBEC61839130D86913C70221C6A01B6326C58E6
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...Rm"[..................................... ....@.................................+.l...@......@..................................................(wk.`R...........................................................................................text...\........................... ..`.itext.............................. ..`.data........ ......................@....bss.....V...0...........................idata..............................@....tls.................&...................rdata...............&..............@..@.rsrc................(..............@..@....................................@..@........................................................................................................................................

    C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exe

    Download File
    Process:C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
    Category:dropped
    Size (bytes):625448
    Entropy (8bit):7.958118557526249
    Encrypted:false
    SSDEEP:
    MD5:3A9DF5A936D5CCC8957B64A408FDB337
    SHA1:BC8A301652CC55A19145FFCC0FB569019525A1A1
    SHA-256:390B243D0FF197EABD54814A638A82731DD4ADEF038D03C044BE0545B8C4724B
    SHA-512:0AF4EC3A161F3E40739CE4E2FA0B1B44D098DE88D54E9D9AEEB302013418C0E59B314C1DF683BA88BE008B22E18F05CAB65BC2ABE4408CD19C601E53C3BFFEF7
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i..iw..iu..i...i..id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................................................................t...........E...........K...?...........................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc....E.......F...z..............@..@................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pingan_sign_control.exe

    Download File
    Process:C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):652208
    Entropy (8bit):7.959324213412686
    Encrypted:false
    SSDEEP:
    MD5:EB9012112B7D1D07FF3290E4CE1B5CD3
    SHA1:5723E4E59924EA61603F7B2AEC55CC82502E0156
    SHA-256:AFD137DE5206FB9032E92D990F86CBEB4FCF00CBD8AD855A5ACFFA478EABD7D7
    SHA-512:49C0BDC803C8078E0904B95D63FDB45B789C5A0E13B7BC787F68C25F43A7F22E7088BEF583286481E60FAFC83F6966664B07878284B4D430AD0FD3ABB3081F49
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................P............@......@..............................|.... ...,..........................................................................................................CODE............................... ..`DATA....P...........................@...BSS......................................idata..|...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,... ...,..................@..P.............P......................@..P........................................................................................................................................

    C:\Users\user\AppData\Local\Temp\nsx327A.tmp

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exe
    File Type:data
    Category:dropped
    Size (bytes):3483385
    Entropy (8bit):6.493216966069482
    Encrypted:false
    SSDEEP:
    MD5:6EF4CF881111207C900B8FA99A86AA11
    SHA1:BDD0D7DAA46C26918C51C49D30EDD88E177E2883
    SHA-256:7196DA37C25BBBF3D943CBB0BD234E6BAC44724C5277DB69C23641C064D56CD2
    SHA-512:DE4686AE80F3C1C7524326FC6664DA1BC20E1D2D592F981539963152BA80B67824E2BAC75FD69854283A4C6A49F0BD701E2ECEC6BB8CD449C8FED4FD206AC912
    Malicious:false
    Reputation:unknown
    Preview:$.......,.......,.......D...k....e......H..................................R...........................V...................................................................................................................................................................................J...............@...................C...............................................j.......D...I...J.......U...............................................................................................................W...............U.......................................................-.......................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Temp\regFirefox64.exe

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\EsWebSocketKit.exe
    File Type:PE32+ executable (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):47016
    Entropy (8bit):6.050451698026942
    Encrypted:false
    SSDEEP:
    MD5:8B26D23ED0026EAF0A58B3A082195AE2
    SHA1:5B97C588F10CF7CF81FB6364247A94D59DB0F908
    SHA-256:39E74E20DE6B3BE080F1454293546A50D0EF2F3A78B96B23C02BB35003A62833
    SHA-512:5853AF3874FC4FA2A93B1F8EF3E42A78ED6451A13476696FBFF188311099ADDBD9DABD87688A1C2BBA75C8F57624AA5913CC37659D753969E20CDBD073854ECB
    Malicious:true
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Z...;i..;i..;i..C.;i..C...;i......;i..C...;i..;h..;i..C..;i..C...;i.Rich.;i.........................PE..d..._..Z.........."......\...@.................@..........................................@.....................................................<....................................................................................p...............................text...!Z.......\.................. ..`.rdata... ...p..."...`..............@..@.data....!..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..6...........................@..B........................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert9.db-journal

    Download File
    Process:C:\Users\user\AppData\Local\Temp\regFirefox64.exe
    File Type:data
    Category:dropped
    Size (bytes):197168
    Entropy (8bit):0.12900035859959016
    Encrypted:false
    SSDEEP:
    MD5:4D10DB61E731A2DC52CB52F8008A019B
    SHA1:DBCC42CC4665E6F463BA97D668A290669BFFCAB6
    SHA-256:505534A0177023E71DC3305E72260487896F132C5188B6D344B99A21881D2A27
    SHA-512:558C4A8B33426B3A003F8227210D6E914E3089EC8F54E3B73C93093A4CF5DC7616C1A11C987F170A1FD0234A2FEC9A7C235F75B3C16D657561AB2F318F88D82C
    Malicious:true
    Reputation:unknown
    Preview:............~2.m........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\key4.db-journal

    Download File
    Process:C:\Users\user\AppData\Local\Temp\regFirefox64.exe
    File Type:SQLite Rollback Journal
    Category:dropped
    Size (bytes):512
    Entropy (8bit):0.28499812076190567
    Encrypted:false
    SSDEEP:
    MD5:93659489264F163B306A236BC67F7ACA
    SHA1:613ECEE35460F1F270AB1936B3EADD81DC80FAB3
    SHA-256:66A1397F85C9A98ADC95BD022527DAD86EAF84B9602C1F7F2007280CA4261392
    SHA-512:FE75F413878D77BF384B031DFF6234CAE8B5A44C40CB047BE73FEFCD4AB75C41F34F947BC1AB7555C2240E6A4CF5748AF25362CA76E5444D9294E243D6FECA99
    Malicious:true
    Reputation:unknown
    Preview:.... .c.....k..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\pkcs11.txt

    Download File
    Process:C:\Users\user\AppData\Local\Temp\regFirefox64.exe
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):490
    Entropy (8bit):5.385881781582374
    Encrypted:false
    SSDEEP:
    MD5:EE4EA7FD261107006C2DD1D38768A783
    SHA1:836E60216D149FF4D5FFC731E26DD9369EDC31D8
    SHA-256:09B55473E36FB4C983A459ACE9C4154D8C22562751F8109C531BDA58DB9D2331
    SHA-512:E8AD593E6CFB59179D37B4E8BBE8D47E122D5FFF2FA9F805DD0504076A34A82102C1FFA644CB7855A2DC53BC6C361A5880EC4FE0361A9ADD8C5EDED527A5A159
    Malicious:true
    Reputation:unknown
    Preview:library=..name=NSS Internal PKCS #11 Module..parameters=configdir='C:\\Users\\user\\AppData\\Roaming\\mozilla\\firefox\\Profiles/m8f4v4pw.default' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' ..NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})....

    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\prefs.js

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-ST82F.tmp\NetCertEnroll.tmp
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):66
    Entropy (8bit):4.553145871061936
    Encrypted:false
    SSDEEP:
    MD5:5A26042052497AE9DD7C0E1B6B612BE9
    SHA1:C7A5C8FB5966AEABD0C77F88C31A89D48629B642
    SHA-256:C8CBD898A42C4DD7151C589D5B7BBD3245A5468ACCE90F79F70DDB11E6C3EA5D
    SHA-512:C2277A1CC7018A13E03283A040D4053D38866ADA8D0B3A8495CCBEDBF00505FE230A915AC1D52A0AC69D283800A9ACEC22D898C37506FC4C87FC44EF492B7C24
    Malicious:false
    Reputation:unknown
    Preview:user_pref("dom.ipc.plugins.enabled.npNetCertEnroll.dll", false);..

    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\prefs.js

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-ST82F.tmp\NetCertEnroll.tmp
    File Type:ASCII text, with very long lines (1717), with CRLF line terminators
    Category:dropped
    Size (bytes):9384
    Entropy (8bit):5.525004026855656
    Encrypted:false
    SSDEEP:
    MD5:4A99C1A3A7C01D671CAEA4D34D5C45EA
    SHA1:7C0EB161CB0E04687EA28C93ABEC6FAC82470A26
    SHA-256:E6A6F80F44836269F9CDE77F148E729C10054C0FC7A73955A01E3960AC81BB0A
    SHA-512:4140882F3DA74D0B6BEBECFD34CB7192E47318E8937D73DFADD81322AF0DF9BA5B391A0EA0D6097D6349B2B31BEE0A14A87F338BA42C01B9E946976A01832EBD
    Malicious:false
    Reputation:unknown
    Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "0dbf219f-4e18-464a-957c-ae336603cdcc");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696583305);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696583311);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

    Download File
    Process:C:\Program Files\Windows Defender\MpCmdRun.exe
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:modified
    Size (bytes):4926
    Entropy (8bit):3.2452506016660854
    Encrypted:false
    SSDEEP:
    MD5:DF4DD5AC7DBF52629788F350F23E52AF
    SHA1:19CAEBCCA571CBB1A09D243FC414FB5E237F7D15
    SHA-256:789FDC8CEF46E8A1B6B1ABDACA41FD34F9A69873DA1CE70E5308D2EF8D1B5D98
    SHA-512:5827743B847725E7E01BFA51B9A0D214789B3B807EC276A9469A9DF88C8AB7F0DEEF00E8376DBCD1453B3285A61665D441B9075104DEEB11238EE511999F1569
    Malicious:false
    Reputation:unknown
    Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. O.c.t. .. 0.6. .. 2.0.2.3. .1.1.:.3.5.:.2.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .W.S.C. .S.t.a.t.e. .I.n.f.o. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

    C:\Windows\SysWOW64\SZPAPluto.dll

    Download File
    Process:C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):299512
    Entropy (8bit):6.544473955501152
    Encrypted:false
    SSDEEP:
    MD5:9FF05D9F2DBD93AEB35D9CFDDBA6E93D
    SHA1:4C0EAD5861821DA44944B6B2C3F10107DC80AA03
    SHA-256:17A87376D6955A2F2FE60991304A7E152197EB473DAA9E72FB5AE72DAEDC22EE
    SHA-512:2B2863DF5E5667480698A7309454CA4271ACF8010A6D5B6DFE9DCEBCE77B8BF51131BCC886CB9B671928C0BED11E29913327DFB4FA3B53419B55C7F795F71FE7
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ge..&...&...&...^...&...t...&...^..&...^...&...&...'...^..&...^...&...t...&...^...&..Rich.&..........................PE..L...'^X`...........!.........V......n8.......0..........................................................................*...l........@...9...........l...%......d/...................................p..@............0..`............................text...p........................... ..`.rdata......0......................@..@.data....Q.......4..................@....rsrc....9...@...:..................@..@.reloc..v@.......B...*..............@..B................................................................................................................................................................................................................................................................................................................

    C:\Windows\SysWOW64\ShuttleCsp11_3000GM_PINGAN.dll

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):984656
    Entropy (8bit):6.5815188301818
    Encrypted:false
    SSDEEP:
    MD5:CDB272777D0785C5CF6172CAF23EB9F1
    SHA1:0BA9E802B9C51D8D4BAFA514F07F9933CC498F10
    SHA-256:472F4547FE81E385DEABECA47F00B596BC41BBD633A7BFBB7791F93B0D6EDE6C
    SHA-512:E7A9FAC5F87DC5B255196E29DC0FDEAE37F9F0DA26ACD07DEF93D12160AA7BF214A1849E5D9205452A6B130B2172A1EB6CFF48710536AB6E9C6369F035A7E65D
    Malicious:false
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)..IH..IH..IH..2T..HH...k..KH...T..NH..IH..[J...@..XH..W..H..W..$H...N..HH..W..NH..RichIH..................PE..L....A.f...........!.........z.......+.......................................@......wy...............................................P..x-..............PR......8.......................................................x............................text...N........................... ..`.rdata..............................@..@.data...4s.......(..................@...ve_share ....@......................@....rsrc...x-...P......................@..@.reloc..*...........................@..B................................................................................................................................................................................................................................................................................

    C:\Windows\SysWOW64\ShuttleCsp11_3000GM_PINGAN.sig

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exe
    File Type:data
    Category:dropped
    Size (bytes):256
    Entropy (8bit):7.175009314400863
    Encrypted:false
    SSDEEP:
    MD5:D5E0E67C5938132A83864F455C57C1F8
    SHA1:B7E8A360EFF7A4F643147DF9429D821D794B8EEE
    SHA-256:4046A45715CCDEAAAF8DDE25D8D5768E1D4CE943E70290B9A6D57285BB51DC4E
    SHA-512:FD4E794815F88D5E1CE4775648AA76F9387C14CEC0AF1B42ABA37C6780CFE24E772EEEB13913222E5F9AB82EAF4735BD54983A54F30FFF4F2B4E920976D3D109
    Malicious:false
    Reputation:unknown
    Preview:.....?.1.x..Y.....F...N.HB...1a.........| ..,j&.."....y..Q.\3*m.#.N.c.......l..B.'./..U...s7....ZW,|d>>...5L..../..UP.Io.:..w..S..~...!.. iIxV......mXQ...A=.N8.+.Y_.%.2\k....n.H,...$b...,5.1.(........A..O.&.....Z....x .[..o+....PO...../.H..8.k..

    C:\Windows\SysWOW64\ShuttleCsp11_3000GM_PINGAN_s.dll

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):49152
    Entropy (8bit):4.351608136007874
    Encrypted:false
    SSDEEP:
    MD5:7828978C60977CE61C65906F22FB215E
    SHA1:A8960DBF317A153950F298A84A3265BEAC69E479
    SHA-256:2922F9888B2B13D20AFD6F3E5633595C8867A701006CFB1BBB19E1A2513B038C
    SHA-512:5400A03C18AE03B09FB004E97580397AF78148B96F5F5B4DDB189117B8A45D4BE9CADCF5D2C814CF25E9AF33803F4643AE7DF4F448071FA9E23651D02458C495
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6F..W(.W(.W(..H#.W(.,K&.W(..H".W(.,_u.W(.W)..W(.t#.W(.hQ..W(.Pw,.W(.Rich.W(.................PE..L...p<.E...........!.....P...p......\........`.......................................................................j..Q....f..(.......x.......................D....................................................`...............................text....H.......P.................. ..`.rdata..1....`.......`..............@..@.data....3...p...0...p..............@....rsrc...x...........................@..@.reloc..:...........................@..B................................................................................................................................................................................................................................................................................................................................

    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1A374813EDB1A6631387E414D3E73232

    Download File
    Process:C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exe
    File Type:data
    Category:dropped
    Size (bytes):114187
    Entropy (8bit):6.4520048651660495
    Encrypted:false
    SSDEEP:
    MD5:0FED9DD3C152D468DEEBB944AA95E8DA
    SHA1:99EBE3C5A052992B6E493819EEF66B693A7E241D
    SHA-256:431F216AB5FDD698644D4602DF19B7DFDD5DA54745D76B86EAB98CAB5DE422D8
    SHA-512:95F80C44FD6B2EF0EAE3C08B8DAFD542D167466047CB4B5678D259793292CBF169A3FC382554785D7D6CFADC2C2CFCDB9E0A8295D277B02CF830A1E2F782C2CA
    Malicious:false
    Reputation:unknown
    Preview:0....0.......0...*.H........0i1.0...U....US1.0...U....DigiCert, Inc.1A0?..U...8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1..250106130202Z..250113130202Z0....0!.......0.E....[0...210531000001Z0!...7g...(..^`.x.l...210531000001Z0!...\./M.8..>.f.....210531000001Z0!...*B.Sh...f...s.0..210531000001Z0!..../n...h..7....>..210601000001Z0!..."f...\..N.....X..210601000001Z0!....0..>5..aN.u{D..210601000001Z0!...-...qpWa.!n.....210601000001Z0!...in.H...[u...]....210602000001Z0!......`......._.]...210602000001Z0!...{..e..i......=..210602000001Z0!......S....fNj'.wy..210602000001Z0!......C.lm..B.*.....210602000001Z0!... .}...|.,dk...+..210603000001Z0!...U.K....o.".Rj..210603000001Z0!.....A...K.ZpK..'h..210603000001Z0!.....&}{ ......l..210603000001Z0!...:.m...I.p.;..v..210604000001Z0!...1"uw3..Gou.qg.q..210607000001Z0!...1.o}...c/...-R}..210608000001Z0!................210608000001Z0!...[.N.d............210609000001Z0!......x..i........210610000001Z0!...(... (..#.^.f...210

    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

    Download File
    Process:C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exe
    File Type:data
    Category:dropped
    Size (bytes):471
    Entropy (8bit):7.173502830374321
    Encrypted:false
    SSDEEP:
    MD5:41AE33BB74635F6A70B909F88C993EF9
    SHA1:005AEBE35B5F8D4036F0CECB5970F8D16C0041DF
    SHA-256:9CDEBDDB240A8202B0C21D61780A0E94BF11B6AE1AA0140AD731D5EF4CDEB7FB
    SHA-512:0D014CA2BFDDF8A019FE87B76C3621152B02DC40C961A947341D087CFA86EA2FBEE255F5EFC6130CF4AAE6ECCC69BFFB1C25E5DA68B761E30E0FDCBAA7CFD563
    Malicious:false
    Reputation:unknown
    Preview:0..........0.....+.....0......0...0......E....1-Q...!..m....20250105192252Z0s0q0I0...+...........@..D3=?..Mn8...Q..E....1-Q...!..m........_.fuSC.o.P.....20250105192252Z....20250112192252Z0...*.H.............!...........+Cx.bMR( ..L...D..d.-...Y.(.^....lv..k.<.<...Of.....Z.}.....(..l..E.......2.Pd.:..8f...E......2.9"?o.{z.T.np~. h.r(.-!PP.^uz..!....~:....r.R....~.b7.E`%.zV.O......^P\.......X..86L.U.d?.3....)..!.i.....-.vud.)....o.m:.zw2{.8.#(.Ir.pl?.

    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_E3DA6A93A9D1E8B54B541D1774D4A2F9

    Download File
    Process:C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exe
    File Type:data
    Category:dropped
    Size (bytes):471
    Entropy (8bit):7.172155552773876
    Encrypted:false
    SSDEEP:
    MD5:194CA267935BBDA57F0D63CA243C16B0
    SHA1:1FA6A37EAACA2CE43C7A5696C5BD203166D8D65E
    SHA-256:64A4F77004C92E42017FA7AF575B3BA9496D6CD6E3E6AADB3F569B0A0E59C21D
    SHA-512:EF5410AF3A4C14A8FC50E014AE74EDA16219C112CB275BDFCB003E1A7DC5EC520E05197AC3E24EA7400D96360CFC2A127139FB200A6C7795EB1E4B5DE65F41F3
    Malicious:false
    Reputation:unknown
    Preview:0..........0.....+.....0......0...0......Z.{*....q..`.-.eu.X..20250106123706Z0s0q0I0...+.........G.h..#.....Vm.Q....Z.{*....q..`.-.eu.X......:..af.........20250106122101Z....20250113112101Z0...*.H.............)...WFn..T`..].T.BF..!...L...`......+uV.dc.......U..|..9.$Z.t.E.......@.....5..@....1.'...Ku.....b.g.vo.}...s..a.9BP6....a....X...w.1Z..4..b"...v..K>....Z".]...862~T~..9.......!.../D).6..............0/oU.m_zVP.&...2.;.r..9...l.u.._L.S...

    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

    Download File
    Process:C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exe
    File Type:data
    Category:dropped
    Size (bytes):471
    Entropy (8bit):7.191948373158639
    Encrypted:false
    SSDEEP:
    MD5:5A388D10B8DD4FF342DE769C13E4A110
    SHA1:34F526F7A230BFCCC0F0E9DDC3C137A7AC4523DB
    SHA-256:C2F9CD95933D813471D9E626F7B926BDCFDB5606451FE765D220E05033ACF10B
    SHA-512:9AB38ECCC07953DB67C0DC29E81BE014907B83DEF51CAFEFEFDFD741EC12A763DE4AF562C8B0F8D6EA83C6E51AF91479EC46785574E1A345C9E332FD77316997
    Malicious:false
    Reputation:unknown
    Preview:0..........0.....+.....0......0...0......E....1-Q...!..m....20250106190516Z0s0q0I0...+...........@..D3=?..Mn8...Q..E....1-Q...!..m..........-...P..@.Z....20250106190516Z....20250113190516Z0...*.H...............bkb...VUne...S%..}T)z9....).............sO@.....B.LIH.].........vW...E..~^H.....\.$t........T.&..d.Q5..;e.#W2.`bSq..%....6+..M^J.W..D.:Qh...'....Gx....t.M0.\..I.x.R.........*...cK\..[.....RyM.@...Z.Yi.?..)..O.<j.c.:.%R..\:L.?..oD.x.fZ.jj4...

    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_6A97884DB14EB9A72E484523E5BFEEFC

    Download File
    Process:C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exe
    File Type:data
    Category:dropped
    Size (bytes):727
    Entropy (8bit):7.596490563225594
    Encrypted:false
    SSDEEP:
    MD5:CFA329DB1CD697B7DC3450779043BEAB
    SHA1:9D4A2495FF52E1E0081D91DAC3E47EBAD374C090
    SHA-256:0CD94E289E3610184DEC833416C8EEAF5A6D614B20A6002F0E058DDB516AD311
    SHA-512:F54B5C4DD629429FE842BCB66D5A10028EC86CA6E4A3D20258D239A4F748AACF2B9F2F20345B6BC092E3E95A3BD3D2B8F61828A979EA9061847B9BDAB3E8B9DD
    Malicious:false
    Reputation:unknown
    Preview:0..........0.....+.....0......0...0......h7..;._....a{..e.NB..20250107033105Z0s0q0I0...+.........]....^Idk...NG.X....h7..;._....a{..e.NB....S._.F@%Ij...H....20250107031502Z....20250114021502Z0...*.H.............Q.......m~......M-W.UG..9^..T...YN.*.z...,..fX...V^.R.o.K..........2}O..1........(.C.J3.9<q............)....CV..O...{dw..#..3[..e....<\ _S..|..v:|.)0.Uj.)E..C..=".H.c1.=8$......j.....GCfo.._p..W...t|W...t.;....S.r5..d..3..Jq.n.y.ob..0...CC.M.2..~..6O._..0....e.f#...^..a..Q..p...I..p...".....X5.%.%..h.S.....$..%0...P...;[....jn........FWr...;/...`v..'r..&.$pF.4............`......48&Y...F...d]).h]m|..=(..........Fib.....R.^x......F.........c.:....-..t...]2=.....k......."..V..u....=

    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

    Download File
    Process:C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exe
    File Type:data
    Category:dropped
    Size (bytes):727
    Entropy (8bit):7.55032117090481
    Encrypted:false
    SSDEEP:
    MD5:ECFC080250045654D0779203E07485AA
    SHA1:89815F291F1262BA2BA8E12446B1AA078C079725
    SHA-256:6C865709966696C3D381E362DFFC5EA97A16E3CAB10F4F73E19DA0E30D0E5323
    SHA-512:D923D678368970D624D32BE11FCE1CB3129D1F5412998609813B8BD580FEF62CD61CA694D4CEF7E56C043852105367AD069481A1A9C7B942967679443B3CB09B
    Malicious:false
    Reputation:unknown
    Preview:0..........0.....+.....0......0...0..........q]dL..g?....O..20250106184215Z0s0q0I0...+........."..;F..=\@ua..........q]dL..g?....O....@.`.L.^........20250106184215Z....20250113184215Z0...*.H.................... .......|.....z....F..WZ...>.y..-u....0.......|..I|s...^.jQT~mF...C..8...$.........H4..pd.P.h.-.%>V.y..~!..8..<=...{5".X../..4.q^...?tP...IJqa...%.......`...q.(F.m3.I..`..)...qmR.8..h...b..'.y.I..J......="G../.Zt....;...=...c.s.....nE$?.(.....0.z^.......(J.v..W($.0.#|..8Tw....B4.....)w`H.5..6.w..........b..~%34.c.{.JP...).x....R: |LP."Rs.[..h}..0........v .i.l......l*1....;..........R..|M.x..._e.[6..m...........h.}..T:~.c..`N...us......^....[nv..M...!.N.W.@....8.Cq..._R0.D

    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1A374813EDB1A6631387E414D3E73232

    Download File
    Process:C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exe
    File Type:data
    Category:dropped
    Size (bytes):306
    Entropy (8bit):3.2233320551111055
    Encrypted:false
    SSDEEP:
    MD5:58DC539688E25BA2B33848131038CC79
    SHA1:64084CD239B021F4CB60C2E1165CBD525722C61B
    SHA-256:E6B4BF2D76D08489F00A7E7C90B47C7AB999EB7581D2733B90A8FD7F0888693F
    SHA-512:C9470FD5DF1993EA1189D76599BCEE6935ACC6EF07AF9DB5FE0E09E3EF6AC65A6D2AA077EC44F6E3258B643FF0A53AADEFCE59D876070A2BE022D84E32C3C7BD
    Malicious:false
    Reputation:unknown
    Preview:p...... ........:...`..(....................................................... ........C+.=`.. ..."...............h.t.t.p.:././.c.r.l.3...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.l...".6.7.7.b.d.7.5.e.-.1.b.e.0.b."...

    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\329B6147266C1E26CD774EA22B79EC2E

    Download File
    Process:C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exe
    File Type:data
    Category:dropped
    Size (bytes):306
    Entropy (8bit):3.219263060020136
    Encrypted:false
    SSDEEP:
    MD5:07533CB0A37F83548CFA4F622B5AECF0
    SHA1:429ADA47267A8E92E8719DDCE08A07D91556044C
    SHA-256:2FFE170D2AFD2017E2D062C0D7CEE8583365B61B4CA87ED1C9F1EFDD62FC1DB5
    SHA-512:ED52A2053C56C06E9CFD7E8998FA685DC428804FD83A347505923FB861ED856820FA868311476A680C13ABCF2F2F11B5200E9BD830E1430007B576C43B312E26
    Malicious:false
    Reputation:unknown
    Preview:p...... ........:...`..(....................................................... ........C+.=`.. ..."...............h.t.t.p.:././.c.r.l.4...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.l...".6.7.7.b.d.7.5.e.-.1.b.e.0.b."...

    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

    Download File
    Process:C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exe
    File Type:data
    Category:dropped
    Size (bytes):404
    Entropy (8bit):3.9448318745628357
    Encrypted:false
    SSDEEP:
    MD5:DDBB299CCDE1AF3C0BD0A04837FF9EFB
    SHA1:BA677FEA083095D5900E87698841371846E50418
    SHA-256:B8D48DCD4FCBA4A56AAFBE57C2052413B905BD6F5F27D655CDA9ECB9DD112435
    SHA-512:C1A06F241BF74A98302C5F2209B185EB881E7CFB57A96EB873C87A804D057F97093883084954D5D6BB4F473089911FF600C7D65BDB9AAF91B15B65A1205D53E0
    Malicious:false
    Reputation:unknown
    Preview:p...... .... ....0n..`..(..................6._...._'e...................._'e.. ..........M.`.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.3.x.L.4.L.Q.L.X.D.R.D.M.9.P.6.6.5.T.W.4.4.2.v.r.s.U.Q.Q.U.R.e.u.i.r.%.2.F.S.S.y.4.I.x.L.V.G.L.p.6.c.h.n.f.N.t.y.A.8.C.E.A.Q.J.G.B.t.f.1.b.t.m.d.V.N.D.t.W.%.2.B.V.U.A.g.%.3.D...

    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_E3DA6A93A9D1E8B54B541D1774D4A2F9

    Download File
    Process:C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exe
    File Type:data
    Category:dropped
    Size (bytes):404
    Entropy (8bit):4.004059630090414
    Encrypted:false
    SSDEEP:
    MD5:8374F51C1DC13CCBB6C405C07E3A2403
    SHA1:D130055D3B52F124A260F82B716B4C504D66340E
    SHA-256:7E15AD189443D3554DEF9E7398DA23E70F5105472502CCD6821DA072B90126DB
    SHA-512:7EAC343FC2028AFF76AA61C9B2B93A2EE2440F7217324B87FCD4FC0B94A664F164969A4C3EB80E318FFD5E5293C0C97760881ACEAE7E0A282BC92736AC0BA577
    Malicious:false
    Reputation:unknown
    Preview:p...... .... .......`..(................4.r5`.....9.e.....................9.e.. .........E..`.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.S.n.R.4.F.o.x.L.L.k.I.7.v.k.v.s.U.I.F.l.Z.t.%.2.B.l.G.H.3.g.Q.U.W.s.S.5.e.y.o.K.o.6.X.q.c.Q.P.A.Y.P.k.t.9.m.V.1.D.l.g.C.E.A.S.J.k.N.0.6.%.2.F.C.5.h.Z.r.X.o.l.o.a.n.B.J.k.%.3.D...

    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

    Download File
    Process:C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exe
    File Type:data
    Category:dropped
    Size (bytes):400
    Entropy (8bit):3.9433339195148855
    Encrypted:false
    SSDEEP:
    MD5:3777FCC575C86A321A39F7B1B328EC54
    SHA1:17C38B023FF475AC28FCD24280A67A85B7F312CA
    SHA-256:2848367E1778B1686223D62728C68F552B3A009DEF8B9468416764A4C8537680
    SHA-512:3A573700C278DF8D7BDE8334A71728333483524DCE136B2C0461508F47710ED3CA76198DEDB16CBF8F2A3536B643FCD07C7FD07B814E752EEB5EEFAE0D4561FF
    Malicious:false
    Reputation:unknown
    Preview:p...... ..........`..`..(................~..m`.......e.......................e.. ........O|>.`.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.3.x.L.4.L.Q.L.X.D.R.D.M.9.P.6.6.5.T.W.4.4.2.v.r.s.U.Q.Q.U.R.e.u.i.r.%.2.F.S.S.y.4.I.x.L.V.G.L.p.6.c.h.n.f.N.t.y.A.8.C.E.A.6.b.G.I.7.5.0.C.3.n.7.9.t.Q.4.g.h.A.G.F.o.%.3.D...

    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_6A97884DB14EB9A72E484523E5BFEEFC

    Download File
    Process:C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exe
    File Type:data
    Category:dropped
    Size (bytes):404
    Entropy (8bit):3.516778047688811
    Encrypted:false
    SSDEEP:
    MD5:85526D4D89030CDFC6D497A20F898703
    SHA1:2F755F96B739D5593B77CD46B4015BE817C1B997
    SHA-256:64E4AA84A400CB7EBF67871D485970B7C99B264A6CB63C0C12A9AAE43E115921
    SHA-512:A3DE88E7B7E2E125863A3EC2C2B9387E8C5600C9E250377805EFDAE44E77848C83D06A322BB830D0591A495D627189B582C01F771A469DD352A1980A4D45BD32
    Malicious:false
    Reputation:unknown
    Preview:p...... .... ...TVS..`..(....................................................... ........<.K.`.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.S.R.X.e.r.F.0.e.F.e.S.W.R.r.i.p.T.g.T.k.c.J.W.M.m.7.i.Q.Q.U.a.D.f.g.6.7.Y.7.%.2.B.F.8.R.h.v.v.%.2.B.Y.X.s.I.i.G.X.0.T.k.I.C.E.A.3.Y.U.6.R.f.r.U.Z.A.J.U.l.q.x.c.n.Z.p.U.g.%.3.D...

    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

    Download File
    Process:C:\Program Files (x86)\Cloud Core\iProtect\iProtectSvc.exe
    File Type:data
    Category:dropped
    Size (bytes):412
    Entropy (8bit):3.9428157331832896
    Encrypted:false
    SSDEEP:
    MD5:54092E05224828C583495E07424F8C25
    SHA1:A709FA39A137029815DA7B83C17B5A08FEE7CDB5
    SHA-256:E6C5AC5E376256083C4948EFAA6858E925FE1A061D2305250C736ED9B3F5BB3C
    SHA-512:A37D97C0F6F4AB7135166BCA44131EE428E4F17F15920B41E2A59813FBD881DCA39780DEA1363B4B8CB09E4A20F0535EC9456195E5C240324C5F3614F44B2E02
    Malicious:false
    Reputation:unknown
    Preview:p...... ....(.....U..`..(...................j`....x..e....................x..e.. ..........0.`.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...

    C:\Windows\SysWOW64\ft_pactrl.dll

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):126592
    Entropy (8bit):5.706040755499238
    Encrypted:false
    SSDEEP:
    MD5:5D986FE75373F0849334E06E26A21ECE
    SHA1:55C73D8DDCF8ED155CDAB0EA36A9F5BF61DD2DFD
    SHA-256:E1AF8B04C798FB30706BA66FB2AB157E42B1DCED5CB795CDB1DB01C5A8CB3017
    SHA-512:B1B4211065D2B52DDD268EAD4F738D621BFECED145F3AE56F8EF0FFBDA5810636D9384733DBCC76B5AD2D52F5FDE68C6F93FB209468DE0C998122720370B313B
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........{..f...f...f..,z...f..Gy..-f..,nH..f...f...f..Gy..f...`...f..Gy...f..Rich.f..................PE..L...i=.`...........!.................w..............................................LV..............................0!......p...........@................>......4....................................................................................text............................... ..`.rdata...!.......0..................@..@.data...,A...0...0...0..............@....rsrc...@........ ...`..............@..@.reloc...*.......0..................@..B........................................................................................................................................................................................................................................................................................................................................

    C:\Windows\SysWOW64\gmcsp_szpa.csp

    Download File
    Process:C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):125952
    Entropy (8bit):6.379875160034353
    Encrypted:false
    SSDEEP:
    MD5:CD98C9296D70395B24137466B7FA2597
    SHA1:CAE2A3BE42821E221271DCCEEF26CAEE0DB23B52
    SHA-256:79306993E9E07D21E1EA60D9036BA5924D8A541D32062748776C691CE215E8F7
    SHA-512:CFBABFB02697FC9BDBE1E09A7CC66A536A8A4014A5601079C80000B5D3575E1A0613A986E4970F24CA9FB3752DE374E8A6A7713EB4545DD381EB24B1C6DE3F69
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........T..ZT..ZT..ZG.ZU..Z..ZD..Z].YZS..Z].OZi..Z]._ZS..ZT..Z5..Zs..ZU..Z].HZ}..Z].^ZU..ZJ.XZU..Z].]ZU..ZRichT..Z................PE..L....^X`...........!.....>..........O4.......P...............................0..........................................k...D...........|...........................................................0h..@............P...............................text...k=.......>.................. ..`.rdata...T...P...V...B..............@..@.data...d*..........................@...GMCSP_SH............................@....rsrc...|........ ..................@..@.reloc........... ..................@..B................................................................................................................................................................................................................................................................

    C:\Windows\SysWOW64\gmcsp_szpa.dll

    Download File
    Process:C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):20992
    Entropy (8bit):6.176360312542106
    Encrypted:false
    SSDEEP:
    MD5:DF7C82E80557B1451005875A5F255EBE
    SHA1:8026B9BFA31E3AEE69B4EDF3812AF46B19F64D4B
    SHA-256:55C70A10ED26FA5B1E6500CC7BEEA256D09D256556B8332A576DF363D3C87366
    SHA-512:31634FC46FAE263F47946F6CAACBF862E5B9A0B2054461B086B1959B03DB75852804EAF12AA43A1B853E44A23B68CD1F1421697F2744ADFC9482B7D98CA87AA6
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........9R..jR..jR..j[.tjT..j[.ej_..j[.rjP..j[.bjn..j..jQ..jR..j...ju#.jS..jL.kj\..jL.sjS..jL.ujS..jL.pjS..jRichR..j........PE..L......M...........!.....2...........;.......P......................................L.....@..........................W..O...4T..<....p...............................P...............................S..@............P...............................text....0.......2.................. ..`.rdata.......P.......6..............@..@.data...X....`.......@..............@....rsrc........p.......F..............@..@.reloc...............L..............@..B................................................................................................................................................................................................................................................................................................................

    C:\Windows\SysWOW64\gmcsp_szpa.sig

    Download File
    Process:C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exe
    File Type:data
    Category:dropped
    Size (bytes):128
    Entropy (8bit):6.506879566572159
    Encrypted:false
    SSDEEP:
    MD5:208DF34E63356DF0BF3705853F718193
    SHA1:7A0FD930E900B4010AB081E20E53BC0C73544CC5
    SHA-256:C04FDC0AFC50F2A8CF61183D8E676477352ECFE1D934E90AFAB8088CE9992B1A
    SHA-512:54AEBD8D586FD7C6EF04AB50DB3739AEBB46F3DCE37AC5F5225F49D3D94BCE20D77F475EB8318F43280DD5DBF9B276924AEC69C39512C8E2408E902D48600CEC
    Malicious:false
    Reputation:unknown
    Preview:..=c.?;~h"Z..H..:Gu.qp.Qte..........-...{;h:.~..G.X^r.....d5%..g..h.#...Uy.U/q.. d\..F.%h.Op.L`...4...h....evt.%.;...3..EJ.

    C:\Windows\SysWOW64\gmcsp_szpa_2052.ini

    Download File
    Process:C:\Users\user\AppData\Local\Temp\nswBF4F.tmp\pajdbskey.exe
    File Type:ISO-8859 text, with CRLF line terminators
    Category:dropped
    Size (bytes):548
    Entropy (8bit):6.207902633466191
    Encrypted:false
    SSDEEP:
    MD5:EFC060C1F8D33AFEBE40B9821302DD58
    SHA1:49FE7234582D6208FA0C923C58CEADC6FC2C4C4F
    SHA-256:B9817D219B3D1CF0CFD468CB2FB92109F013E8BF6C4B5243918D7B6D66719F18
    SHA-512:DA5EB69A8006150DB034A0E4EAE661740072C1C3A02FB2F793F56ABEB4C3AD693E5B95627C05D21C26EC3C5CE9F2EA449B7EFDFEF74BB7925BCF5FC275CE3111
    Malicious:false
    Reputation:unknown
    Preview:[string]....1=.....2=.......;login dlg..7000=...USBKEY......7002=..........USBKEY......7006=USBKEY....:..70001=USBKEY.......................70002=USBKEY.................\n\n...................USBKEY..........USBKEY.......!..70003=USBKEY.......................... %d .....70004=...USBKEY.......!..5006=...............;select dlg..7003=...USBKEY..71001=......71002=.........;process dlg..7004=........RSA..........;wait button dlg..7005=..USBKEY..........;..72001=....................USBKEY..

    C:\Windows\SysWOW64\npft_pactrl.dll

    Download File
    Process:C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):102328
    Entropy (8bit):6.316482347612338
    Encrypted:false
    SSDEEP:
    MD5:32D63108648DB679725EE5AF36929328
    SHA1:A20ED29FFF943EF6CC5E6CE1AA583484C4EBB7B1
    SHA-256:FF78889CFA1682DE736D2F5D878951B086B08FB1BE4EC9C41199EA60CB023797
    SHA-512:A24C9D7FAA30001138957BE33CB668AF70D56F8CEC5FB557D508F85DD725D50A62C379757C6DA0FBB9BEE96CF64CDABA529802AF9E6729B79044F5B7F5F32EFE
    Malicious:false
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........K...%..%..%....%.....%....%.5^..%..$...%....%....%....%....%.Rich..%.........................PE..L......f...........!.................W....................................................@..........................-.......'..<....p...............f...)......|...p...................................@...............0............................text...T........................... ..`.rdata..r>.......@..................@..@.data...D<...0... ...$..............@....rsrc........p.......D..............@..@.reloc...............J..............@..B................................................................................................................................................................................................................................................................................................................

    C:\Windows\SysWOW64\sdbCsp11.dll

    Download File
    Process:C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):744376
    Entropy (8bit):6.547664306932754
    Encrypted:false
    SSDEEP:
    MD5:EB6566B87416D78EF67AB8B3DAD7C7A1
    SHA1:EF191DF2486A2B7817AD4821FE3C96BE487DE016
    SHA-256:705E7E3A35760AF6025C08C1E6DD71A97163018622D2938E97498F49AA1820BE
    SHA-512:E8A889D6BC52C47011A175A98B2E181839A47973BFE4030485573488A72E58F27B676AB32A3103110A783B6B6834B5127544FEDED33546176F0566B0C2A00825
    Malicious:false
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t.=...n...n...n.6.n...n...n...n...n...n...n...ny..n...ny..n...n)..n...ny..n...nRich...n........PE..L......f...........!.................Q..............................................>................................e..V....G..,........T...........2...)...`...h......................................................$............................text...b........................... ..`.rdata..............................@..@.data....p...p.......V..............@...ve_share,............Z..............@....rsrc....T.......V...b..............@..@.reloc...x...`...z..................@..B................................................................................................................................................................................................................................................................................................

    C:\Windows\SysWOW64\sdbCsp11.sig

    Download File
    Process:C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
    File Type:data
    Category:dropped
    Size (bytes):256
    Entropy (8bit):7.257507031114784
    Encrypted:false
    SSDEEP:
    MD5:420A735FB2E58073972248BB0DE907BF
    SHA1:19A5EB8167E98D2AF967F147B122BF3608036CDB
    SHA-256:ADB1EE8BA0B7965371F46DB4D199CE0EC844792879C4B8C574189F87ACA9A30B
    SHA-512:52A037B2375CA81C3977F131F348831730B8B57BB44F6FCA847B43C155CCB517A5043A335B82CF6188F4EAB8943EB648235ACCB02900255998BC70D2E38AF2B3
    Malicious:false
    Reputation:unknown
    Preview:D@..1..b.mJi...oFA..!...:mt.~.. ..Q.d....]`..hA/...........3.E..Z.LT.pDU.H....Xc.j..X...-8..vp.....9]_..x2Ur[g.l..\...y..q.x*g..]=..9Wcf..e..|.R....T.M.{..L. .>.W...i5[...m....._.|.....[R_w..Mw~..t.7..}8...z...&.-..1.]...8dH-|."..,.A.....u..

    C:\Windows\SysWOW64\sdbCsp11_s.dll

    Download File
    Process:C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):10752
    Entropy (8bit):4.951784664876952
    Encrypted:false
    SSDEEP:
    MD5:6B27956BA886EE230281D205E09E91A9
    SHA1:D5C7D9297DF241B52573D03185A66528A84F5488
    SHA-256:3DF383F4B0195620BADC0BB9F5E1D86EBDB4975B60DA4B910A26FEE9B4AF474F
    SHA-512:E7B9D770EF04DDA2C2CF144C218851B2B933D59395CAFF6594E70D0D71DB4A78319A51BCBD3479668AB7DAD56ACEE4A24CC3C4206186AD6CC91F5314A498212A
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../..N...N...N..wm.N...Q...N...N.N...Q.N...h...N..JH.N..rn.N..Rich.N..........................PE..L...pN`J...........!......................... ...............................`.......(...............................#..P.... ..P....@.......................P....................................................... ...............................text...h........................... ..`.rdata.. .... ......................@..@.data... ....0......................@....rsrc........@....... ..............@..@.reloc..f....P.......&..............@..B................................................................................................................................................................................................................................................................................................................................

    C:\Windows\System32\ShuttleCsp11_3000GM_PINGAN.dll

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):1607760
    Entropy (8bit):6.236087828715052
    Encrypted:false
    SSDEEP:
    MD5:9B60935771CAA3F365D935D5204BA0AD
    SHA1:CE84DFE089E6D5ACB2840FC79F47BC74857A58E9
    SHA-256:5D66D0EBB3289BC5448C970F746545129136EBD00D13C8C21C6C36148E60C8F5
    SHA-512:02CA90C851DA8DEE0802F359993DB27FBE7A1578749418D8CA1EBDB85DE2347B7ED608218872C04420F5210747C20A9E1835759E2DA0A450EE65505D5C9976FA
    Malicious:false
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........T.CW5..W5..W5..p..P5...zx.U5..^M{.\5..Igj.T5..!...U5..p..N5..W5...7..^Mj..5..^Mm..4..^M|.V5..Igz.V5..^M..V5..RichW5..................PE..d....B.f.........." .........2......t?..............................................................................................@.......(i....... ...e......d....6..PR.......O...........................................................h..@....................text............................... ..`.rdata..V...........................@..@.data....W..........................@....pdata..d............P..............@..@ve_shareD............R..............@....rsrc....e... ...f...V..............@..@.reloc...y.......z..................@..B................................................................................................................................................................................................

    C:\Windows\System32\ShuttleCsp11_3000GM_PINGAN.sig

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exe
    File Type:data
    Category:dropped
    Size (bytes):256
    Entropy (8bit):7.07295581042011
    Encrypted:false
    SSDEEP:
    MD5:D358CFD9132C78DF2ABF6DB7521710D6
    SHA1:A0BA34661AC9DD80F559640E11B25E2CAA2F5FCC
    SHA-256:4E16364DC74F752F3F2CAC544872EE23C7A277030B9F915A5CBC9EA47D64C923
    SHA-512:6E59955938B2AF45704AD5CBEB33991E24C6E689E87FB5169476C342A14E6F30CDAFEF848B7B5B7E060CC3B4CCB2291DDDAC7E6EB83A29431ACEE53F9F7803D7
    Malicious:false
    Reputation:unknown
    Preview:/N...y....5..u....}..P...I`3.u...X.d.8.O.E..........Rc..1C.C...'@G[P&.`.....k8A&huZ{B.z.M.W.g..e.-......t..Tz./Xq..G.^.j7.-....,.;1.F...*.$...5qo..7....-...P.G.l...e1..Vt.i;.U.B.:M1GZ..}@..!`.`x.$.....tvC.0v.{.....;...f.N9......(?........M.....;].3

    C:\Windows\System32\ShuttleCsp11_3000GM_PINGAN_s.dll

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):48128
    Entropy (8bit):5.787809558210488
    Encrypted:false
    SSDEEP:
    MD5:32ED3BED1ADCCF7A765406A88C1E8E38
    SHA1:B3728AD271B36C3CC8E0B2C77D4ED0BBF830E95E
    SHA-256:7C062329835C528928357FEC772F9A7A6DBD8943A59EFD3A108831DBC3067C94
    SHA-512:9EBD42DEED37AFD709CBB4EA3212301DB49107897464E8E285CA2B6F4CA5EB441FF8112E13A8C841FCDF072C997599A3807FFE01866E89F578D5F172873FA9A1
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b.w.&f..&f..&f....b.#f..&f..Df..84..bf..84../f..84..=f..84..'f..84..'f..84..'f..Rich&f..........................PE..d...b.wJ.........." .....l...L.......$...............................................z.................................................P......<....................................................................................................................text....j.......l.................. ..`.rdata..0'.......(...p..............@..@.data...x$..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..H...........................@..B................................................................................................................................................................................................................................................................

    C:\Windows\System32\drivers\CCInputProtect_x64.SYS

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmp
    File Type:PE32+ executable (native) x86-64, for MS Windows
    Category:dropped
    Size (bytes):57760
    Entropy (8bit):6.68963916052761
    Encrypted:false
    SSDEEP:
    MD5:6282EF9B6573C58C53E3B3263D824E77
    SHA1:FE3F0615F9DD3B5BFA6E752BE222E62D43EDC95C
    SHA-256:9B6C08AA9C11811FA8E660E26D5E17402BC8148A6547651DDC38983D3A9C2B40
    SHA-512:D0A70C142B330D514903DF020CA8A9405982FFBA02C5D6F631F7CBB6D369CAEF087F4A4CE51AFE81ABDC4EB5027046F6D25B0084EF73D1178C8754F7446C61EC
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1HK(u)%{u)%{u)%{u)${8)%{..^{r)%{..X{w)%{|Q.{v)%{..H{t)%{|Q.{w)%{|Q.{})%{|Q.{t)%{|Q.{t)%{Richu)%{........PE..d....ayY..........".................<$.......................................P......M.......................................................`$..P....0...................?...@......p...................................................h............................text....r.......t.................. ..h.rdata..p............x..............@..H.data....o..........................@....pdata..............................@..HINIT....J.... ...................... ....rsrc........0......................@..B.reloc.......@......................@..B................................................................................................................................................................................................................................

    C:\Windows\System32\drivers\etc\hosts

    Download File
    Process:C:\Users\user\AppData\Local\Temp\is-QOG9J.tmp\iProtectSetup.tmp
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):857
    Entropy (8bit):4.696217601297639
    Encrypted:false
    SSDEEP:
    MD5:2A57FD79647411C350DDB859653756B8
    SHA1:79960753BD5A9AEF86FD844195E482AE5A846F62
    SHA-256:3DC703C80B6C2477B60FBE752E391178D018D6144E0514DB895F79A4D2F6149E
    SHA-512:BDC09D601D4DC5191A8ACAA3643F60997EEDDDE197813E30EF4D4C2038EE93B2CA66EEAFAD553551118FB4018B2722117333401D300F164B747126A9DAA828B0
    Malicious:true
    Reputation:unknown
    Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost..127.0.0.1 iprotect.cloudcore.cn..

    C:\Windows\System32\ft_pactrl.dll

    Download File
    Process:C:\Program Files (x86)\SAS USB Key Manager(Feitian)\ePass3000GM.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):214144
    Entropy (8bit):6.319729876508696
    Encrypted:false
    SSDEEP:
    MD5:F8A1A88CF570CD4F86ED38A77EABC61D
    SHA1:B21133517A1DB2ABFDD4806B073603B7B3EB43C0
    SHA-256:19D9127201A7FF53AC8BA45BA661614FD89B6014B55370A3B3E2C16728767509
    SHA-512:5B395E6D0144D531DE23E929D1F947434629913BEA0E10E69C4051D523EB4C260377FCC7B40748477455A1BC407B2FCD382E1B6775922FF818AE544261A93790
    Malicious:true
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b.E)&.+z&.+z&.+z..z'.+z8.z-.+z8.z..+z8.zd.+z.gFz$.+z.gPz+.+z&.*z..+z/.z..+z/.z'.+z8.z'.+z/.z'.+zRich&.+z........................PE..d...u>.`.........." .........................................................`.............................................................. ........0..4.......D........>...P..T.................................................... ..8............................text............................... ..`.rdata..6.... ......................@..@.data....M.......&..................@....pdata..D...........................@..@.rsrc...4....0......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................

    C:\Windows\System32\sdbCsp11.dll

    Download File
    Process:C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):1192888
    Entropy (8bit):6.18237903516358
    Encrypted:false
    SSDEEP:
    MD5:F878E65C8AD1B0D4A79371F83C558852
    SHA1:5202191F78F71D5C82284F773A80247017BBA111
    SHA-256:A50D00C2E1EF1439FEFFEB1623227B97264A54F4A9C110FC01E67F65DB0CD3FD
    SHA-512:2722F1C5E726697B41CCBAEB858864E63E148420CFF76BD82CC4B696B4C53F7236D8BE3B6EEB7E90F37B6695BF3009CC2037B46008117F8FE1D39C01165EA276
    Malicious:false
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........"..L...L...L..A7...L...!...L.(....L......L......L...7...L...M...L....P.L....l.L......L......L......L.Rich..L.........................PE..d......f.........." ................T'..............................................SB..............................................0%..V...@...,.......X....0..,........)........................................................... ..x.......@....................text............................... ..`.rdata....... ......................@..@.data........0...P..."..............@....pdata..,....0.......r..............@..@ve_shareH...........................@....rsrc...X............6..............@..@.reloc..bD.......F..................@..B........................................................................................................................................................................................

    C:\Windows\System32\sdbCsp11.sig

    Download File
    Process:C:\Users\user\AppData\Local\Temp\Temp1_sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip\sasdriver_2.0.20.119.exe
    File Type:data
    Category:dropped
    Size (bytes):256
    Entropy (8bit):7.202819531114784
    Encrypted:false
    SSDEEP:
    MD5:D99D55CA1BFD47B890C83BCDDD1B633F
    SHA1:8504D2A57B362EE161A82EDDDD395F8E1EBE75C5
    SHA-256:B5229C17D6AEAA9678C90630BC3F593295D0FC10BD7BC47652E7CCCA12F7912C
    SHA-512:1D031F23A27F30260934B02651A852625026AA198F84450466860A4CC5D5AB26B86E1ABDDCD6EF8DE9777CDF7A4EC9CAE5FEE8692B67F41BFEDE008CF9810EAA
    Malicious:false
    Reputation:unknown
    Preview:(..\../....[...:QY..L...4|.]....*w...|".\q..J.\lv2...,....OG.~.b..@d.D.7.Ym]f.............)./.[...yi_.Kr....pp...V..A.0f<..........J.....w.....m...C.I.k3N7..O..7...Z....s...b.'..!.1.(..2.....1.B.[...DX+.....x.r......&.g.............V.u..C2

    \Device\ConDrv

    Download File
    Process:C:\Windows\SysWOW64\netsh.exe
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):7
    Entropy (8bit):2.2359263506290326
    Encrypted:false
    SSDEEP:
    MD5:F1CA165C0DA831C9A17D08C4DECBD114
    SHA1:D750F8260312A40968458169B496C40DACC751CA
    SHA-256:ACCF036232D2570796BF0ABF71FFE342DC35E2F07B12041FE739D44A06F36AF8
    SHA-512:052FF09612F382505B049EF15D9FB83E46430B5EE4EEFB0F865CD1A3A50FDFA6FFF573E0EF940F26E955270502D5774187CD88B90CD53792AC1F6DFA37E4B646
    Malicious:false
    Reputation:unknown
    Preview:Ok.....

    Static File Info

    General

    File type:Zip archive data, at least v2.0 to extract, compression method=deflate
    Entropy (8bit):7.999984282472204
    TrID:
    • ZIP compressed archive (8000/1) 100.00%
    File name:sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip
    File size:11'863'511 bytes
    MD5:38d2a1b1bbff49eb73a28fec2dc80282
    SHA1:294749e3fbd32386a5bcac50f8ce59b85eb9f20d
    SHA256:fde085813fef08180b4e42af2cc210e731419a08041496cf3d284ae9d6240d0d
    SHA512:387e66384bafcbff6776f2d9f3d4290a1967f7461cd80878c0089000cd595774b8c747a0a3fb6813b86b6447bebd2a590d9b355a1633dd3be9c46e63fc29d72a
    SSDEEP:196608:JNJiyHDg4KLX/TKWHpRgwcDrx+phZWP6pSzYMTCMCef/YJ91znBGzNuXXlAIxT:vEH4o/TKWJRfcfxEQj7f/YJ91tseuwT
    TLSH:58C63370D17CB1881B65DA5F6B3376D11C720F35DC398D5A7C282BACA1FAA4889B0D2D
    File Content Preview:PK.........>'Za........I....$.sasdriver_2.0.20.119.exe.. ............R.`.....R.`.....R.`...p#..'.w...8.D.?X.rbr..(A....?X.].E.n..o?)....V....^h.z..4}4.Q]^4._SM.Cr..wu6....\.?].Y.|I.Q..S._..P0...I[@>.......e..o.1zR4r...F6.yP#j..../3.7.8T...q.....>.Y.......

    File Icon

    Icon Hash:1c1c1e4e4ececedc