Edit tour

Windows Analysis Report
BWCStartMSI.exe

Overview

General Information

Sample name:	BWCStartMSI.exe
Analysis ID:	1574547
MD5:	89d75b7846db98111be948830f9cf7c2
SHA1:	3771cbe04980af3cdca295df79346456d1207051
SHA256:	1077f5ff5fc1c7b7ce347323d14ba387f43e9cfab9808fa31a1cd3144fa05ef4
Infos:

Detection

Score:	54
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	32
Range:	0 - 100

Signatures

Antivirus detection for URL or domain

.NET source code contains potential unpacker

Changes the wallpaper picture

PE file contains section with special chars

PE file has nameless sections

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for available system drives (often done to infect USB drives)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

EXE planting / hijacking vulnerabilities found

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potentially Suspicious Desktop Background Change Via Registry

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64native

BWCStartMSI.exe (PID: 3436 cmdline: "C:\Users\user\Desktop\BWCStartMSI.exe" MD5: 89D75B7846DB98111BE948830F9CF7C2)

BWCStartMSI.exe (PID: 1096 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe MD5: A923912A4643C5502E6C14F423065F11)

msiexec.exe (PID: 2928 cmdline: "C:\Windows\System32\msiexec.exe" /q /i BWCInstaller.msi /norestart MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 4176 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 4324 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 1E7C6F8FE305CF59FC9AE1ED4206AF89 MD5: 9D09DC1EDA745A5F87553048E57620CF)

rundll32.exe (PID: 3516 cmdline: rundll32.exe "C:\Windows\Installer\MSI4343.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_8209281 2 CustomActions!CustomActions.CustomActions.StartApp MD5: 889B99C52A60DD49227C5E485A016679)

BingWallpaperApp.exe (PID: 7648 cmdline: "C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe" MD5: 5DDF6C0675019C3A758236D0DB069D15)

rundll32.exe (PID: 3400 cmdline: rundll32.exe "C:\Windows\Installer\MSI472C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_8210250 8 CustomActions!CustomActions.CustomActions.InstallPing MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7644 cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\" MD5: EF3179D498793BF4234F708D3BE28633)

BingWallpaperApp.exe (PID: 448 cmdline: "C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe" MD5: 5DDF6C0675019C3A758236D0DB069D15)

BingWallpaperApp.exe (PID: 3332 cmdline: "C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe" MD5: 5DDF6C0675019C3A758236D0DB069D15)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
7.0.BingWallpaperApp.exe.5e0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\msiexec.exe, ProcessId: 4176, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BingWallpaperApp

Sigma detected: Potentially Suspicious Desktop Background Change Via Registry

Source: Registry Key set

Author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ): Data: Details: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\WPImages\20241213.jpg, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe, ProcessId: 7648, TargetObject: HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\BWCStartMSI.exe, ProcessId: 3436, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://bgteamtestapp.azurewebsites.net/api/BWC/getnotificationvartype?	Avira URL Cloud: Label: malware
Source: https://bgteamtestapp.azurewebsites.net/api/BWC/getnotificationtext?3	Avira URL Cloud: Label: malware
Source: https://bgteamtestapp.azurewebsites.net/api/COSMOSIntermediateAPI/SendPing?	Avira URL Cloud: Label: malware
Source: https://bgteamtestapp.azurewebsites.net/api/BWC/getnotificationtext?	Avira URL Cloud: Label: malware

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\BWCStartMSI.exe	Code function: 0_2_00952F10 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,	0_2_00952F10
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BEFFAF0 SHGetFolderPathAndSubDirW,PathFileExistsW,CopyFileW,PathFileExistsW,CryptUnprotectData,GetSystemTime,SystemTimeToFileTime,DeleteFileW,	7_2_6BEFFAF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_6CF56C80 CreateFileW,GetFileInformationByHandle,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptCreateHash,lstrlenW,CryptHashData,CryptDeriveKey,ReadFile,CryptDecrypt,MultiByteToWideChar,	8_2_6CF56C80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_6CF56A90 lstrlenW,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptCreateHash,lstrlenW,CryptHashData,CryptDeriveKey,WideCharToMultiByte,WideCharToMultiByte,CryptEncrypt,CreateFileW,WriteFile,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,	8_2_6CF56A90

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Windows\System32\msiexec.exe	EXE: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BWCUpdater.exe			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	EXE: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe			Jump to behavior

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Windows\System32\msiexec.exe	EXE: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BWCUpdater.exe			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	EXE: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe			Jump to behavior

Uses 32bit PE files

Source: BWCStartMSI.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

PE / OLE file has a valid certificate

Source: BWCStartMSI.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: BWCStartMSI.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: /_/Src/Newtonsoft.Json.Schema/obj/Release/net45/Newtonsoft.Json.Schema.pdb source: BingWallpaperApp.exe, 00000007.00000002.20785745454.0000000007F10000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json.Schema/obj/Release/net45/Newtonsoft.Json.Schema.pdbSHA256 source: BingWallpaperApp.exe, 00000007.00000002.20785745454.0000000007F10000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: BWCUpdater.pdb source: BWCUpdater.exe.4.dr
Source:	Binary string: D:\Ramesh\VSTS\BingGrowthApps\Installers\BWCInstaller\Common\CustomActions\obj\x86\Release\CustomActions.pdb source: rundll32.exe, 00000006.00000003.15725259867.0000000004E4C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.15734862879.00000000046E5000.00000004.00000020.00020000.00000000.sdmp, CustomActions.dll.6.dr, CustomActions.dll.8.dr
Source:	Binary string: wextract.pdb source: BWCStartMSI.exe
Source:	Binary string: D:\Ramesh\VSTS\BingGrowthApps\Installers\BWCInstaller\Common\CustomActions\obj\x86\Release\CustomActions.pdbPkjk \k_CorDllMainmscoree.dll source: rundll32.exe, 00000006.00000003.15725259867.0000000004E4C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.15734862879.00000000046E5000.00000004.00000020.00020000.00000000.sdmp, CustomActions.dll.6.dr, CustomActions.dll.8.dr
Source:	Binary string: wextract.pdbGCTL source: BWCStartMSI.exe
Source:	Binary string: D:\UNIWIN CLONE\Applications\DefaultOffer_V2\Release\BrowserSettings.pdb source: BingWallpaperApp.exe, 00000007.00000002.20771265816.00000000041D1000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp, BrowserSettings.dll.7.dr
Source:	Binary string: D:\Ramesh\VSTS\BingGrowthApps\Applications\BingWallpaperApp\Release\CryptFile.pdb source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Projects\SourceCode\BGA-Repo\Applications\BingWallpaperApp\Release\DispatchQueue.pdb source: rundll32.exe, 00000006.00000003.15725421874.000000000316B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.15725259867.0000000004E7C000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20793536348.000000006DA0C000.00000002.00000001.01000000.00000013.sdmp, rundll32.exe, 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmp, rundll32.exe, 00000008.00000003.15735175327.0000000002A8D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.15734862879.0000000004715000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp, DispatchQueue.dll.7.dr, DispatchQueue.dll.6.dr, DispatchQueue.dll.8.dr
Source:	Binary string: D:\UNIWIN CLONE\Applications\DefaultOffer_V2\Release\BrowserSettings.pdbT source: BingWallpaperApp.exe, 00000007.00000002.20771265816.00000000041D1000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp, BrowserSettings.dll.7.dr
Source:	Binary string: D:\VSTS\BG\Libraries\EEISilentInstallerLib\obj\Release\EEISilentInstallerLib.pdb source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: BingWallpaperApp.exe, 00000007.00000002.20782232342.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\dev\sqlite\dotnet-private\obj\2015\System.Data.SQLite.2015\Release\System.Data.SQLite.pdb source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\v-arushgupta\source\repos\BingGrowthApps\Installers\BWCStartMSI\BWCStartMSI\obj\Release\BWCStartMSI.pdb source: BWCStartMSI.exe, 00000002.00000000.15704651755.0000000000D12000.00000002.00000001.01000000.00000004.sdmp, BWCStartMSI.exe.0.dr
Source:	Binary string: ~C:\agent\_work\8\s\build\ship\x86\SfxCA.pdb source: BWCStartMSI.exe, 00000000.00000003.15704067824.0000000005582000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: rundll32.exe, 00000006.00000003.15725259867.0000000004E4C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.15734862879.00000000046E5000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.8.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000006.00000003.15725259867.0000000004E4C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.15734862879.00000000046E5000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.8.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256^Y source: BingWallpaperApp.exe, 00000007.00000002.20782232342.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\dev\sqlite\dotnet-private\bin\2015\Win32\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\SfxCA.pdb source: BWCStartMSI.exe, 00000000.00000003.15704067824.0000000005582000.00000004.00000020.00020000.00000000.sdmp, 7d3d28.msi.4.dr, MSI4343.tmp.4.dr, 7d3d2b.msi.4.dr

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: d:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\BWCStartMSI.exe	Code function: 0_2_00952395 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00952395
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BEDC660 FindFirstFileW,FindNextFileW,FindClose,	7_2_6BEDC660
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BED8580 FindFirstFileW,FindNextFileW,FindClose,FindClose,	7_2_6BED8580
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_6CF537BF RegOpenKeyExW,RegCreateKeyExW,RegSetValueExW,RegCloseKey,SHGetFolderPathAndSubDirW,FindFirstFileW,FindNextFileW,FindClose,	8_2_6CF537BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_6CF62D02 FindFirstFileExW,	8_2_6CF62D02
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_6CF53FC7 FindFirstFileW,FindNextFileW,FindClose,	8_2_6CF53FC7

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 7.0.BingWallpaperApp.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe, type: DROPPED

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: BingWallpaperApp.exe, 00000007.00000002.20787912401.0000000008113000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: prompt","domain":"www.povarenok.ru"},{"applied_policy":"prompt","domain":"www.estadao.com.br"},{"applied_policy":"prompt","domain":"olxpakistan.os.tc"},{"applied_policy":"prompt","domain":"televisa.com"},{"applied_policy":"prompt","domain":"uol.com.br"},{"applied_policy":"prompt","domain":"www.axisbank.com"},{"applied_policy":"prompt","domain":"mutualfund.adityabirlacapital.com"},{"applied_policy":"prompt","domain":"www.facebook.com"},{"applied_policy":"prompt","domain":"www.instagram.com"},{"applied_policy":"prompt","domain":"www.messenger.com"}],"policies":[{"name":"prompt","reason":"","type":"","value":""}],"version":1}}/cli>> equals www.facebook.com (Facebook)
Source: BingWallpaperApp.exe, 00000007.00000002.20790378741.000000000ABDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: {"abusive_adblocker_etag":"\"1632267943\"","browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"edge":{"perf_center":{"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"external_config_domain_actions":{"cdm_override":{"applications":[{"applied_policy":"OnlyExposePlayReady","domain":"sling.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tou.tv"},{"applied_policy":"OnlyExposeWidevine","domain":"maxdome.de"},{"applied_policy":"OnlyExposeWidevine","domain":"abc.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tv.apple.com"},{"applied_policy":"OnlyExposeWidevine","domain":"la7.it"},{"applied_policy":"OnlyExposeWidevine","domain":"xfinity.com"},{"applied_policy":"OnlyExposeWidevine","domain":"watchtv.cox.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ignitetv.rogers.com"},{"applied_policy":"OnlyExposeWidevine","domain":"bluecurvetv.shaw.ca"},{"applied_policy":"OnlyExposeWidevine","domain":"helix.videotron.com"},{"applied_policy":"OnlyExposeWidevine","domain":"criterionchannel.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ntathome.com"},{"applied_policy":"OnlyExposeWidevine","domain":"wowpresentsplus.com"},{"applied_policy":"OnlyExposeWidevine","domain":"vhx.tv"},{"applied_policy":"OnlyExposePlayReady","domain":"hulu.com"},{"applied_policy":"OnlyExposeWidevine","domain":"app.quickhelp.com"},{"applied_policy":"OnlyExposeWidevine","domain":"DishAnywhere.com"}],"policies":[{"name":"OnlyExposePlayReady","type":"Playready"},{"name":"OnlyExposeWidevine","type":"Widevine"}],"version":1},"codec_override":{"applications":[{"applied_policy":"HideMfHevcCodec","domain":"tv.apple.com"},{"applied_policy":"HideMfHevcCodec","domain":"nintendo.com"}],"policies":[{"name":"HideMfHevcCodec","type":"MfHevcCodec"}],"version":1},"content_filter_on_off_switch":{"applications":[{"applied_policy":"ContentFilter","domain":"microsoft.com"}],"policies":[{"name":"ContentFilter"}],"version":1},"ecp_override":{"applications":[{"applied_policy":"PlainTextURLsOnly","domain":"hangouts.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"chat.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"slack.com"},{"applied_policy":"PlainTextURLsOnly","domain":"facebook.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wechat.com"},{"applied_policy":"PlainTextURLsOnly","domain":"weixin.com"},{"applied_policy":"PlainTextURLsOnly","domain":"qq.com"},{"applied_policy":"PlainTextURLsOnly","domain":"webex.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wordpress.com"},{"applied_policy":"PlainTextURLsOnly","domain":"twitter.com"},{"applied_policy":"PlainTextURLsOnly","domain":"discord.com"}],"policies":[{"name":"PlainTextURLsOnly","type":"ECPOnlyPlaintextURLs"}],"version":1},"idl_override":{"applications":[{"applied_policy":"ExposePrefixedEME","domain":"netflix.com"},{"applied_policy":"ExposePrefix

Source: global traffic

DNS traffic detected: DNS query: g.ceipmsn.com

Source: BingWallpaperApp.exe, 00000007.00000002.20782232342.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: BingWallpaperApp.exe, 00000007.00000002.20782232342.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: BingWallpaperApp.exe, 00000007.00000002.20782232342.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006272000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crx
Source: BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: BingWallpaperApp.exe, 00000007.00000002.20782232342.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: BingWallpaperApp.exe, 00000007.00000002.20782232342.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: BingWallpaperApp.exe, 00000007.00000002.20782232342.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: BingWallpaperApp.exe, 00000007.00000002.20782232342.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: BingWallpaperApp.exe, 00000007.00000002.20782232342.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: BingWallpaperApp.exe, 00000007.00000002.20782232342.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: BingWallpaperApp.exe, 00000007.00000002.20782232342.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: rundll32.exe, 00000008.00000002.15741067226.0000000002AA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://g.ceipmsn.com/8SE/44?MI=64BE9693AC0BA
Source: rundll32.exe, 00000008.00000002.15741067226.0000000002AA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://g.ceipmsn.com/8SE/44?MI=64BE9693AC0BA526EB78E89A5
Source: rundll32.exe, 00000008.00000002.15741067226.0000000002AA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://g.ceipmsn.com/8SE/44?MI=64BE9693AC0BA526EB78E89A5DFE3
Source: rundll32.exe, 00000008.00000002.15741067226.0000000002B40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.15740913039.00000000028B9000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://g.ceipmsn.com/8SE/44?MI=64BE9693AC0BA526EB78E89A5DFE3A31&LV=10.0.19041.746&OS=10.0.19042.1&TE
Source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: BingWallpaperApp.exe, 00000007.00000002.20765836667.000000000329E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://json-schema.org/draft-03/schema
Source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://json-schema.org/draft-03/schema#
Source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://json-schema.org/draft-04/schema#
Source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://json-schema.org/draft-06/schema#
Source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://json-schema.org/draft-07/schema#
Source: BingWallpaperApp.exe, 00000007.00000002.20782232342.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: BingWallpaperApp.exe, 00000007.00000002.20782232342.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0K
Source: BingWallpaperApp.exe, 00000007.00000002.20782232342.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: BingWallpaperApp.exe, 00000007.00000002.20782232342.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: BingWallpaperApp.exe, 00000007.00000002.20765836667.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://tempuri.org/XMLSchema.xsd
Source: rundll32.exe, 00000006.00000003.15725259867.0000000004E4C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.15734862879.00000000046E5000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.8.dr	String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: rundll32.exe, 00000006.00000003.15725259867.0000000004E4C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.15734862879.00000000046E5000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.8.dr	String found in binary or memory: http://wixtoolset.org/news/
Source: rundll32.exe, 00000006.00000003.15725259867.0000000004E4C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.15734862879.00000000046E5000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.8.dr	String found in binary or memory: http://wixtoolset.org/releases/
Source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.newtonsoft.com/jsonschema
Source: BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: ZMGCCB7.tmp.7.dr	String found in binary or memory: https://accounts.firefox.com/
Source: BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008034000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://accounts.firefox.com/settings/clients
Source: BingWallpaperApp.exe, 00000007.00000002.20787414474.0000000008077000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: BingWallpaperApp.exe, 00000007.00000002.20787414474.0000000008077000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com:443
Source: ZMGCCB7.tmp.7.dr	String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/
Source: BingWallpaperApp.exe, 00000007.00000002.20763575170.00000000011D8000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/language-tools/
Source: BingWallpaperApp.exe, 00000007.00000002.20786778082.0000000008001000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search-engines/
Source: BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%
Source: BingWallpaperApp.exe, 00000007.00000002.20787414474.000000000808F000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/themes
Source: BingWallpaperApp.exe, 00000007.00000002.20787414474.000000000808F000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/themes/
Source: ZMGCCB7.tmp.7.dr	String found in binary or memory: https://apps.apple.com/app/firefox-private-safe-browser/id989804926
Source: ZMGCCB7.tmp.7.dr	String found in binary or memory: https://apps.apple.com/us/app/firefox-private-network-vpn/id1489407738
Source: BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL
Source: BingWallpaperApp.exe, 00000007.00000002.20765836667.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bgteamtestapp.azurewebsites.net/api/BWC/getnotificationtext?
Source: BingWallpaperApp.exe, 00000007.00000002.20765836667.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15931787350.0000000003458000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bgteamtestapp.azurewebsites.net/api/BWC/getnotificationtext?3
Source: BingWallpaperApp.exe, 00000007.00000002.20765836667.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15931787350.0000000003458000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bgteamtestapp.azurewebsites.net/api/BWC/getnotificationvartype?
Source: BingWallpaperApp.exe, 00000007.00000002.20765836667.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15931787350.0000000003458000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bgteamtestapp.azurewebsites.net/api/COSMOSIntermediateAPI/SendPing?
Source: BingWallpaperApp.exe, 00000007.00000002.20765836667.000000000329E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bingwallpaperimages.azureedge.net
Source: BingWallpaperApp.exe, 00000007.00000002.20765836667.000000000329E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bingwallpaperimages.azureedge.net/hpimages/Latest/3840x2160/20241206.jpg
Source: BingWallpaperApp.exe, 00000007.00000002.20765836667.000000000329E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bingwallpaperimages.azureedge.net/hpimages/Latest/3840x2160/20241207.jpg
Source: BingWallpaperApp.exe, 00000007.00000002.20765836667.000000000329E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bingwallpaperimages.azureedge.net/hpimages/Latest/3840x2160/20241208.jpg
Source: BingWallpaperApp.exe, 00000007.00000002.20765836667.000000000329E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bingwallpaperimages.azureedge.net/hpimages/Latest/3840x2160/20241209.jpg
Source: BingWallpaperApp.exe, 00000007.00000002.20765836667.000000000329E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bingwallpaperimages.azureedge.net/hpimages/Latest/3840x2160/20241210.jpg
Source: BingWallpaperApp.exe, 00000007.00000002.20765836667.000000000329E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bingwallpaperimages.azureedge.net/hpimages/Latest/3840x2160/20241211.jpg
Source: BingWallpaperApp.exe, 00000007.00000002.20765836667.000000000329E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bingwallpaperimages.azureedge.net/hpimages/Latest/3840x2160/20241212.jpg
Source: BingWallpaperApp.exe, 00000007.00000002.20765836667.000000000329E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bingwallpaperimages.azureedge.net/hpimages/Latest/3840x2160/20241213.jpg
Source: BingWallpaperApp.exe, 00000007.00000002.20765836667.0000000003782000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20765836667.0000000003325000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20765836667.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20765836667.000000000345D000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20765836667.0000000003770000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20765836667.000000000328E000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://bingwallpaperimages.blob.core.windows.net/bwapp/images/MSB-Dark-Logo.png
Source: BingWallpaperApp.exe, 00000007.00000002.20765836667.0000000003782000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20765836667.000000000345D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bingwallpaperimages.blob.core.windows.net/bwapp/images/MSB-Dark-Logo.pngX
Source: BingWallpaperApp.exe, 00000007.00000002.20765836667.0000000003782000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20765836667.0000000003325000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20765836667.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20765836667.000000000345D000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20765836667.0000000003770000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20765836667.000000000328E000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://bingwallpaperimages.blob.core.windows.net/bwapp/images/MSB-Light-Logo.png
Source: BingWallpaperApp.exe, 00000007.00000002.20765836667.0000000003782000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20765836667.000000000345D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bingwallpaperimages.blob.core.windows.net/bwapp/images/MSB-Light-Logo.pngX
Source: BingWallpaperApp.exe, 00000007.00000002.20788129976.0000000008193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: BingWallpaperApp.exe, 0000000A.00000002.15931787350.0000000003458000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore/detail/
Source: BingWallpaperApp.exe, 00000007.00000002.20788129976.0000000008193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore06
Source: BingWallpaperApp.exe, 0000000A.00000002.15931787350.0000000003458000.00000004.00000800.00020000.00000000.sdmp, BWCStartMSI.exe.0.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxw
Source: ZMGCCB7.tmp.7.dr	String found in binary or memory: https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f
Source: ZMGCCB7.tmp.7.dr	String found in binary or memory: https://content.cdn.mozilla.net
Source: BingWallpaperApp.exe, 00000007.00000002.20787285635.0000000008059000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://coverage.mozilla.org
Source: BingWallpaperApp.exe, 00000007.00000002.20787285635.0000000008059000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://crash-stats.mozilla.org/report/index/
Source: BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: BingWallpaperApp.exe, 00000007.00000002.20787414474.0000000008077000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008034000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20788129976.0000000008193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008034000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20788129976.0000000008193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008034000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20788129976.0000000008193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008034000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20788129976.0000000008193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008034000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20788129976.0000000008193000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20790525695.000000000AC04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008034000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20788129976.0000000008193000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20790525695.000000000AC04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008034000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20790525695.000000000AC04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008034000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20790525695.000000000AC04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-staging.corp.google.
Source: BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008034000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20790525695.000000000AC04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-staging.corp.google.com/
Source: BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006272000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?usp=chrome_app
Source: BingWallpaperApp.exe, 00000007.00000002.20788129976.0000000008193000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20787285635.0000000008059000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20788129976.00000000081A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/settings
Source: BingWallpaperApp.exe, 00000007.00000002.20763575170.000000000124E000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://fpn.firefox.com/browser?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-pr
Source: BingWallpaperApp.exe, 00000007.00000002.20787722631.00000000080E9000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://ideas.mozilla.org/
Source: ZMGCCB7.tmp.7.dr	String found in binary or memory: https://install.mozilla.org
Source: BingWallpaperApp.exe, 00000007.00000002.20787285635.0000000008059000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://mitmdetection.services.mozilla.com/
Source: BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://monitor.firefox.com/
Source: ZMGCCB7.tmp.7.dr	String found in binary or memory: https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections
Source: BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008034000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://monitor.firefox.com/about
Source: ZMGCCB7.tmp.7.dr	String found in binary or memory: https://monitor.firefox.com/breach-details/
Source: BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect
Source: ZMGCCB7.tmp.7.dr	String found in binary or memory: https://monitor.firefox.com/user/breach-stats?includeResolved=true
Source: BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008034000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://monitor.firefox.com/user/dashboard
Source: BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008034000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://monitor.firefox.com/user/preferences
Source: BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008034000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://normandy.cdn.mozilla.net/api/v1
Source: BingWallpaperApp.exe, BingWallpaperApp.exe, 00000007.00000002.20765836667.0000000003754000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.com/edge/ntp
Source: BingWallpaperApp.exe, 00000007.00000002.20765836667.0000000003754000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.com/edge/ntpLR
Source: BingWallpaperApp.exe, 00000007.00000002.20787414474.00000000080AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.com/edge/ntpak/
Source: BingWallpaperApp.exe, 00000007.00000002.20787414474.00000000080AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.com/edge/ntpco$
Source: BingWallpaperApp.exe, 00000007.00000002.20765836667.000000000375E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.com/edge/ntpd
Source: BingWallpaperApp.exe, 00000007.00000002.20765836667.0000000003756000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.com/edge/ntplB
Source: BingWallpaperApp.exe, 00000007.00000002.20787414474.00000000080AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.com/edge/ntpni
Source: BingWallpaperApp.exe, 00000007.00000002.20765836667.000000000375E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.com/edge/ntpt-
Source: BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008034000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://oauth.accounts.firefox.com/v1
Source: BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: BingWallpaperApp.exe, 00000007.00000002.20787285635.0000000008059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd?lcid=1033&syslcid=2057&uilcid=1033&app=1&ver=16&build=1
Source: BingWallpaperApp.exe, 00000007.00000002.20787285635.0000000008059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://payments.google.com/
Source: BingWallpaperApp.exe, 00000007.00000002.20787722631.00000000080E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: ZMGCCB7.tmp.7.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r
Source: BingWallpaperApp.exe, 00000007.00000002.20786778082.0000000007FD0000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-
Source: BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008034000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://profile.accounts.firefox.com/v1
Source: BingWallpaperApp.exe, 00000007.00000002.20787285635.0000000008059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sandbox.google.com/
Source: BingWallpaperApp.exe, 00000007.00000002.20787722631.00000000080E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: BingWallpaperApp.exe, 00000007.00000002.20790378741.000000000ABDF000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20787414474.0000000008077000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org:443
Source: ZMGCCB7.tmp.7.dr	String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/language-tools/?app=firefox&type=language&appversi
Source: BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%
Source: BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://services.addons.mozilla.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION%
Source: ZMGCCB7.tmp.7.dr	String found in binary or memory: https://snippets.cdn.mozilla.net/%STARTPAGE_VERSION%/%NAME%/%VERSION%/%APPBUILDID%/%BUILD_TARGET%/%L
Source: BingWallpaperApp.exe, 00000007.00000002.20787414474.00000000080AB000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20787414474.0000000008077000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: ZMGCCB7.tmp.7.dr	String found in binary or memory: https://support.mozilla.org
Source: BingWallpaperApp.exe, 00000007.00000002.20786778082.0000000008001000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://support.mozilla.org/%LOCALE%/kb/accessibility-services
Source: BingWallpaperApp.exe, 00000007.00000002.20786778082.0000000008001000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
Source: ZMGCCB7.tmp.7.dr	String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report
Source: ZMGCCB7.tmp.7.dr	String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cryptominers-report
Source: BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report
Source: ZMGCCB7.tmp.7.dr	String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/nightly-error-collection
Source: BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report
Source: BingWallpaperApp.exe, 00000007.00000002.20786778082.0000000008001000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab
Source: ZMGCCB7.tmp.7.dr	String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield
Source: BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report
Source: ZMGCCB7.tmp.7.dr	String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report
Source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://system.data.sqlite.org/
Source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://system.data.sqlite.org/X
Source: ZMGCCB7.tmp.7.dr	String found in binary or memory: https://token.services.mozilla.com/1.0/sync/1.5
Source: BingWallpaperApp.exe, 00000007.00000002.20787285635.0000000008059000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://topsites.services.mozilla.com/cid/
Source: BingWallpaperApp.exe, 00000007.00000002.20788129976.00000000081B6000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://tracking-protection-issues.herokuapp.com/new
Source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://urn.to/r/sds_see
Source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://urn.to/r/sds_see=isolation
Source: BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008020000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM
Source: BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID
Source: ZMGCCB7.tmp.7.dr	String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-%CHANNEL%-browser&utm_campaig
Source: ZMGCCB7.tmp.7.dr	String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=about-pr
Source: BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://wiki.mozilla.org/Addons/Extension_Signing
Source: BingWallpaperApp.exe, 00000007.00000002.20782232342.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: BingWallpaperApp.exe, 00000007.00000002.20790378741.000000000ABDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org:443
Source: BingWallpaperApp.exe, 00000007.00000002.20787722631.00000000080E9000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20787285635.0000000008059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: BingWallpaperApp.exe, 00000007.00000002.20787414474.0000000008077000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=at
Source: BingWallpaperApp.exe, 00000007.00000002.20787414474.0000000008077000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=firefox
Source: BingWallpaperApp.exe, 00000007.00000002.20790378741.000000000ABDF000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20787414474.0000000008077000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com:443
Source: BingWallpaperApp.exe, 00000007.00000002.20787722631.00000000080E9000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20787285635.0000000008059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: BingWallpaperApp.exe, 00000007.00000002.20787722631.00000000080E9000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20787414474.000000000808F000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: BingWallpaperApp.exe, 00000007.00000002.20787722631.00000000080E9000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20787414474.000000000808F000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: BingWallpaperApp.exe, 00000007.00000002.20787414474.0000000008077000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstoreY&-
Source: BingWallpaperApp.exe, 00000007.00000002.20787722631.00000000080E9000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20787414474.000000000808F000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: BingWallpaperApp.exe, 00000007.00000002.20787722631.00000000080E9000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20787414474.000000000808F000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: BingWallpaperApp.exe, 00000007.00000002.20787414474.0000000008077000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox4Gz-
Source: BingWallpaperApp.exe, 00000007.00000002.20771265816.00000000049D5000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.microsoftnews.com/?pc=__PARAM__&ocid=MNHP___PARAM__
Source: BingWallpaperApp.exe, 00000007.00000002.20765836667.000000000345D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.microsoftnews.com/?pc=__PARAM__&ocid=MNHP___PARAM__X
Source: BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008034000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/
Source: BingWallpaperApp.exe, 00000007.00000002.20763575170.000000000124E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medi
Source: BingWallpaperApp.exe, 00000007.00000002.20787414474.000000000808F000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/tour/
Source: BingWallpaperApp.exe, 00000007.00000002.20787414474.00000000080AB000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/geolocation/
Source: BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008034000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/notes
Source: BingWallpaperApp.exe, 00000007.00000002.20787285635.0000000008059000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/xr/
Source: ZMGCCB7.tmp.7.dr	String found in binary or memory: https://www.mozilla.org/firefox/android/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: ZMGCCB7.tmp.7.dr	String found in binary or memory: https://www.mozilla.org/firefox/ios/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campa
Source: ZMGCCB7.tmp.7.dr	String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html
Source: ZMGCCB7.tmp.7.dr	String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#crash-reporter
Source: BingWallpaperApp.exe, 00000007.00000002.20763575170.000000000124E000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: BingWallpaperApp.exe, 00000007.00000002.20771265816.00000000049D5000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.msn.com/?pc=__PARAM__&ocid=MSNHP___PARAM__
Source: BingWallpaperApp.exe, 00000007.00000002.20765836667.000000000345D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/?pc=__PARAM__&ocid=MSNHP___PARAM__X
Source: BingWallpaperApp.exe, 00000007.00000002.20782232342.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/json
Source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: BingWallpaperApp.exe, 00000007.00000002.20782232342.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.sqlite.org/copyright.html2

Spam, unwanted Advertisements and Ransom Demands

Changes the wallpaper picture

Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe

Key value created or modified: HKEY_CURRENT_USER\Control Panel\Desktop Wallpaper C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\WPImages\20241213.jpg

Jump to behavior

System Summary

PE file contains section with special chars

Source: BWCUpdater.exe.4.dr

Static PE information: section name: d~_<.

PE file has nameless sections

Source: BingWallpaperApp.exe.4.dr	Static PE information: section name:
Source: BWCUpdater.exe.4.dr	Static PE information: section name:

Abnormal high CPU Usage

Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe

Process Stats: CPU usage > 6%

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\BWCStartMSI.exe

Code function: 0_2_00951F9B GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,

0_2_00951F9B

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\7d3d28.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{240D9941-B463-4B9C-B483-7129740B9AC1}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3F6A.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\7d3d2b.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\7d3d2b.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4343.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI472C.tmp	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI4343.tmp-	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI4343.tmp-\CustomActions.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI4343.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI4343.tmp-\CustomAction.config	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI4343.tmp-\DispatchQueue.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI472C.tmp-	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI472C.tmp-\CustomActions.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI472C.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI472C.tmp-\CustomAction.config	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI472C.tmp-\DispatchQueue.dll	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\7d3d2b.msi

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\BWCStartMSI.exe	Code function: 0_2_00953B8E	0_2_00953B8E
Source: C:\Users\user\Desktop\BWCStartMSI.exe	Code function: 0_2_00955C50	0_2_00955C50
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BECDBD3	7_2_6BECDBD3
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BEE9960	7_2_6BEE9960
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BEEE930	7_2_6BEEE930
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF148C0	7_2_6BF148C0
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BECBF50	7_2_6BECBF50
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF87F10	7_2_6BF87F10
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BEC8E90	7_2_6BEC8E90
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BEE7D20	7_2_6BEE7D20
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF1AC70	7_2_6BF1AC70
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF150E0	7_2_6BF150E0
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF5B0B0	7_2_6BF5B0B0
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BEDB750	7_2_6BEDB750
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BECE710	7_2_6BECE710
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF15650	7_2_6BF15650
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BECB5BD	7_2_6BECB5BD
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF6B590	7_2_6BF6B590
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF2FB0A	7_2_6BF2FB0A
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BEFFAF0	7_2_6BEFFAF0
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF7EAC0	7_2_6BF7EAC0
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF17A90	7_2_6BF17A90
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF26A60	7_2_6BF26A60
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF56A40	7_2_6BF56A40
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF6C9DE	7_2_6BF6C9DE
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF7D9C0	7_2_6BF7D9C0
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF3B910	7_2_6BF3B910
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF058C0	7_2_6BF058C0
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF288B0	7_2_6BF288B0
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BEE2870	7_2_6BEE2870
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF23F00	7_2_6BF23F00
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF8BEF0	7_2_6BF8BEF0
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF09DC8	7_2_6BF09DC8
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF39D80	7_2_6BF39D80
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF3CD60	7_2_6BF3CD60
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF08CC0	7_2_6BF08CC0
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF4ACB0	7_2_6BF4ACB0
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF0ACA0	7_2_6BF0ACA0
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF24C80	7_2_6BF24C80
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF73C70	7_2_6BF73C70
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BEF4C60	7_2_6BEF4C60
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF75C60	7_2_6BF75C60
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF7C3F0	7_2_6BF7C3F0
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF8C360	7_2_6BF8C360
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BFA62F0	7_2_6BFA62F0
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF552E0	7_2_6BF552E0
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BFAD290	7_2_6BFAD290
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BFAB259	7_2_6BFAB259
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF5A1D0	7_2_6BF5A1D0
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BEF6190	7_2_6BEF6190
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF0C060	7_2_6BF0C060
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF79020	7_2_6BF79020
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BED2030	7_2_6BED2030
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF8A010	7_2_6BF8A010
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF387A0	7_2_6BF387A0
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF23790	7_2_6BF23790
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF02730	7_2_6BF02730
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF30738	7_2_6BF30738
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF48720	7_2_6BF48720
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF7D710	7_2_6BF7D710
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BEC4700	7_2_6BEC4700
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF206D0	7_2_6BF206D0
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF0D6B0	7_2_6BF0D6B0
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF2A6A0	7_2_6BF2A6A0
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF39680	7_2_6BF39680
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF06660	7_2_6BF06660
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BFB4653	7_2_6BFB4653
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF1F640	7_2_6BF1F640
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF4E620	7_2_6BF4E620
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF6A610	7_2_6BF6A610
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF0E5E0	7_2_6BF0E5E0
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF5B5E0	7_2_6BF5B5E0
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF1E5C0	7_2_6BF1E5C0
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF7A560	7_2_6BF7A560
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF78540	7_2_6BF78540
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BF34510	7_2_6BF34510
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_6CF5E6AD	8_2_6CF5E6AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_6CF6199B	8_2_6CF6199B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_6CF6A188	8_2_6CF6A188
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_6CF65236	8_2_6CF65236
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_6CF5CA20	8_2_6CF5CA20
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 10_2_01815098	10_2_01815098
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 10_2_01814C08	10_2_01814C08
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 10_2_01816040	10_2_01816040
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 10_2_0181694D	10_2_0181694D
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 10_2_01816950	10_2_01816950
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 10_2_01817400	10_2_01817400
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 10_2_01814B8C	10_2_01814B8C
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 10_2_01817BA9	10_2_01817BA9
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 10_2_018177B7	10_2_018177B7
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 10_2_01817BB8	10_2_01817BB8
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 10_2_018177C8	10_2_018177C8
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 10_2_01815FCD	10_2_01815FCD
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 10_2_018173F0	10_2_018173F0
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 10_2_01815F57	10_2_01815F57
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 10_2_01814B61	10_2_01814B61
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 11_2_03294C08	11_2_03294C08
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 11_2_03296040	11_2_03296040
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 11_2_03295098	11_2_03295098
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 11_2_03294B61	11_2_03294B61
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 11_2_03295F5B	11_2_03295F5B
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 11_2_03297BA9	11_2_03297BA9
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 11_2_03297BB8	11_2_03297BB8
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 11_2_032977B7	11_2_032977B7
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 11_2_032973F0	11_2_032973F0
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 11_2_032977C8	11_2_032977C8
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 11_2_03294BD1	11_2_03294BD1
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 11_2_03296942	11_2_03296942
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 11_2_03296950	11_2_03296950
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 11_2_03297400	11_2_03297400
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 11_2_03293857	11_2_03293857

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CF599F0 appears 34 times
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: String function: 6BF0A660 appears 46 times
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: String function: 6BF26FB0 appears 34 times
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: String function: 6BF23340 appears 33 times
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: String function: 6BFA3B5E appears 87 times
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: String function: 6BF0B330 appears 169 times
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: String function: 6BF0AA30 appears 156 times
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: String function: 6BFA3F30 appears 42 times

PE file contains executable resources (Code or Archives)

Source: BWCStartMSI.exe

Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 8385503 bytes, 2 files, at 0x2c +A "BWCStartMSI.exe" +A "BWCInstaller.msi", ID 2884, number 1, 265 datablocks, 0x1503 compression

Sample file is different than original file name gathered from version info

Source: BWCStartMSI.exe, 00000000.00000003.15704067824.000000000558C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCustomActions.dll< vs BWCStartMSI.exe
Source: BWCStartMSI.exe, 00000000.00000003.15704067824.000000000558C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSfxCA.dll\ vs BWCStartMSI.exe
Source: BWCStartMSI.exe, 00000002.00000002.15744574604.0000000001193000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs BWCStartMSI.exe
Source: BWCStartMSI.exe	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUI8 vs BWCStartMSI.exe
Source: BWCStartMSI.exe	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs BWCStartMSI.exe

Uses 32bit PE files

Source: BWCStartMSI.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: BWCUpdater.exe.4.dr

Static PE information: Section: d~_<. ZLIB complexity 1.0003294427710843

Source: BWCStartMSI.exe, 7d3d28.msi.4.dr, 7d3d2b.msi.4.dr

Binary or memory string: ef.SLN

Source: classification engine

Classification label: mal54.rans.troj.spyw.evad.winEXE@17/55@1/0

Source: C:\Users\user\Desktop\BWCStartMSI.exe

Code function: 0_2_00953FDB CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,FormatMessageA,

0_2_00953FDB

Source: C:\Users\user\Desktop\BWCStartMSI.exe

Code function: 0_2_00951F9B GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,

0_2_00951F9B

Source: C:\Users\user\Desktop\BWCStartMSI.exe

Code function: 0_2_00955933 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,

0_2_00955933

Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe

Code function: 7_2_6BEC5210 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

7_2_6BEC5210

Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe

Code function: 7_2_6BECADF0 GetLocalTime,CoInitialize,CoCreateInstance,CoUninitialize,

7_2_6BECADF0

Source: C:\Users\user\Desktop\BWCStartMSI.exe

Code function: 0_2_00952CA1 memset,memset,memset,CreateEventA,SetEvent,CreateMutexA,GetLastError,CloseHandle,FindResourceA,LoadResource,

0_2_00952CA1

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BWCStartMSI.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{ab6e8462-c2b9-4c08-be49-a7f3e53a9aab}

Source: C:\Users\user\Desktop\BWCStartMSI.exe

File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP

Jump to behavior

Source: C:\Users\user\Desktop\BWCStartMSI.exe

Command line argument: Kernel32.dll

0_2_00952BF2

Source: BWCStartMSI.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\BWCStartMSI.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI4343.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_8209281 2 CustomActions!CustomActions.CustomActions.StartApp

Source: BingWallpaperApp.exe, BingWallpaperApp.exe, 00000007.00000002.20771265816.00000000041D1000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp, BrowserSettings.dll.7.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: BingWallpaperApp.exe, BingWallpaperApp.exe, 00000007.00000002.20771265816.00000000041D1000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp, BrowserSettings.dll.7.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: BingWallpaperApp.exe, BingWallpaperApp.exe, 00000007.00000002.20771265816.00000000041D1000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp, BrowserSettings.dll.7.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: BingWallpaperApp.exe, BingWallpaperApp.exe, 00000007.00000002.20771265816.00000000041D1000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp, BrowserSettings.dll.7.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: BingWallpaperApp.exe, BingWallpaperApp.exe, 00000007.00000002.20771265816.00000000041D1000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp, BrowserSettings.dll.7.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: BingWallpaperApp.exe, 00000007.00000002.20771265816.00000000041D1000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp, BrowserSettings.dll.7.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: BingWallpaperApp.exe, BingWallpaperApp.exe, 00000007.00000002.20771265816.00000000041D1000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp, BrowserSettings.dll.7.dr	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: unknown	Process created: C:\Users\user\Desktop\BWCStartMSI.exe "C:\Users\user\Desktop\BWCStartMSI.exe"
Source: C:\Users\user\Desktop\BWCStartMSI.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /q /i BWCInstaller.msi /norestart
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 1E7C6F8FE305CF59FC9AE1ED4206AF89
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI4343.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_8209281 2 CustomActions!CustomActions.CustomActions.StartApp
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe "C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI472C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_8210250 8 CustomActions!CustomActions.CustomActions.InstallPing
Source: unknown	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Source: unknown	Process created: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe "C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe "C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe"
Source: C:\Users\user\Desktop\BWCStartMSI.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /q /i BWCInstaller.msi /norestart	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 1E7C6F8FE305CF59FC9AE1ED4206AF89	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI4343.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_8209281 2 CustomActions!CustomActions.CustomActions.StartApp	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI472C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_8210250 8 CustomActions!CustomActions.CustomActions.InstallPing	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe "C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe"	Jump to behavior

Source: C:\Users\user\Desktop\BWCStartMSI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BWCStartMSI.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\BWCStartMSI.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\BWCStartMSI.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BWCStartMSI.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\BWCStartMSI.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BWCStartMSI.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\BWCStartMSI.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\BWCStartMSI.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\BWCStartMSI.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\BWCStartMSI.exe	Section loaded: advpack.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: sensapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Section loaded: gpapi.dll

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Jump to behavior

Source: Bing Wallpaper.lnk.4.dr

LNK file: ..\..\..\..\..\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

PE / OLE file has a valid certificate

Source: BWCStartMSI.exe

Static PE information: certificate valid

PE /OLE file has a valid certificate with Microsoft as Issuer

Source: initial sample

Static PE information: Valid certificate with Microsoft Issuer

Submission file is bigger than most known malware samples

Source: BWCStartMSI.exe

Static file information: File size 8543800 > 1048576

PE file has a big raw section

Source: BWCStartMSI.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x81b000

PE file contains a mix of data directories often seen in goodware

Source: BWCStartMSI.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: BWCStartMSI.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: BWCStartMSI.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: BWCStartMSI.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: BWCStartMSI.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: BWCStartMSI.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: BWCStartMSI.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: BWCStartMSI.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: /_/Src/Newtonsoft.Json.Schema/obj/Release/net45/Newtonsoft.Json.Schema.pdb source: BingWallpaperApp.exe, 00000007.00000002.20785745454.0000000007F10000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json.Schema/obj/Release/net45/Newtonsoft.Json.Schema.pdbSHA256 source: BingWallpaperApp.exe, 00000007.00000002.20785745454.0000000007F10000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: BWCUpdater.pdb source: BWCUpdater.exe.4.dr
Source:	Binary string: D:\Ramesh\VSTS\BingGrowthApps\Installers\BWCInstaller\Common\CustomActions\obj\x86\Release\CustomActions.pdb source: rundll32.exe, 00000006.00000003.15725259867.0000000004E4C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.15734862879.00000000046E5000.00000004.00000020.00020000.00000000.sdmp, CustomActions.dll.6.dr, CustomActions.dll.8.dr
Source:	Binary string: wextract.pdb source: BWCStartMSI.exe
Source:	Binary string: D:\Ramesh\VSTS\BingGrowthApps\Installers\BWCInstaller\Common\CustomActions\obj\x86\Release\CustomActions.pdbPkjk \k_CorDllMainmscoree.dll source: rundll32.exe, 00000006.00000003.15725259867.0000000004E4C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.15734862879.00000000046E5000.00000004.00000020.00020000.00000000.sdmp, CustomActions.dll.6.dr, CustomActions.dll.8.dr
Source:	Binary string: wextract.pdbGCTL source: BWCStartMSI.exe
Source:	Binary string: D:\UNIWIN CLONE\Applications\DefaultOffer_V2\Release\BrowserSettings.pdb source: BingWallpaperApp.exe, 00000007.00000002.20771265816.00000000041D1000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp, BrowserSettings.dll.7.dr
Source:	Binary string: D:\Ramesh\VSTS\BingGrowthApps\Applications\BingWallpaperApp\Release\CryptFile.pdb source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Projects\SourceCode\BGA-Repo\Applications\BingWallpaperApp\Release\DispatchQueue.pdb source: rundll32.exe, 00000006.00000003.15725421874.000000000316B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.15725259867.0000000004E7C000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20793536348.000000006DA0C000.00000002.00000001.01000000.00000013.sdmp, rundll32.exe, 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmp, rundll32.exe, 00000008.00000003.15735175327.0000000002A8D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.15734862879.0000000004715000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp, DispatchQueue.dll.7.dr, DispatchQueue.dll.6.dr, DispatchQueue.dll.8.dr
Source:	Binary string: D:\UNIWIN CLONE\Applications\DefaultOffer_V2\Release\BrowserSettings.pdbT source: BingWallpaperApp.exe, 00000007.00000002.20771265816.00000000041D1000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp, BrowserSettings.dll.7.dr
Source:	Binary string: D:\VSTS\BG\Libraries\EEISilentInstallerLib\obj\Release\EEISilentInstallerLib.pdb source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: BingWallpaperApp.exe, 00000007.00000002.20782232342.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\dev\sqlite\dotnet-private\obj\2015\System.Data.SQLite.2015\Release\System.Data.SQLite.pdb source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\v-arushgupta\source\repos\BingGrowthApps\Installers\BWCStartMSI\BWCStartMSI\obj\Release\BWCStartMSI.pdb source: BWCStartMSI.exe, 00000002.00000000.15704651755.0000000000D12000.00000002.00000001.01000000.00000004.sdmp, BWCStartMSI.exe.0.dr
Source:	Binary string: ~C:\agent\_work\8\s\build\ship\x86\SfxCA.pdb source: BWCStartMSI.exe, 00000000.00000003.15704067824.0000000005582000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: rundll32.exe, 00000006.00000003.15725259867.0000000004E4C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.15734862879.00000000046E5000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.8.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000006.00000003.15725259867.0000000004E4C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.15734862879.00000000046E5000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.8.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256^Y source: BingWallpaperApp.exe, 00000007.00000002.20782232342.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\dev\sqlite\dotnet-private\bin\2015\Win32\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\SfxCA.pdb source: BWCStartMSI.exe, 00000000.00000003.15704067824.0000000005582000.00000004.00000020.00020000.00000000.sdmp, 7d3d28.msi.4.dr, MSI4343.tmp.4.dr, 7d3d2b.msi.4.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 7.2.BingWallpaperApp.exe.5b70000.1.raw.unpack, LateBoundReflectionDelegateFactory.cs	.Net Code: CreateDefaultConstructor
Source: 7.2.BingWallpaperApp.exe.5b70000.1.raw.unpack, DynamicUtils.cs	.Net Code: CreateSharpArgumentInfoArray
Source: 7.2.BingWallpaperApp.exe.7f10000.2.raw.unpack, LateBoundReflectionDelegateFactory.cs	.Net Code: CreateDefaultConstructor

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\BWCStartMSI.exe

Code function: 0_2_00952F10 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,

0_2_00952F10

PE file contains an invalid checksum

Source: CustomActions.dll.8.dr	Static PE information: real checksum: 0x0 should be: 0xdad6
Source: CustomActions.dll.6.dr	Static PE information: real checksum: 0x0 should be: 0xdad6
Source: BWCStartMSI.exe	Static PE information: real checksum: 0x827ecb should be: 0x82f839

PE file contains sections with non-standard names

Source: BingWallpaperApp.exe.4.dr	Static PE information: section name: .7.T
Source: BingWallpaperApp.exe.4.dr	Static PE information: section name:
Source: BWCUpdater.exe.4.dr	Static PE information: section name: d~_<.
Source: BWCUpdater.exe.4.dr	Static PE information: section name:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BFA3B3B push ecx; ret	7_2_6BFA3B4E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_6CF6A893 push ecx; ret	8_2_6CF6A8A6
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 10_2_01811509 push D9FFFFFDh; iretd	10_2_0181150E
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 10_2_0181588A push ds; iretd	10_2_0181588C
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 10_2_01812219 push ecx; retf	10_2_0181221A
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 10_2_0181221C push ecx; retf	10_2_01812224
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 10_2_01814E78 pushfd ; ret	10_2_01815039
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 11_2_03292219 push ecx; retf	11_2_0329221A
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 11_2_0329221C push ecx; retf	11_2_03292224
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 11_2_03294E70 pushfd ; ret	11_2_03295039
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 11_2_03291509 push D9FFFFFDh; iretd	11_2_0329150E
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 11_2_0329588A push ds; iretd	11_2_0329588C

Source: BWCUpdater.exe.4.dr

Static PE information: section name: d~_<. entropy: 7.999519010773929

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\BWCStartMSI.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4343.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI4343.tmp-\CustomActions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	File created: C:\Users\user\AppData\Local\Microsoft\BGAHelperLib\BrowserSettings.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI472C.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BWCUpdater.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI472C.tmp-\DispatchQueue.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI472C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	File created: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\DispatchQueue.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI4343.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI472C.tmp-\CustomActions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI4343.tmp-\DispatchQueue.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4343.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI4343.tmp-\CustomActions.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI472C.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI472C.tmp-\DispatchQueue.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI472C.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI4343.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI472C.tmp-\CustomActions.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI4343.tmp-\DispatchQueue.dll	Jump to dropped file

Source: C:\Users\user\Desktop\BWCStartMSI.exe	Code function: 0_2_00951B04 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,		0_2_00951B04
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BEED970 GetPrivateProfileStringW,CompareStringW,GetPrivateProfileStringW,CompareStringW,		7_2_6BEED970

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bing Wallpaper.lnk

Jump to behavior

Source: C:\Users\user\Desktop\BWCStartMSI.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\BWCStartMSI.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\BWCStartMSI.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\BWCStartMSI.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BingWallpaperApp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BingWallpaperApp	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Memory allocated: 2FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Memory allocated: 3180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Memory allocated: 5180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: 3000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: 31D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: 51D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: 5840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: 6840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: 6970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: 7970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: 7BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: 8BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: A790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: B790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: BC20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: 1810000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: 3440000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: 3250000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: 5B10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: 6B10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: 6C40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: 7C40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: 7E90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: 8E90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: AA20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: BA20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: BEB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: 3250000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: 3410000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: 5410000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: 5A40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: 6A40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: 6B70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: 7B70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: 7DC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: 8DC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: A990000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: B990000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Memory allocated: BE20000 memory reserve \| memory write watch

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe

Code function: 7_2_6BEC5210 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

7_2_6BEC5210

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Window / User API: threadDelayed 406			Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Window / User API: threadDelayed 8938			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI4343.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI4343.tmp-\CustomActions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\BGAHelperLib\BrowserSettings.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI472C.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI472C.tmp-\DispatchQueue.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BWCUpdater.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI472C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\DispatchQueue.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI4343.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI472C.tmp-\CustomActions.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI4343.tmp-\DispatchQueue.dll	Jump to dropped file

Found evasive API chain checking for process token information

Source: C:\Users\user\Desktop\BWCStartMSI.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-2350

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe TID: 3036	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe TID: 5476	Thread sleep time: -406000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe TID: 1244	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe TID: 5476	Thread sleep time: -8938000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe TID: 1244	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe TID: 5040	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe TID: 7608	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe TID: 5924	Thread sleep time: -922337203685477s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe

Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\BWCStartMSI.exe	Code function: 0_2_00952395 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00952395
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BEDC660 FindFirstFileW,FindNextFileW,FindClose,	7_2_6BEDC660
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BED8580 FindFirstFileW,FindNextFileW,FindClose,FindClose,	7_2_6BED8580
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_6CF537BF RegOpenKeyExW,RegCreateKeyExW,RegSetValueExW,RegCloseKey,SHGetFolderPathAndSubDirW,FindFirstFileW,FindNextFileW,FindClose,	8_2_6CF537BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_6CF62D02 FindFirstFileExW,	8_2_6CF62D02
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_6CF53FC7 FindFirstFileW,FindNextFileW,FindClose,	8_2_6CF53FC7

Source: C:\Users\user\Desktop\BWCStartMSI.exe

Code function: 0_2_00955423 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,

0_2_00955423

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Thread delayed: delay time: 922337203685477

Source: BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006272000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.15741067226.0000000002B15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.15741067226.0000000002B40000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe

Code function: 7_2_6BFA7AA3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_6BFA7AA3

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe

Code function: 7_2_6BEC5210 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

7_2_6BEC5210

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\BWCStartMSI.exe

Code function: 0_2_00952F10 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,

0_2_00952F10

Contains functionality to read the PEB

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_6CF5F7D2 mov ecx, dword ptr fs:[00000030h]		8_2_6CF5F7D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_6CF629A7 mov eax, dword ptr fs:[00000030h]		8_2_6CF629A7

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe

Code function: 7_2_6BEC67C0 OpenProcess,OpenProcessToken,CloseHandle,GetTokenInformation,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,LookupAccountSidW,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,CloseHandle,

7_2_6BEC67C0

Enables debug privileges

Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\BWCStartMSI.exe	Code function: 0_2_00956C90 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00956C90
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BFA7AA3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_6BFA7AA3
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BFA393E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_6BFA393E
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: 7_2_6BFA3DB1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_6BFA3DB1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_6CF59657 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_6CF59657
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_6CF5C0E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_6CF5C0E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_6CF5986F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_6CF5986F

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /q /i BWCInstaller.msi /norestart			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe "C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe"			Jump to behavior

Source: C:\Users\user\Desktop\BWCStartMSI.exe

Code function: 0_2_009518C1 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle,

0_2_009518C1

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe

Code function: 7_2_6BFA3F75 cpuid

7_2_6BFA3F75

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: EnumSystemLocalesW,	7_2_6BFB8ABC
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: GetLocaleInfoEx,	7_2_6BFA2E46
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	7_2_6BFC2D9E
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: EnumSystemLocalesW,	7_2_6BFC3130
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: EnumSystemLocalesW,	7_2_6BFC3095
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: GetLocaleInfoW,	7_2_6BFB907F
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: EnumSystemLocalesW,	7_2_6BFC304A
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	7_2_6BFC3713
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_6BFC3537

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI4343.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI4343.tmp-\CustomActions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Dispatcher\DispatchQueueBWCApp.bin VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Dispatcher\DispatchQueueBWCApp.bin VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Program Files\Mozilla Firefox\browser\omni.ja VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Program Files\Mozilla Firefox\browser\omni.ja VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI472C.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI472C.tmp-\CustomActions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Dispatcher\DispatchQueueBWCInstaller.bin VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Dispatcher\DispatchQueueBWCInstaller.bin VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation

Source: C:\Users\user\Desktop\BWCStartMSI.exe

Code function: 0_2_00957105 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00957105

Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe

Code function: 7_2_6BFA8EC6 GetTimeZoneInformation,

7_2_6BFA8EC6

Source: C:\Users\user\Desktop\BWCStartMSI.exe

Code function: 0_2_00952BF2 GetVersion,GetModuleHandleW,GetProcAddress,CloseHandle,

0_2_00952BF2

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kzpbmws1.default\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\search.json	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Search Order Hijacking	1 DLL Search Order Hijacking	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	11 Registry Run Keys / Startup Folder	1 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 Process Injection	12 Software Packing	NTDS	37 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	31 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Search Order Hijacking	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Masquerading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	31 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	11 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Rundll32	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
BWCStartMSI.exe	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Microsoft\BGAHelperLib\BrowserSettings.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BWCUpdater.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\DispatchQueue.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe	0%	ReversingLabs
C:\Windows\Installer\MSI4343.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI4343.tmp-\CustomActions.dll	0%	ReversingLabs
C:\Windows\Installer\MSI4343.tmp-\DispatchQueue.dll	0%	ReversingLabs
C:\Windows\Installer\MSI4343.tmp-\Microsoft.Deployment.WindowsInstaller.dll	0%	ReversingLabs
C:\Windows\Installer\MSI472C.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI472C.tmp-\CustomActions.dll	0%	ReversingLabs
C:\Windows\Installer\MSI472C.tmp-\DispatchQueue.dll	0%	ReversingLabs
C:\Windows\Installer\MSI472C.tmp-\Microsoft.Deployment.WindowsInstaller.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://drive-daily-1.corp.google.com/	0%	Avira URL Cloud	safe
https://bgteamtestapp.azurewebsites.net/api/BWC/getnotificationvartype?	100%	Avira URL Cloud	malware
https://tracking-protection-issues.herokuapp.com/new	0%	Avira URL Cloud	safe
https://drive-daily-4.corp.google.com/	0%	Avira URL Cloud	safe
https://drive-daily-5.corp.google.com/	0%	Avira URL Cloud	safe
https://bgteamtestapp.azurewebsites.net/api/BWC/getnotificationtext?3	100%	Avira URL Cloud	malware
https://www.microsoftnews.com/?pc=__PARAM__&ocid=MNHP___PARAM__X	0%	Avira URL Cloud	safe
https://content.cdn.mozilla.net	0%	Avira URL Cloud	safe
http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v	0%	Avira URL Cloud	safe
https://drive-daily-2.corp.google.com/	0%	Avira URL Cloud	safe
https://drive-staging.corp.google.	0%	Avira URL Cloud	safe
https://bgteamtestapp.azurewebsites.net/api/COSMOSIntermediateAPI/SendPing?	100%	Avira URL Cloud	malware
https://www.newtonsoft.com/jsonschema	0%	Avira URL Cloud	safe
https://www.microsoftnews.com/?pc=__PARAM__&ocid=MNHP___PARAM__	0%	Avira URL Cloud	safe
http://www.quovadis.bm0	0%	Avira URL Cloud	safe
https://www.newtonsoft.com/json	0%	Avira URL Cloud	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	Avira URL Cloud	safe
https://drive-preprod.corp.google.com/	0%	Avira URL Cloud	safe
http://wixtoolset.org/news/	0%	Avira URL Cloud	safe
https://system.data.sqlite.org/X	0%	Avira URL Cloud	safe
https://fpn.firefox.com/browser?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-pr	0%	Avira URL Cloud	safe
https://bgteamtestapp.azurewebsites.net/api/BWC/getnotificationtext?	100%	Avira URL Cloud	malware
https://drive-staging.corp.google.com/	0%	Avira URL Cloud	safe
https://coverage.mozilla.org	0%	Avira URL Cloud	safe
https://ocsp.quovadisoffshore.com0	0%	Avira URL Cloud	safe
https://topsites.services.mozilla.com/cid/	0%	Avira URL Cloud	safe
https://install.mozilla.org	0%	Avira URL Cloud	safe
https://drive-autopush.corp.google.com/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0012.t-0009.t-msedge.net	13.107.246.40	true	false		high
g.ceipmsn.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://g.ceipmsn.com/8SE/44?MI=64BE9693AC0BA526EB78E89A5DFE3	rundll32.exe, 00000008.00000002.15741067226.0000000002AA9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/%LOCALE%/firefox/	ZMGCCB7.tmp.7.dr	false		high
http://json-schema.org/draft-06/schema#	BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	false		high
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	BingWallpaperApp.exe, 00000007.00000002.20786778082.0000000007FD0000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	false		high
https://chrome.google.com/webstore06	BingWallpaperApp.exe, 00000007.00000002.20788129976.0000000008193000.00000004.00000020.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/%LOCALE%/firefox/language-tools/	BingWallpaperApp.exe, 00000007.00000002.20763575170.00000000011D8000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	false		high
https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=about-pr	ZMGCCB7.tmp.7.dr	false		high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	false		high
http://g.ceipmsn.com/8SE/44?MI=64BE9693AC0BA	rundll32.exe, 00000008.00000002.15741067226.0000000002AA9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.google.com/	BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	false		high
https://wiki.mozilla.org/Addons/Extension_Signing	BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	BingWallpaperApp.exe, 00000007.00000002.20786778082.0000000008001000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	false		high
https://monitor.firefox.com/breach-details/	ZMGCCB7.tmp.7.dr	false		high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008020000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	false		high
https://drive.google.com/	BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tracking-protection-issues.herokuapp.com/new	BingWallpaperApp.exe, 00000007.00000002.20788129976.00000000081B6000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	BingWallpaperApp.exe, 00000007.00000002.20765836667.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	false		high
https://www.microsoftnews.com/?pc=__PARAM__&ocid=MNHP___PARAM__X	BingWallpaperApp.exe, 00000007.00000002.20765836667.000000000345D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ntp.msn.com/edge/ntpco$	BingWallpaperApp.exe, 00000007.00000002.20787414474.00000000080AB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bgteamtestapp.azurewebsites.net/api/BWC/getnotificationvartype?	BingWallpaperApp.exe, 00000007.00000002.20765836667.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15931787350.0000000003458000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://accounts.firefox.com/settings/clients	BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008034000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	false		high
https://chrome.google.com/webstore	BingWallpaperApp.exe, 00000007.00000002.20788129976.0000000008193000.00000004.00000020.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/%LOCALE%/firefox/themes/	BingWallpaperApp.exe, 00000007.00000002.20787414474.000000000808F000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	false		high
https://drive-daily-2.corp.google.com/	BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008034000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20788129976.0000000008193000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://payments.google.com/payments/v4/js/integrator.js	BingWallpaperApp.exe, 00000007.00000002.20787722631.00000000080E9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v	rundll32.exe, 00000006.00000003.15725259867.0000000004E4C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.15734862879.00000000046E5000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.8.dr	false	Avira URL Cloud: safe	unknown
https://drive-daily-4.corp.google.com/	BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008034000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20788129976.0000000008193000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20790525695.000000000AC04000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	ZMGCCB7.tmp.7.dr	false		high
https://services.addons.mozilla.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION%	BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	false		high
https://addons.mozilla.org/%LOCALE%/firefox/search-engines/	BingWallpaperApp.exe, 00000007.00000002.20786778082.0000000008001000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	false		high
https://drive-daily-1.corp.google.com/	BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008034000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20788129976.0000000008193000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/nightly-error-collection	ZMGCCB7.tmp.7.dr	false		high
https://drive-daily-5.corp.google.com/	BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008034000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20788129976.0000000008193000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20790525695.000000000AC04000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	ZMGCCB7.tmp.7.dr	false		high
https://ntp.msn.com/edge/ntpt-	BingWallpaperApp.exe, 00000007.00000002.20765836667.000000000375E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bgteamtestapp.azurewebsites.net/api/BWC/getnotificationtext?3	BingWallpaperApp.exe, 00000007.00000002.20765836667.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15931787350.0000000003458000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://mitmdetection.services.mozilla.com/	BingWallpaperApp.exe, 00000007.00000002.20787285635.0000000008059000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	false		high
https://content.cdn.mozilla.net	ZMGCCB7.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://www.newtonsoft.com/jsonschema	BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bgteamtestapp.azurewebsites.net/api/COSMOSIntermediateAPI/SendPing?	BingWallpaperApp.exe, 00000007.00000002.20765836667.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15931787350.0000000003458000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.quovadis.bm0	BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive-preprod.corp.google.com/	BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008034000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20790525695.000000000AC04000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ntp.msn.com/edge/ntplB	BingWallpaperApp.exe, 00000007.00000002.20765836667.0000000003756000.00000004.00000800.00020000.00000000.sdmp	false		high
http://g.ceipmsn.com/8SE/44?MI=64BE9693AC0BA526EB78E89A5DFE3A31&LV=10.0.19041.746&OS=10.0.19042.1&TE	rundll32.exe, 00000008.00000002.15741067226.0000000002B40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.15740913039.00000000028B9000.00000004.00000010.00020000.00000000.sdmp	false		high
https://urn.to/r/sds_see	BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp	false		high
https://urn.to/r/sds_see=isolation	BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	false		high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	ZMGCCB7.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://sandbox.google.com/	BingWallpaperApp.exe, 00000007.00000002.20787285635.0000000008059000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/	BingWallpaperApp.exe, 00000007.00000002.20787722631.00000000080E9000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20787285635.0000000008059000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.microsoftnews.com/?pc=__PARAM__&ocid=MNHP___PARAM__	BingWallpaperApp.exe, 00000007.00000002.20771265816.00000000049D5000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/?pc=__PARAM__&ocid=MSNHP___PARAM__X	BingWallpaperApp.exe, 00000007.00000002.20765836667.000000000345D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	ZMGCCB7.tmp.7.dr	false		high
https://token.services.mozilla.com/1.0/sync/1.5	ZMGCCB7.tmp.7.dr	false		high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	ZMGCCB7.tmp.7.dr	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	ZMGCCB7.tmp.7.dr	false		high
https://drive-staging.corp.google.	BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/?pc=__PARAM__&ocid=MSNHP___PARAM__	BingWallpaperApp.exe, 00000007.00000002.20771265816.00000000049D5000.00000004.00000800.00020000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	false		high
https://ntp.msn.com/edge/ntp	BingWallpaperApp.exe, BingWallpaperApp.exe, 00000007.00000002.20765836667.0000000003754000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/user/dashboard	BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008034000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	false		high
https://support.google.com/chrome/?p=plugin_flash	BingWallpaperApp.exe, 00000007.00000002.20787414474.00000000080AB000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20787414474.0000000008077000.00000004.00000020.00020000.00000000.sdmp	false		high
https://system.data.sqlite.org/X	BingWallpaperApp.exe, 0000000A.00000002.15932959264.000000000A990000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.newtonsoft.com/json	BingWallpaperApp.exe, 00000007.00000002.20782232342.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://g.ceipmsn.com/8SE/44?MI=64BE9693AC0BA526EB78E89A5	rundll32.exe, 00000008.00000002.15741067226.0000000002AA9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	false		high
http://wixtoolset.org/news/	rundll32.exe, 00000006.00000003.15725259867.0000000004E4C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.15734862879.00000000046E5000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.8.dr	false	Avira URL Cloud: safe	unknown
https://fpn.firefox.com/browser?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-pr	BingWallpaperApp.exe, 00000007.00000002.20763575170.000000000124E000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://payments.google.com/	BingWallpaperApp.exe, 00000007.00000002.20787285635.0000000008059000.00000004.00000020.00020000.00000000.sdmp	false		high
https://oauth.accounts.firefox.com/v1	BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008034000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	false		high
https://sandbox.google.com/payments/v4/js/integrator.js	BingWallpaperApp.exe, 00000007.00000002.20787722631.00000000080E9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.eicar.org:443	BingWallpaperApp.exe, 00000007.00000002.20790378741.000000000ABDF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://json-schema.org/draft-03/schema	BingWallpaperApp.exe, 00000007.00000002.20765836667.000000000329E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/about	BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008034000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	false		high
https://drive.google.com/drive/settings	BingWallpaperApp.exe, 00000007.00000002.20788129976.0000000008193000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20787285635.0000000008059000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20788129976.00000000081A3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cryptominers-report	ZMGCCB7.tmp.7.dr	false		high
https://ntp.msn.com/edge/ntpLR	BingWallpaperApp.exe, 00000007.00000002.20765836667.0000000003754000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ntp.msn.com/edge/ntpd	BingWallpaperApp.exe, 00000007.00000002.20765836667.000000000375E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive-staging.corp.google.com/	BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008034000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20790525695.000000000AC04000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://coverage.mozilla.org	BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://install.mozilla.org	ZMGCCB7.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com:443	BingWallpaperApp.exe, 00000007.00000002.20790378741.000000000ABDF000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp, BingWallpaperApp.exe, 00000007.00000002.20787414474.0000000008077000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/search?q=at	BingWallpaperApp.exe, 00000007.00000002.20787414474.0000000008077000.00000004.00000020.00020000.00000000.sdmp	false		high
http://json-schema.org/draft-04/schema#	BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	false		high
https://ocsp.quovadisoffshore.com0	BingWallpaperApp.exe, 00000007.00000002.20784689917.0000000006295000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ntp.msn.com/edge/ntpak/	BingWallpaperApp.exe, 00000007.00000002.20787414474.00000000080AB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bgteamtestapp.azurewebsites.net/api/BWC/getnotificationtext?	BingWallpaperApp.exe, 00000007.00000002.20765836667.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://json-schema.org/draft-07/schema#	BingWallpaperApp.exe, 0000000A.00000002.15932959264.0000000009F90000.00000004.08000000.00040000.00000000.sdmp	false		high
https://accounts.firefox.com/	ZMGCCB7.tmp.7.dr	false		high
https://contile.services.mozilla.com/v1/tiles	BingWallpaperApp.exe, 00000007.00000002.20787285635.0000000008059000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	false		high
https://monitor.firefox.com/user/preferences	BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008034000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	false		high
https://profile.accounts.firefox.com/v1	BingWallpaperApp.exe, 00000007.00000002.20787081363.0000000008034000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	false		high
https://chrome.google.com/webstore/detail/	BingWallpaperApp.exe, 0000000A.00000002.15931787350.0000000003458000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive-autopush.corp.google.com/	BingWallpaperApp.exe, 00000007.00000002.20787414474.0000000008077000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/	BingWallpaperApp.exe, 00000007.00000002.20786778082.0000000008001000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	ZMGCCB7.tmp.7.dr	false		high
https://topsites.services.mozilla.com/cid/	BingWallpaperApp.exe, 00000007.00000002.20787285635.0000000008059000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/%LOCALE%/kb/accessibility-services	BingWallpaperApp.exe, 00000007.00000002.20786778082.0000000008001000.00000004.00000020.00020000.00000000.sdmp, ZMGCCB7.tmp.7.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574547
Start date and time:	2024-12-13 12:23:28 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 17m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	BWCStartMSI.exe
Detection:	MAL
Classification:	mal54.rans.troj.spyw.evad.winEXE@17/55@1/0
EGA Information:	Successful, ratio: 85.7%
HCA Information:	Successful, ratio: 97% Number of executed functions: 135 Number of non-executed functions: 75
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 20.41.62.11, 23.216.74.151, 52.173.134.115, 23.54.201.219, 13.107.246.40
Excluded domains from analysis (whitelisted): waws-prod-dm1-071.centralus.cloudapp.azure.com, e13678.dscb.akamaiedge.net, ctldl.windowsupdate.com, www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net, e11290.dspg.akamaiedge.net, bingwallpaperimages.afd.azureedge.net, toolbar-prod-bn01.microsoft.com, www.microsoft.com-c-3.edgekey.net, go.microsoft.com, toolbar.search.msn.com.trafficmanager.net, go.microsoft.com.edgekey.net, bingwallpaperimages.azureedge.net, azureedge-t-prod.trafficmanager.net, bingwallpaper.microsoft.com, www.microsoft.com
Execution Graph export aborted for target rundll32.exe, PID 3516 because it is empty
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: BWCStartMSI.exe

Simulations

Behavior and APIs

Time	Type	Description
06:26:10	API Interceptor	32835454x Sleep call for process: BingWallpaperApp.exe modified
12:25:45	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run BingWallpaperApp C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe
12:25:53	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run BingWallpaperApp C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0012.t-0009.t-msedge.net	taCCGTk8n1.lnk	Get hash	malicious	RHADAMANTHYS	Browse	13.107.246.40
	vQu0zndLpi.dll	Get hash	malicious	Unknown	Browse	13.107.246.40
	mtbkkesfthae.exe	Get hash	malicious	Vidar	Browse	13.107.246.40
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	13.107.246.40
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.40
	https://www.cognitoforms.com/f/fWhXKikFUk-rIZ2zs1gjVw/1	Get hash	malicious	Unknown	Browse	13.107.246.40
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	13.107.246.40
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	13.107.246.40
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.107.246.40
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.40

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	10005
Entropy (8bit):	5.623339016471663
Encrypted:	false
SSDEEP:	96:E8qF0mIPxqPVP4PXQbP0fCsPYeQ6tTUNeD2yGlCsThqfUNeD2yGlC6jAF+oQThqL:E8PluFawiYe3A0GYIF0GYMITqKMpe
MD5:	43968F3A6197FFD2E87D4DDD10A8B256
SHA1:	E9AECF0648509D20E8DD420B3D3431A74447C664
SHA-256:	2395FFE9809858F88B5EC66DFF7A6C6C958F1D62CB9C78E5BC6A8D74FBDD6964
SHA-512:	685B211F3F60B5B19ED4B8EFAE877DE4C805AE0868FB1B2B47F282409E1E63D80109E0EA8239D484837227C90900C96242ADB01DBD8DCF591BE4ED7FBC442598
Malicious:	false
Preview:	...@IXOS.@.....@23.Y.@.....@.....@.....@.....@.....@......&.{240D9941-B463-4B9C-B483-7129740B9AC1}..Bing Wallpaper..BWCInstaller.msi.@.....@.....@.....@......favicon.ico..&.{9B9A5205-ECCA-4DAA-9B05-ABDF28BEB81A}.....@.....@.....@.....@.......@.....@.....@.......@......Bing Wallpaper......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{5F4BE57E-1322-4D61-A8E5-FD064E59569E}&.{240D9941-B463-4B9C-B483-7129740B9AC1}.@......&.{B947C018-5890-4E6F-8291-C66E61CB7AE3}&.{240D9941-B463-4B9C-B483-7129740B9AC1}.@......&.{D7DD0CB9-06D0-45B6-83EA-EA5BBE25BD88}&.{240D9941-B463-4B9C-B483-7129740B9AC1}.@........CreateFolders..Creating folders..Folder: [1]".(.C:\Users\user\AppData\Local\Microsoft\.@..............0.......<..................R..N.3...................X......................................... ... .....$....................R..N.3.....#.9.C:\Users\user\AppData\Local\Microsoft\BingWallpaperAp

C:\Users\user\AppData\Local\Microsoft\BGAHelperLib\BrowserSettings.dll

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1320480
Entropy (8bit):	6.720606969151946
Encrypted:	false
SSDEEP:	24576:35t82rYcGIzmzXcU44F7lx9hZNo/xEaEDEZNER/jLsGJztY9akg06jUYUbXfUTvk:Jq2rYcGIzmzXcUjFtW/xEYEJjLNkgLUl
MD5:	884F63DBC809DCEC05912A05477FA078
SHA1:	3AA2D5B9A24DB61B4532CC4A3B33040E36827EED
SHA-256:	AFDDC2CF125104F3B907F0645A9F921475E02EDA0A54179FB77EA677A608501D
SHA-512:	30853C127905C6CFE9360279F334D50C273D53DB09EBD869E4107FDDBB3CD75CCADF531B783ED0AFB5A6E25DBA338709BE67E3468D4BC64F56F407DC6975F8A2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s.W.............j.......j..U....g.......g.......g.......j.......j..............,g......,g......,gv.............,g......Rich....................PE..L.....-g...........!.........$.......5.......................................P...........@..........................@......@C.......................... (..............p...............................@............................................text...l........................... ..`.rdata...T.......V..................@..@.data...0C...`...0...D..............@....rsrc................t..............@..@.reloc...............z..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BWAConfig.bin

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe
File Type:	data
Category:	dropped
Size (bytes):	5472
Entropy (8bit):	7.9631653687612385
Encrypted:	false
SSDEEP:	96:d4+dIurFQXAWiIl/voy2/DpHUu/QS28iWFqB39l2TFeiyYSankRw4H:rdGQWiIl/voyCHU6/F8tl2YiyYSank3H
MD5:	3C972B982C38C43F84DE30D453C5530F
SHA1:	78EF3C5DEF7B908AA0CA8DFDBBA35B7A399E35CD
SHA-256:	B7AC86BD8FE8C164E7F52D5CEF81935331FAADDA9BF497F413CA3BD0FE996802
SHA-512:	4D4D0A40A6D83BC4E6A4848F531AB78C6F33E151B06DD5FF33030C2974187843D7136DB1E77731948F718102EBB3BD283B422DFDF96DC59F0444902CFE85D977
Malicious:	false
Preview:	MK.....fE."..KiAI..W....w.0\|C.....CQ..g.LH....Y...D...d...5...:.&.y...i....(.H.?D...O.P...!-G.._....&De.....H..W..{..%'"Q...>..:..#...y...#..E.}........}....Agr..\|...0.d...z..P.......I...3...wWr...%.....b6.1...@.......<.a..:.'...q....Wy#.o......s..w...W#;\|'.\|..T.x..{0...(m.rE<..._.'....;u...h.$2.....%.Qs.2R.t.U.J..C}$..e.8..-...^.m...r.kpg...sOJ..z..I%.d...4A..Y.C..s.}'.>4..T7 .si..4K5)....y5... (.^P.V...F^.9..........a..r_.....ps.j.....;.b8.Uj..."lv..)........ .....Ez.....[p...P..H.60ch....?..E.O[d.~."=V..0;..+.~o...a..I).$f...o...!R.0.E.t6.l.O..5Vr!..g.."9."...R..0&A...i....wF{._.=-....S.?.K..@...K.K..:o.-....)&K.}Ze....a....n.8us.>...t.P.2.;=Wdv..."2B..^.....o.P.G...u.).X..c..s.Tl..'.o(...........JE.z.l'..s.Z../>...5..(3......1.y@_.@I.F....s.....C..>.LlDh8....Bx_F..V....jlo.{WS.;..2g.O. ..M.B..q..l...w...K9..B.u.......)..(.*'...~4.$....2..ye..6...[.y........B6..S`.`5c.<y..`98.N..r..q.....VO.. .n..dJ..^.S.aY@.V.!..i.Y.4...^.

C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BWCUpdater.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	458312
Entropy (8bit):	7.887460094465605
Encrypted:	false
SSDEEP:	12288:quibSsl/Og9YSu6o+XvjCiSSf+wYYJmF9NJhc:quibSa/Z9m6oMjCxu
MD5:	DE98AF416B81C8813D28337CACC9B240
SHA1:	B03D1452790266B31384DCDE30A1F88876993ADF
SHA-256:	B5CD2D4C56646A79D63E0AF87E7798238B155F4A955A683EBC87FE0DD82986DC
SHA-512:	1AFFFB8454738593A819CB8614B82E48D15AC37295ACEB71B849D344E83926A10CE2F7E60421D5B9AEFF396B62D0EF4A2021D19F350F2EAD5CAF06C809451DDF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....RYg.........."...0.............. ....... ....@.. .......................`............`.................................."..K......."...............H(...@......."............................................... ..................H............d~_..<.d.... ......................@....text............................... ..`.rsrc..."...........................@..@............. ...................... ..`.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8224312
Entropy (8bit):	7.928958997417578
Encrypted:	false
SSDEEP:	196608:qXt8CfDCwKZ/RbgNK0RmmMYKr/7QzRqn7oTwbDsmk0b:qXgZ/RbgNK2QYs/7QzRq7os/sN0b
MD5:	5DDF6C0675019C3A758236D0DB069D15
SHA1:	41896FBDEBC90BE5FAC406596D5728C7EA0C0C53
SHA-256:	D9395E5D508E683DAEBFBC485B45249BD20C46A596AEFAE839F508C4A8C05F3F
SHA-512:	768A9BC2D132B3129E9696A068553CDD7B8DF135D23C59DC71E34E9E129F40052BD9E29FCE60A13E8EA54926BDA2276B99F554CF26520C468876709DE1B3A013
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...ARYg.........."...0.......s.......}...q.. ....@.. ........................}......S~...`...................................r.W.....{.M............V}.8(....}.......................................................}...............q.H..............7.T..D.q.. ....q.................@....text.........q.......q............. ..`.rsrc...M.....{.......{.............@..@..............}......R}............. ..`.reloc........}......T}.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\DispatchQueue.dll

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	162336
Entropy (8bit):	6.570944085847951
Encrypted:	false
SSDEEP:	3072:kY5vvDMWR9BlPUT5zPqDtYBvQ2oA2C14u7/yQfPSZr8HYInhh+p:kY5vvDMWBdUTBpv7V54QWIT+
MD5:	588B3B8D0B4660E99529C3769BBDFEDC
SHA1:	D130050D1C8C114421A72CAAEA0002D16FA77BFE
SHA-256:	D05A41ED2AA8AF71E4C24BFFF27032D6805C7883E9C4A88AA0A885E441BEC649
SHA-512:	E5F2FAC5E12A7E1828E28C7395435E43449898A18A2A70B3F7EA6A1982E1C36F11DA6EE7CC8AC7CEFAAB266E53D6F99EE88067BC9D719E99F4F69B4834B7F50B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._$\|e.E.6.E.6.E.6.7.7.E.6.7.7.E.6.7.7.E.6I0.7.E.6I0.7.E.6I0.72E.6.7.7.E.6.E.6.E.6.0.7.E.6.0.7.E.6.0.6.E.6.E.6.E.6.0.7.E.6Rich.E.6........PE..L......d...........!................B...............................................=.....@......................... 3..$...D4.......`..p............R.. (...p..........p...............................@............................................text...*........................... ..`.rdata...~..........................@..@.data...\|....@.......,..............@....rsrc...p....`.......8..............@..@.reloc.......p.......>..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\WPImages\20241206.jpg

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 3840x2160, components 3
Category:	dropped
Size (bytes):	1069867
Entropy (8bit):	7.783043792278915
Encrypted:	false
SSDEEP:	24576:5NajuplkI3Jxdo1ekkgIEi49ZwqLUVH/O43qRHpZjuaFbh29A:GjukaJxdobkNT49WgUVHG46jc9A
MD5:	E7ABED7180982A8A963C66E7935FE191
SHA1:	FF6883359275D08B120672F036F239D00A187AC3
SHA-256:	ED369BDB5B49C9D693F17702A82DC1617780FB5B7D677EE66C2D67AE62B7D0B7
SHA-512:	3100DE9EB862E0E6D15BA4D567620B68663EF973A597846D223647DBCC3EB11C731408D715A82718815F1F855A7AA5D8E43A12BB82E3A616CA613C985557E7C0
Malicious:	false
Preview:	......JFIF.....`.`.....C....................................................................C.......................................................................p...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...7.h.....Q.N...(...(.h...(...m:..(...L....2.(. ).E2...L..A...ej.y.=-.PXQE....Q@.EC.Z..QE..QEdXQE..QE..QE....S+ ...TtP...e..QE..o...(...(z....m...QEX..QP.E.P.E...}2.L...}..QL...L....(...(...(...(...(..........h.......*Z..%...j.....Z.(...B.)$...I)h..(...(...(...B.(..(...B.(...(...(..(.....(.@(.....QE..QE'.@.E.VF..Q@..QO..S.~...(.@)..+ .(...}2..}..(..QE...(...)..QE....h.

C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\WPImages\20241207.jpg

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 3840x2160, components 3
Category:	dropped
Size (bytes):	856234
Entropy (8bit):	7.737045748330216
Encrypted:	false
SSDEEP:	24576:BngTpy4jN0z32yrIlh7upbwL2RnCYhA9KiOn7mKHr:BngVzZa04ZnCYhA9xc5
MD5:	6188C4475D0A503203CA907ADD1FA5C7
SHA1:	A98CC343C4BA413FC4A888856C477AEFAC36C3AF
SHA-256:	5B0CAD3391B4D055A2B0BAE1060A902D933A5914A51804BC0D7A48494E63292C
SHA-512:	149E8873EC4DD65E36BE405E0239A0DD43B6E3C9E4013A6ABB5A1CBE6F521F21367ECE9A0E9C6C329B6318A274C89607E41704B54F935AAD1D2A11CE6DC0672D
Malicious:	false
Preview:	......JFIF.....`.`.....C....................................................................C.......................................................................p...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..>..>d..~.O..>...e~.\|..).P..S(....( )..}...QE..T....->.E.>.QS...}2...R.z}.KO.Ryt.%..}.>...(....(..l..@..F.}...l..@..L.....O.S.@..O.e.G..h....h...h......]......(...*...(...(.................Q%.-ER.@..Q@.T.Q@..Q@...e-..QE..QE..QO..QI.)h,(...(...)..P....?}.KE7..E..(.h.....u%Y....(J(...........G....R.6.J)^....M...)...e>...F.}...l..( (.O.......(..S..@..F.}..2...e.....e>.

C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\WPImages\20241208.jpg

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 3840x2160, components 3
Category:	dropped
Size (bytes):	991332
Entropy (8bit):	7.790390525895741
Encrypted:	false
SSDEEP:	24576:1zuzV3JtR6w//4AF8U6smCgoWzIKtDyqroWV:R8JGwnTasmloWtDyaV
MD5:	B51BA4B54B4506EE3789F0C54F835575
SHA1:	F6EB5B585F4ECB86910014FA66C17871FF26AF5E
SHA-256:	BCAD64EDAF09522E6AAAF99E7618BD399D43D88EB1D49C8A0155C33FE6505C21
SHA-512:	8691F2EF82B6117A27535D4D9D7337456B2A6E547EDE268F391E508DE64A536699684A94EBC4135B9665F05128F5732016716F0E1C920F787E900102F0E1515A
Malicious:	false
Preview:	......JFIF.....`.`.....C....................................................................C.......................................................................p...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..6.}2..?u..`.(.9..h.9.v...Q...E.Q.XQE..QE..QE..QE..S).P.).Q@..Q@..T.].GEKE@.QEK@.QE..QR.U..R....QE..QE....Q@..QY.QE..QE...QE..QE..QE..QE..QE@..(..(...(....(....(.....(...(...(...(...(...(...(...(...(...(...(...)..(...(...(...(...(....(.j*.(.h...Z(...(...(...(...L...E.P..Q@...O....(...(..Sh..QM...E6.@..QY.5......T55..(..((.....+P..Z(.h.=h.h=h.k .E.V...Q@..Q@.>.E.>.e...

C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\WPImages\20241209.jpg

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 3840x2160, components 3
Category:	dropped
Size (bytes):	1799121
Entropy (8bit):	7.743678729032892
Encrypted:	false
SSDEEP:	49152:Q5MqtubxpCiXsdaNTJK5kxZwbqlxC2pC65ct7WcxoAm:QWqWbCnaNTJ1xZe27pCdKcxRm
MD5:	7D8D3B7B395AF7D0E350F55955A55D65
SHA1:	AA78242233A2C1CAF57886BAC03E33EC8C857E43
SHA-256:	F1AD829B8B52EB0F4A26594E7D5F1C16A83467F778A5E4ED34C0816D7D34230E
SHA-512:	EC95600897975C62122B46B4DA05B48F0B3AF4943E1E6E056D2FF17F044C30D04EE521D18959AB3F6530F9077EE1A7CEBF40BA7044790E453744FE1852D5B7B7
Malicious:	false
Preview:	......JFIF.....`.`.....C....................................................................C.......................................................................p...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...M...u.T..QE..:.(...E2.Ac.S. .....%...h...(...L..j:.E...)...)..(..R.IR...}CN.J..}=.z=@.......b..GK.PY=..o.Y.%.o.}.>...m..........e..b....<.Z.....F.(...e..QE..^..h..P.P.)..(....S....T;.#...N.J.).%.N.S..V..X.u..I.ISo....H...U..R...OX..V.z.6...$J.I..s..f\|.]W..v.%rwz<..+..}.....q3<.....4..<I\....L9.u...yoLz.(.....RShJ....:..z.e'.RS...i$..........J(...(J

C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\WPImages\20241210.jpg

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 3840x2160, components 3
Category:	dropped
Size (bytes):	2146585
Entropy (8bit):	7.619251768061482
Encrypted:	false
SSDEEP:	49152:5tOx7PmteWlGUHAaKKf35kjPRMRskiSOdivqdblCrA1MDjMVFSX+jsAGcLW90LK1:HOxzmte6GUHAQ5kjGihBdblC81M3sFS5
MD5:	571A29AEC899878176C4BD6259F031F6
SHA1:	23977E4A2E3DA383E7989489D55349C079A29C9D
SHA-256:	89DEC08EE761987559AD66AE96AFBA276F352AF8690A0C74213950F81A255C74
SHA-512:	091051A14B98EC15FDBC8293BE18F0BB47ABEA518A13F205ED86F1C9F433D3516DB5D22C7932416CA254DBA18122D713E8E1A2BAD597853C8945A71F986A50B8
Malicious:	false
Preview:	......JFIF.....`.`.....C....................................................................C.......................................................................p...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...#...........Q......b...s~......(.,g...q......}?......G.........L...........)K..........G....{..?.}......g...F.....4..}.>O..Q.~g.?.@..o../...R.....R\|..........Q$..GD....3...Z....?.@................S.....G......U.....w.....G.....RR?..q....3.....Q............z\|........~.-......../e._...=.3..>..Dq..r...>...K.l..c...?/.........T.....3.......).ZzU..6l.?..........

C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\WPImages\20241211.jpg

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 3840x2160, components 3
Category:	dropped
Size (bytes):	2114181
Entropy (8bit):	7.559690281480676
Encrypted:	false
SSDEEP:	49152:jh1YycXQorN1DiEtcM3ygu6x69UY9d4Z11a6ebNmFvHjqJyNry:j1+rN1DftcF6w9bqQx2D/W
MD5:	18E87F30B3A3AF386575A0C495E494BD
SHA1:	CAFAFFE578140B5CDC2A936F608A549D89BE1305
SHA-256:	045957A7129BAD367E5B5631DDCE4B255FD373A832A070ABB856B30B6DA204DC
SHA-512:	9023A32984752151492B0333F55803FBD63FF5ED38819C04E2BD202CA36E0ABC3DE158C964CE2772FD98B0416D4022A1E9E0BBE6B48E1CE3D7B885B1B6F87BAE
Malicious:	false
Preview:	......JFIF.....`.`.....C....................................................................C.......................................................................p...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...........T....7......~.u...)..V.+;....g.....I.\|..`..(.._._..4....+"..#.fq. .(..@.~j.:...@...e.c..T.?.........J..:<........?.u...S.S.}?...@..M....=@..g...w..MO....$}...:<.g.Q..?Ad.....t.O.MB}....O.?... /....C.....&.........:&....>...L................%.2I6..:$........O'.@...o.....t.....>O.....%.29>.........T.?....r....&.:..O...:%.$o..=*y>..... @.?....>

C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\WPImages\20241212.jpg

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 3840x2160, components 3
Category:	dropped
Size (bytes):	596466
Entropy (8bit):	7.547783267445176
Encrypted:	false
SSDEEP:	12288:lRVEZz58yv8hSFOFEL4PyyTPc8mioS603v8ps+ag4beFCjD4Y9WA+N:HVEZz+yUhSsFBPyOPoid603vVmuB9f+N
MD5:	6CECE1759BFDF96AAA3D17BE93042E94
SHA1:	BD326B7F1EC276D866D15AADEBC152CD3119BF11
SHA-256:	8D424C778724D4BCA17EAE327BE45964257379B74EF1722AC1A779BECD36A188
SHA-512:	C3A5BA2BBCEEB7DCFAE8FBA886F2DD40FD10FCF33F0F7BDCCB1DC62AA8439BB032E3B98022314B01A564FACF582235A3987D4A98C981A841A654FA7E8DECDCCC
Malicious:	false
Preview:	......JFIF.....`.`.....C....................................................................C.......................................................................p...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..e..#.)..\|...:H..#.....D....z...W@.$...../........>G...t..b......H...Rj-:...s....%%.T...%/.R..t..)...(...(....<u:=A...>..&I?...l..'...M+8.....%@.O.+..-A'.RG'.Uc.........E...O.I.U......).....LG..%.N....O......:...>J.....Rl......S<..`A...:..z\|.....W..:UWO2.2....."}.....A.{.eI....)...y...7.P.y.O......K.P.%3}.C...<..O......Q~Z?.:$..G......'........oG....zP..

C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\WPImages\20241213.jpg

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 3840x2160, components 3
Category:	dropped
Size (bytes):	1607906
Entropy (8bit):	7.7251183244171395
Encrypted:	false
SSDEEP:	49152:TDYnXFHynHaW9E5BqJ2JiNK5oyoE6Sz/m9YrOWN4J:PYVHynHaWAY2sNIoyoE64/meNS
MD5:	8E03D5D75E9C1BCE8A808D1EF9CB35F4
SHA1:	24B09F8C284D47586099409609F996F5D16FEC56
SHA-256:	2E273F21BCCCE25EEAB9C68040D30B9367321C4678866443856AE08AC1AC3580
SHA-512:	0BEDE1A89F08F63D9D22F84454F9CBFAAF54E5E72F7D576AB5A69FCA41F310937F66DE9250C6E88856ECAD47EC672157BD9490F0845C41343CB5AB72438E4799
Malicious:	true
Preview:	......JFIF.....`.`.....XICC_PROFILE......HLino....mntrRGB XYZ .........1..acspMSFT....IEC sRGB.......................-HP ................................................cprt...P...3desc.......lwtpt........bkpt........rXYZ........gXYZ...,....bXYZ...@....dmnd...T...pdmdd........vued...L....view.......$lumi........meas.......$tech...0....rTRC...<....gTRC...<....bTRC...<....text....Copyright (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966-2.1............sRGB IEC61966-2.1..................................................XYZ .......Q........XYZ ................XYZ ......o...8.....XYZ ......b.........XYZ ......$.........desc........IEC http://www.iec.ch............IEC http://www.iec.ch..............................................desc........IEC 61966-2.1 Default RGB colour space - sRGB............IEC 61966-2.1 Default RGB colour space - sRGB......................desc.......,Reference Viewing Condition in IEC61966-2.1...........,Reference Viewing Condition in IEC61966-2.1........

C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\WPImages\WPPrefs.bin

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe
File Type:	data
Category:	dropped
Size (bytes):	3600
Entropy (8bit):	7.949151997899422
Encrypted:	false
SSDEEP:	96:0dGbZTSPURKagS6KXmUEw5lWJgkZqX0DznUmqpIGdHE:0eTS8RKZXKDWJY0DDUB6J
MD5:	85B8F0D93ACD9ED38858E711D4ACD6ED
SHA1:	063495F16D2602BA781EE1687BE0319A00211263
SHA-256:	5CBF1B3337F87458EC826BDC45D3516E8B3A85A183B86BBE8D9BA330CA204621
SHA-512:	03A2AEE9F5DA0CCDA34839BDDAD178F57EBE8D1FCF59BC1EB7C284E51C904D1EB8B8AE49FD72F9BB2FC4F4A154125E5EE52CE9E6010AFA444BD300DBA0E9BD8B
Malicious:	false
Preview:	....>....!.].....[^. .`.....<......<.O%PA...(j#.....:_An..me.O}.XR....u.I...VEj..5e!...7.{x.b..w.......N...q..?..=.#.....?.^....?3R}j.#..]..<..n.%y.....[.\|b^........(..!..oQ.6..{..g._..76K.......X.....k.`v-koR.......kU7.\.xI..r$8.lC....m.-.W..@1..tO.Ef..J..\y..<].P....;.7v..,.@O.I.`....Y/..j...<...M..1..i8%.Z..V.a9..\|..Ca..IQ.~.zzxc...-L......\|..7-.%..8=...E......<{...#+...e....oL..@.D..qe..#JAb....90]..<..:!^..a..$....L....R..sm...."'.J.+.1.0.I..'.u6.?....0............<k,.bk~a.........>.......SZO$r..\|<.mTPPh{..O.-.._U.H.^GK$E......5..]Y....]...CVA......J..........]...u...#g.V\|...)I.d....)...$.[.Q...\..#b.!...W\cf6.N.,.+...lN...(=<...ZJ ^i..IN..[..r.(.c3..(.....nR.?D.}......&....U]...(TR`j.....~....Ee.(.M..q>/Z..g...y.A.....}[%...8..I....{...1<Z.4$..1...o.z.`c...W..PL.........]...C.D.]s.6/k2.......`.^...0%b.......6...4X.(.Z..q..H]o..........9..&%q&PTPVdM..7.40i.b.F/.KHG..U...R0..6.....^.41.!..........r...\|..nX..Ba.....

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BWCStartMSI.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.404757711459466
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL27FuhXR5fv:Q3La/KDLI4MWuPtXR5fv
MD5:	39315D6B5D9F3BE7641DAAE22EA4D0EC
SHA1:	354FE9E747D4C059171C13F889CDF51602FDCA32
SHA-256:	FC55081F21B5E78C4F57556C38D9CDE4893BC3CA9DDF8582A6ABE5A770FC90B1
SHA-512:	9347B94E11E727E7FE6EBCA134AD6539EB839A7D39373FDD823FB047CFFCE16EF1E36083F8024E135728935FAA90152B0157FEF256121413930937F69866F3ED
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\827465c25133ff582ff7ddaf85635407\System.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BingWallpaperApp.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.384492787892129
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPtXR5fq1KDLI4M6:MLUE4K5E4K1Bs1qE4j
MD5:	37E78E344E8C1F8BEF4B8B01DB1C8957
SHA1:	D87DB381014F3794B957B5FE8F00E7BB9E1486CE
SHA-256:	7B22B69CD8F6186754B7510863D2614654E9A6A9C32AB5527893198A78F8C176
SHA-512:	496A021348AC303443A22841C754EC88D79DB69B192588B6EEB8F19D17DFB30142DEA17BAB25CAB3703A2FEE616C56B87B4529261A33DCA14FE16A3A0A7EC87B
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\827465c25133ff582ff7ddaf85635407\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	651
Entropy (8bit):	5.350896455548501
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPtXR5fOKbbDLI4MWuPJKMsDbKhaOK9eDLI4MNJK9re6K9yiv:ML9E4K1BIKDE4KhKMaKhPKIE4oKnKoM
MD5:	74840CB151128A65F91C744FC5CC0959
SHA1:	77EED566FCD18FBD3E3F4060F81B43485992D9EB
SHA-256:	5073D71022979833A0645845C588D590E94E17F9D5EAA8BDB609181D53A10F05
SHA-512:	2278C02A52E84ACD5B86E28C5F02835ABF3EA50CB37FB00A5EBED84286E45E453329FFC135E540B48B55DE9D0C0DA3D39A278CADAC07B1B6FC4312FDE6CE7264
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\827465c25133ff582ff7ddaf85635407\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\374ae62ebbde44ef97c7e898f1fdb21b\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\b863adc9d550931e279ac7e2ee517d1f\System.Configuration.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Dispatcher\DispatchQueueBWCApp.bin

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe
File Type:	data
Category:	dropped
Size (bytes):	84
Entropy (8bit):	6.178031708493046
Encrypted:	false
SSDEEP:	3:NPlUU3L444A3IN2QkK0oIiclvW4:b5L444NN2ziclO4
MD5:	6AAEE4E196B359D2936DFA059F048FEF
SHA1:	5625021523B9A0E386E94480BE2BB3F921F8ACE4
SHA-256:	14022378898BCA04919FD2693465ECF67FF94A6E2886B92B92EE318F6DD2EB13
SHA-512:	C68C9E0256A2459ED931D9E92704670D166F3C70A75FC5493ECDED188382160A3A2E7C2E00CE3E10B1C3754EEF4E01DC164634AABEB061A4CC13C18715F2617C
Malicious:	false
Preview:	.J.........q.\9..r.2..&.G85...\|......*.$....v..~.....uA..^......._.b..Gd..`...Em.3]

C:\Users\user\AppData\Local\Microsoft\Dispatcher\DispatchQueueBWCInstaller.bin

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	70
Entropy (8bit):	5.9184989097712055
Encrypted:	false
SSDEEP:	3:NPlUU3L444AFBE9VxFd1T:b5L444iErx5T
MD5:	4418F8F6D61214AE733300CF9C932A3D
SHA1:	B2A02028E4782A90641F6978F47EBC1A52D2C9F8
SHA-256:	501AFE32EA4826C61B523FDC56A3E7A8B0712116BFADC4342444A27302AB18D3
SHA-512:	8A09E67922AC1BADAC82D73E6CDDEEF14C156DD17E15403237DBAEA8953F1653492E555EC3005C9BF05ABCEB2D2A2326D3BCD6CB220EFC1D58A75D58149E0025
Malicious:	false
Preview:	.J.........q.\9..r.2..&.G85...\|......*.$..r........LD.scR....2?3.o-

C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCInstaller.msi

Download File

Process:	C:\Users\user\Desktop\BWCStartMSI.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Bing Wallpaper, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Bing Wallpaper., Template: Intel;1033, Revision Number: {9B9A5205-ECCA-4DAA-9B05-ABDF28BEB81A}, Create Time/Date: Wed Dec 11 09:10:06 2024, Last Saved Time/Date: Wed Dec 11 09:10:06 2024, Number of Pages: 300, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
Category:	dropped
Size (bytes):	8626176
Entropy (8bit):	7.96544410935432
Encrypted:	false
SSDEEP:	196608:u4pEezDV5RgvRDbJz0S2vs4zcMZVKCq7bE1MRzQf5y3a7:u4NgvRDbJzdz4oMZVKCqHEeBQxy3a
MD5:	EE59439A29C4ABEA66385AE5DAB25EAB
SHA1:	D6A3559373A9E2E8E9988ABC6E7B636892CA033E
SHA-256:	D1B28A6B26E1BCA329A63211AC822D6A3718C6985E64E61F66FA7A2FD4058740
SHA-512:	58A59374C6FF99289DC7B9B8513DB9305760485B37E47F6835AE364DB5D149DAC4AEEF31D1B64108CB5073896E434C786924C18B1CCA314401214E83F6F2067F
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe

Download File

Process:	C:\Users\user\Desktop\BWCStartMSI.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	25656
Entropy (8bit):	6.281045492379948
Encrypted:	false
SSDEEP:	384:anIG1Iql6UKG8c/SIpm6lEBFNvCNBgtjWQ+T7nHRN7MkELRPR9zic:an9IqlIGb258B4vmXQ9z1
MD5:	A923912A4643C5502E6C14F423065F11
SHA1:	C2591CCB3357BD94F9D56FCDBD0DA9771694056E
SHA-256:	DBE43727DBAA78DDAA08E73562C0FF271444A6C5AE87BA2082A2533157B8FCC4
SHA-512:	A5F8FB088CE047E49946D66BF0278F20A978B0695AD60F3BD5A740ACFBBA5DD2D4A81ECAEDE95702857F071877BD8B4D11F0BDB095A084F57069EEA53AC00CD7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...3kXg.........."...0..0...........N... ...`....@.. ..............................2e....`..................................M..O....`..(............<..8(...........L............................................... ............... ..H............text...$.... ...0.................. ..`.rsrc...(....`.......2..............@..@.reloc...............:..............@..B.................N......H........-..@............K...............................................0..].......(.....~........(....,Ar...p.(......rM..p(....rc..po....,..rw..po....-..rM..p.{....(......&.............MY.......0..O.......r}..p...(.....(........0.,- ....s.........o.....(....,..o....o....o.......&............DJ.......0..{.........r...p(....(...+..,Z.o.....+8..(.......( .....~!...r...p..("...o#.......,....Q......"..($...-...........o%.....~....Q............Ea.......0..@.......~!.....o&...

C:\Users\user\AppData\Local\Temp\ZMGCCA6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	154
Entropy (8bit):	4.722420995748231
Encrypted:	false
SSDEEP:	3:RTbRcN53nzKq6akGhXmKd0UV/P0KorHB+N53nzKq6akGhXmKd0UV/P0n:V6N5mqbmKd0UVUKg+N5mqbmKd0UVUn
MD5:	01A35C398BC06F9BBEBB1777312777EA
SHA1:	09C36586B44F9EC2E9ED70A35E10223BB8599A55
SHA-256:	DAC4E40D3C02ECD31C267A88B567BFB35C2A2480E589885023BC56F9BBB47317
SHA-512:	71C895FEE3A851DCA2EEFE7E72D88D10183EE8B59B41C7029A10EC1301F18786C6EAEA173F825890D76077DD42ED012C2A92777D31885FC85280FEA5F2CCB5F5
Malicious:	false
Preview:	//@line 4 "$OBJDIR/browser/locales/merge-dir/en-GB/browser/firefox-l10n.js"..//@line 6 "$OBJDIR/browser/locales/merge-dir/en-GB/browser/firefox-l10n.js"..

C:\Users\user\AppData\Local\Temp\ZMGCCB7.tmp

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe
File Type:	ASCII text, with very long lines (740)
Category:	dropped
Size (bytes):	72598
Entropy (8bit):	5.10430322594921
Encrypted:	false
SSDEEP:	1536:Q1fKEYchD9BoJTFtoQhCik2ddz3ZDw5O4S:Q1fHYd3ogddz3ZDw5O4S
MD5:	6AE5C98539151C7CAB17D48138868371
SHA1:	7FA7AC114C0029DD89E4D0B90D6886C61D092CAC
SHA-256:	861BB9A4CE135B9F1F306976BA819E0C65939E79ECAEB9B6DCB18341AE09DD6E
SHA-512:	6526E7CB8A4EB2AD3E765781165223B1A48E0A57A863B77FDDF6DF5358244457EBD27FC24C23A155D4D8EAF1514504AFC32BC6456AE1843A5498B0D38801680C
Malicious:	false
Preview:	//@line 2 "$SRCDIR/browser/app/profile/firefox.js".//@line 21 "$SRCDIR/browser/app/profile/firefox.js".pref("browser.hiddenWindowChromeURL", "chrome://browser/content/hiddenWindowMac.xhtml");.pref("extensions.logging.enabled", false);.pref("extensions.strictCompatibility", false);.pref("extensions.checkCompatibility.temporaryThemeOverride_minAppVersion", "29.0a1");.pref("extensions.webextPermissionPrompts", true);.pref("extensions.webextOptionalPermissionPrompts", true);.pref("extensions.postDownloadThirdPartyPrompt", true);.pref("extensions.getAddons.cache.enabled", true);.pref("extensions.getAddons.get.url", "https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%");.pref("extensions.getAddons.search.browseURL", "https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%");.pref("extensions.getAddons.link.url", "https://addons.mozilla.org/%LOCALE%/firefox/");.pref("extensions.getAddons.langpacks.url", "https://services.addon

C:\Users\user\AppData\Local\Temp\ZMGCCD7.tmp

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	2094
Entropy (8bit):	5.094060004248792
Encrypted:	false
SSDEEP:	24:wfrmokmmziHRLr8KrvdjmT4eg3h6ooIib0AQq0rS06CYC6z06CPcZyoiegubeWFr:AKmuyjCr4voIrAyrJ6CYC6A6COFar/TQ
MD5:	92D8764502DDD832F5851731BFECE7BC
SHA1:	23EF5CF75E5A7BC568E1B8C99935629D05D2FA83
SHA-256:	44F514EB9FDE96BC09CE3AEEDB49929E8CB13079C196F142ABE20F618C3CC33F
SHA-512:	D14A975C21FCF212EBBBC7A5B5B1456BA11FC1A844C8A191EC2B8D74D99F2F355D5D7F79FCF6EEECB2F5A20B7921B0993F1282335420D073DC41E4295899CE59
Malicious:	false
Preview:	/* This Source Code Form is subject to the terms of the Mozilla Public. * License, v. 2.0. If a copy of the MPL was not distributed with this. * file, You can obtain one at http://mozilla.org/MPL/2.0/. */..// This file contains branding-specific prefs...pref("startup.homepage_override_url", "");.pref("startup.homepage_welcome_url", "about:welcome");.pref("startup.homepage_welcome_url.additional", "");.// Interval: Time between checks for a new version (in seconds).pref("app.update.interval", 43200); // 12 hours.// Give the user x seconds to react before showing the big UI. default=192 hours.pref("app.update.promptWaitTime", 691200);.// app.update.url.manual: URL user can browse to manually if for some reason.// all update installation attempts fail..// app.update.url.details: a default value for the "More information about this.// update" link supplied in the "An update is available" page of the update.// wizard..//@line 25 "$SRCDIR/browser/branding/official/pref/firefox-branding.js".

C:\Users\user\AppData\Roaming\Microsoft\Installer\{240D9941-B463-4B9C-B483-7129740B9AC1}\favicon.ico

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 6 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, -128x-128, 32 bits/pixel
Category:	dropped
Size (bytes):	114221
Entropy (8bit):	3.9315825858195703
Encrypted:	false
SSDEEP:	768:Fcs1aJ6J5nzs+4rqAw3gLmniZhAr3hV1oiwBGQi5pKjLrhLewPN6:FcCi6Jpx4+AwWLB5NLea6
MD5:	CBC184A5EEA547161A088DE3C9B00112
SHA1:	4CF04E1D12DBA3D5C8A2A461E9CD8FB98CDABFC6
SHA-256:	625B51E325133084AEF42A233EF7A11ECE5F36D7A99CF463A2FD1EFA3CF682D7
SHA-512:	A8BA5D6319F52EC2CFCE3E3644AB177124D5FE2B1C389FAF9466E0069FF0B33AE957DFE72DEECD4B1D8E7E22B053406581269314005440D5159B36EAD2172E8B
Malicious:	false
Preview:	............ ..8..f......... .(...%9..@@.... .(B..MA..00.... ..%..u... .... ............... .h.......PNG........IHDR.............\r.f..8.IDATx..}{...y...S..F#..e........!....&k9...d}P.'.!.a.....X.]b.<.l....A.cM..X8~@....y. 0F~a.la...h43wf..o....}.tg............U5................................................................l.yw`!q......7..{ ......3....o9^.[&..b...q.....3.~....2.+......W.Ul.W.C................3>82C.N.8....;.].%\|..k......@.w...'C..0V......U{..n@@+.p..%...1:C..j;A..h.....w...1...mE.c.]b....'.........\.....St....-....^....b.P>.r...Fo..l92EC.?4....1 ..(.....W[...H.....O....y.j@@#P,..1..dUl92..K.......SE.... &.......}....O..?..'.B1....&...Izz..m .5Q(.0.>.Z..cSt.._.....6..Z(.....*6.V...z...y.% `.(...A.....i.u.W._.._'6.=....P,..$..q..2=...m ..Q,....`o..t........6..(..hB(m..M\|..&B.Q@S.X....~.66M.....O....M.b1.&G...`.............b1..@..il...+.>.\|....X...P!.:<E.^.....K@..X...l.......~50..\|P,.....L ....4.d?.m.L...+...,,...Z..S

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bing Wallpaper.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Wed Dec 11 18:29:32 2024, mtime=Fri Dec 13 10:25:34 2024, atime=Wed Dec 11 18:29:32 2024, length=8224312, window=hide
Category:	dropped
Size (bytes):	2466
Entropy (8bit):	3.9526043915595976
Encrypted:	false
SSDEEP:	48:8DFdRcdOuVNzweDP3C0iKu2iKS0hkWdu1CV80hVvzcTv:8BjcdOujHP3yWcD0zq
MD5:	10938F9BC63F5C3259CAF880C33DBD94
SHA1:	158EED8DDF4AC9C138E75BDA89A00CBFF3F8493A
SHA-256:	8D7F6D99027E543F9A245CFB9BAB53D6A354572CF61801C9E59067C463F89A6A
SHA-512:	27C891BB70B87F648F28EB7B824F2860A493A00E8F4FD78F3F9829FCD79CDDEA94B99617015849F06D2C7F3EA8D933E9F82FF39B236D440F24205A130222B0FF
Malicious:	false
Preview:	L..................F.@.. ........L...; .QM.......L..8~}.....................J.:..DG..Yr?.D..U..k0.&...&........{.S......QM....W.QM......t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S.Y.[....B......................A!.A.p.p.D.a.t.a...B.P.1......Y,[..Local.<......"S.Y.[....V.........................L.o.c.a.l.....\.1......Y2[..MICROS~1..D......"S.Y2[....X........................M.i.c.r.o.s.o.f.t.....j.1......Y2[..BINGWA~1..R......Y2[.Y2[.............................B.i.n.g.W.a.l.l.p.a.p.e.r.A.p.p.....v.2.8~}..Y.. .BINGWA~1.EXE..Z......Y...Y2[..............................B.i.n.g.W.a.l.l.p.a.p.e.r.A.p.p...e.x.e.......\|...............-.......{...........F.Ml.....C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe..%.S.e.t. .B.i.n.g. .i.m.a.g.e.s. .a.s. .d.e.s.k.t.o.p. .b.a.c.k.g.r.o.u.n.d.D.....\.....\.....\.....\.....\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.B.i.n.g.W.a.l.l.p.a.p.e.r.A.p.p.\.B.i.n.g.W.a.l.l.p.a.p.e.r.A.p.p...e.x.

C:\Windows\Installer\7d3d28.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Bing Wallpaper, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Bing Wallpaper., Template: Intel;1033, Revision Number: {9B9A5205-ECCA-4DAA-9B05-ABDF28BEB81A}, Create Time/Date: Wed Dec 11 09:10:06 2024, Last Saved Time/Date: Wed Dec 11 09:10:06 2024, Number of Pages: 300, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
Category:	dropped
Size (bytes):	8626176
Entropy (8bit):	7.96544410935432
Encrypted:	false
SSDEEP:	196608:u4pEezDV5RgvRDbJz0S2vs4zcMZVKCq7bE1MRzQf5y3a7:u4NgvRDbJzdz4oMZVKCqHEeBQxy3a
MD5:	EE59439A29C4ABEA66385AE5DAB25EAB
SHA1:	D6A3559373A9E2E8E9988ABC6E7B636892CA033E
SHA-256:	D1B28A6B26E1BCA329A63211AC822D6A3718C6985E64E61F66FA7A2FD4058740
SHA-512:	58A59374C6FF99289DC7B9B8513DB9305760485B37E47F6835AE364DB5D149DAC4AEEF31D1B64108CB5073896E434C786924C18B1CCA314401214E83F6F2067F
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\7d3d2b.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Bing Wallpaper, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Bing Wallpaper., Template: Intel;1033, Revision Number: {9B9A5205-ECCA-4DAA-9B05-ABDF28BEB81A}, Create Time/Date: Wed Dec 11 09:10:06 2024, Last Saved Time/Date: Wed Dec 11 09:10:06 2024, Number of Pages: 300, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
Category:	dropped
Size (bytes):	8626176
Entropy (8bit):	7.96544410935432
Encrypted:	false
SSDEEP:	196608:u4pEezDV5RgvRDbJz0S2vs4zcMZVKCq7bE1MRzQf5y3a7:u4NgvRDbJzdz4oMZVKCqHEeBQxy3a
MD5:	EE59439A29C4ABEA66385AE5DAB25EAB
SHA1:	D6A3559373A9E2E8E9988ABC6E7B636892CA033E
SHA-256:	D1B28A6B26E1BCA329A63211AC822D6A3718C6985E64E61F66FA7A2FD4058740
SHA-512:	58A59374C6FF99289DC7B9B8513DB9305760485B37E47F6835AE364DB5D149DAC4AEEF31D1B64108CB5073896E434C786924C18B1CCA314401214E83F6F2067F
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI3F6A.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	117236
Entropy (8bit):	4.042311032536716
Encrypted:	false
SSDEEP:	768:END0PWVnGZ1cs1aJ6J5nzs+4rqAw3gLmniZhAr3hV1oiwBGQi5pKjLrhLewPNQd1:VcCi6Jpx4+AwWLB5NLeaw
MD5:	09CFD95341DA2935E6B27E882906B7E7
SHA1:	4A43AF4703D0971B3ADB39A23643C6DDC007A56C
SHA-256:	AD7708E964D169EA79966F721ACE77A181D63302FD00A38C185CB57C5ABD3EBE
SHA-512:	39DFE2CEE5A8D82F5A01690695D00D4A7EEABD4FCEF0DE8C799A1D5ACE9E56210DC2BF90884D434F96695F1986AB9A841D02613DFEE160AE38FB41041C581555
Malicious:	false
Preview:	...@IXOS.@.....@23.Y.@.....@.....@.....@.....@.....@......&.{240D9941-B463-4B9C-B483-7129740B9AC1}..Bing Wallpaper..BWCInstaller.msi.@.....@.....@.....@......favicon.ico..&.{9B9A5205-ECCA-4DAA-9B05-ABDF28BEB81A}.....@.....@.....@.....@.......@.....@.....@.......@......Bing Wallpaper......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{5F4BE57E-1322-4D61-A8E5-FD064E59569E}6.01:\Software\Microsoft\BingWallpaperApp\isMSIInstalled.@.......@.....@.....@......&.{B947C018-5890-4E6F-8291-C66E61CB7AE3}...@.......@.....@.....@......&.{D7DD0CB9-06D0-45B6-83EA-EA5BBE25BD88}...@.......@.....@.....@........CreateFolders..Creating folders..Folder: [1]".(.C:\Users\user\AppData\Local\Microsoft\.@....".9.C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]...@.\|...@.....@......9.C:\Us

C:\Windows\Installer\MSI4343.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
Category:	dropped
Size (bytes):	341072
Entropy (8bit):	6.8282163150649975
Encrypted:	false
SSDEEP:	6144:41sA6fnlk/ExTj8xVB+m6vGuj6flOepvTkk4U1zgBU9Sk:yinQUTj8sdYQYzCK
MD5:	917F037636BC8BFD46149CCCBB4E34B5
SHA1:	68F04ABFEA57BCA80390AE2E030287079FD4E4C5
SHA-256:	5D98C744D61684418FA69643639A17816422B14F3C95B5A9ED0117CA06147E65
SHA-512:	B620936939968E0DDE038112265DF419299DCEF2BA63E2AE6412E9891401ED92968977C6E9950F291065D08A1DDE065DDF8AFD4F6290AF8AF911AC5713641E4A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........6m..X>..X>..X>(..>..X>(..>..X>(..>..X>E.[?..X>E.\?..X>E.]?..X>...>..X>..Y>;.X>8.]?..X>8.X?..X>8.>..X>...>..X>8.Z?..X>Rich..X>........PE..L.....Z...........!.....B...\|.......L.......`............................................@..........................{.........x.......P...............H(...... ....r..T...........................Xr..@............`..l............................text....A.......B.................. ..`.rdata...P...`...R...F..............@..@.data...t...........................@....rsrc...P...........................@..@.reloc.. ...........................@..B................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI4343.tmp-\CustomAction.config

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1493
Entropy (8bit):	4.732294656481805
Encrypted:	false
SSDEEP:	24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB7ZtG9jDqRp:c0nd5t7q7WsFD7tztG96n
MD5:	01C01D040563A55E0FD31CC8DAA5F155
SHA1:	3C1C229703198F9772D7721357F1B90281917842
SHA-256:	33D947C04A10E3AFF3DCA3B779393FA56CE5F02251C8CBAE5076A125FDEA081F
SHA-512:	9C3F0CC17868479575090E1949E31A688B8C1CDFA56AC4A08CBE661466BB40ECFC94EA512DC4B64D5FF14A563F96F1E71C03B6EEACC42992455BD4F1C91F17D5
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

C:\Windows\Installer\MSI4343.tmp-\CustomActions.dll

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.0990205067828125
Encrypted:	false
SSDEEP:	384:LN0IbYdUadEgM4n1oTN/cfiOkaNsuX2CwPtoAvC+r/Lxt6d82W+:Lk1Pouf/Cufi/j6uG
MD5:	93D3D63AB30D1522990DA0BEDBC8539D
SHA1:	3191CACE96629A0DEE4B9E8865B7184C9D73DE6B
SHA-256:	E7274B3914040C71ED155871396088D2FD4C38AD36D4A765530CFE6D487B6CF2
SHA-512:	9F1D1A96B8FAABCAC299DEDAB140AAB75D51D32C99AC31F6D1769C11D5A7D00D1E8EC2ABA026690B93B51C21D157AD5E651113ED5142DA7B7BDAAAFD4057D4E6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....]Xg.........." ..0..L..........zk... ........... ....................................`.................................(k..O....................................i............................................... ............... ..H............text....K... ...L.................. ..`.rsrc................N..............@..@.reloc...............T..............@..B................\k......H........9..\0...........................................................0..r........r...po.....(....,>~....r...p~....(.....s....%.o......(....,.~....(.....-..(....&~....~ ...(.....r#..po......&.............mm.......0.............r=..po....r[..p(....,........0..R........r_..po....~....(.......+!.....o....-..o.....r...po......X....i2..(........&.....*..........KK.......0..p........r...po....~....(.......+....o.....r...po......X....i2..~....(,...~....~....(-...(....(/.....&..

C:\Windows\Installer\MSI4343.tmp-\DispatchQueue.dll

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	162336
Entropy (8bit):	6.570944085847951
Encrypted:	false
SSDEEP:	3072:kY5vvDMWR9BlPUT5zPqDtYBvQ2oA2C14u7/yQfPSZr8HYInhh+p:kY5vvDMWBdUTBpv7V54QWIT+
MD5:	588B3B8D0B4660E99529C3769BBDFEDC
SHA1:	D130050D1C8C114421A72CAAEA0002D16FA77BFE
SHA-256:	D05A41ED2AA8AF71E4C24BFFF27032D6805C7883E9C4A88AA0A885E441BEC649
SHA-512:	E5F2FAC5E12A7E1828E28C7395435E43449898A18A2A70B3F7EA6A1982E1C36F11DA6EE7CC8AC7CEFAAB266E53D6F99EE88067BC9D719E99F4F69B4834B7F50B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._$\|e.E.6.E.6.E.6.7.7.E.6.7.7.E.6.7.7.E.6I0.7.E.6I0.7.E.6I0.72E.6.7.7.E.6.E.6.E.6.0.7.E.6.0.7.E.6.0.6.E.6.E.6.E.6.0.7.E.6Rich.E.6........PE..L......d...........!................B...............................................=.....@......................... 3..$...D4.......`..p............R.. (...p..........p...............................@............................................text...*........................... ..`.rdata...~..........................@..@.data...\|....@.......,..............@....rsrc...p....`.......8..............@..@.reloc.......p.......>..............@..B................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI4343.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	176128
Entropy (8bit):	5.775039237799255
Encrypted:	false
SSDEEP:	3072:2kfZS7FUguxN+77b1W5GR69UgoCaf8/BCnfKlRUjW01KyF:w+c7b1W4R6joxfQ8
MD5:	4E04A4CB2CF220AECC23EA1884C74693
SHA1:	A828C986D737F89EE1D9B50E63C540D48096957F
SHA-256:	CFED1841C76C9731035EBB61D5DC5656BABF1BEFF6ED395E1C6B85BB9C74F85A
SHA-512:	C0B850FBC24EFAD8207A3FCCA11217CB52F1D08B14DEB16B8E813903FECD90714EB1A4B91B329CF779AFFF3D90963380F7CFD1555FFC27BD4AC6598C709443C4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&..Z.........." ..0...... ......~.... ........... ....................................@.................................,...O.................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI472C.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
Category:	modified
Size (bytes):	341072
Entropy (8bit):	6.8282163150649975
Encrypted:	false
SSDEEP:	6144:41sA6fnlk/ExTj8xVB+m6vGuj6flOepvTkk4U1zgBU9Sk:yinQUTj8sdYQYzCK
MD5:	917F037636BC8BFD46149CCCBB4E34B5
SHA1:	68F04ABFEA57BCA80390AE2E030287079FD4E4C5
SHA-256:	5D98C744D61684418FA69643639A17816422B14F3C95B5A9ED0117CA06147E65
SHA-512:	B620936939968E0DDE038112265DF419299DCEF2BA63E2AE6412E9891401ED92968977C6E9950F291065D08A1DDE065DDF8AFD4F6290AF8AF911AC5713641E4A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........6m..X>..X>..X>(..>..X>(..>..X>(..>..X>E.[?..X>E.\?..X>E.]?..X>...>..X>..Y>;.X>8.]?..X>8.X?..X>8.>..X>...>..X>8.Z?..X>Rich..X>........PE..L.....Z...........!.....B...\|.......L.......`............................................@..........................{.........x.......P...............H(...... ....r..T...........................Xr..@............`..l............................text....A.......B.................. ..`.rdata...P...`...R...F..............@..@.data...t...........................@....rsrc...P...........................@..@.reloc.. ...........................@..B................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI472C.tmp-\CustomAction.config

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1493
Entropy (8bit):	4.732294656481805
Encrypted:	false
SSDEEP:	24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB7ZtG9jDqRp:c0nd5t7q7WsFD7tztG96n
MD5:	01C01D040563A55E0FD31CC8DAA5F155
SHA1:	3C1C229703198F9772D7721357F1B90281917842
SHA-256:	33D947C04A10E3AFF3DCA3B779393FA56CE5F02251C8CBAE5076A125FDEA081F
SHA-512:	9C3F0CC17868479575090E1949E31A688B8C1CDFA56AC4A08CBE661466BB40ECFC94EA512DC4B64D5FF14A563F96F1E71C03B6EEACC42992455BD4F1C91F17D5
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

C:\Windows\Installer\MSI472C.tmp-\CustomActions.dll

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.0990205067828125
Encrypted:	false
SSDEEP:	384:LN0IbYdUadEgM4n1oTN/cfiOkaNsuX2CwPtoAvC+r/Lxt6d82W+:Lk1Pouf/Cufi/j6uG
MD5:	93D3D63AB30D1522990DA0BEDBC8539D
SHA1:	3191CACE96629A0DEE4B9E8865B7184C9D73DE6B
SHA-256:	E7274B3914040C71ED155871396088D2FD4C38AD36D4A765530CFE6D487B6CF2
SHA-512:	9F1D1A96B8FAABCAC299DEDAB140AAB75D51D32C99AC31F6D1769C11D5A7D00D1E8EC2ABA026690B93B51C21D157AD5E651113ED5142DA7B7BDAAAFD4057D4E6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....]Xg.........." ..0..L..........zk... ........... ....................................`.................................(k..O....................................i............................................... ............... ..H............text....K... ...L.................. ..`.rsrc................N..............@..@.reloc...............T..............@..B................\k......H........9..\0...........................................................0..r........r...po.....(....,>~....r...p~....(.....s....%.o......(....,.~....(.....-..(....&~....~ ...(.....r#..po......&.............mm.......0.............r=..po....r[..p(....,........0..R........r_..po....~....(.......+!.....o....-..o.....r...po......X....i2..(........&.....*..........KK.......0..p........r...po....~....(.......+....o.....r...po......X....i2..~....(,...~....~....(-...(....(/.....&..

C:\Windows\Installer\MSI472C.tmp-\DispatchQueue.dll

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	162336
Entropy (8bit):	6.570944085847951
Encrypted:	false
SSDEEP:	3072:kY5vvDMWR9BlPUT5zPqDtYBvQ2oA2C14u7/yQfPSZr8HYInhh+p:kY5vvDMWBdUTBpv7V54QWIT+
MD5:	588B3B8D0B4660E99529C3769BBDFEDC
SHA1:	D130050D1C8C114421A72CAAEA0002D16FA77BFE
SHA-256:	D05A41ED2AA8AF71E4C24BFFF27032D6805C7883E9C4A88AA0A885E441BEC649
SHA-512:	E5F2FAC5E12A7E1828E28C7395435E43449898A18A2A70B3F7EA6A1982E1C36F11DA6EE7CC8AC7CEFAAB266E53D6F99EE88067BC9D719E99F4F69B4834B7F50B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._$\|e.E.6.E.6.E.6.7.7.E.6.7.7.E.6.7.7.E.6I0.7.E.6I0.7.E.6I0.72E.6.7.7.E.6.E.6.E.6.0.7.E.6.0.7.E.6.0.6.E.6.E.6.E.6.0.7.E.6Rich.E.6........PE..L......d...........!................B...............................................=.....@......................... 3..$...D4.......`..p............R.. (...p..........p...............................@............................................text...*........................... ..`.rdata...~..........................@..@.data...\|....@.......,..............@....rsrc...p....`.......8..............@..@.reloc.......p.......>..............@..B................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI472C.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	176128
Entropy (8bit):	5.775039237799255
Encrypted:	false
SSDEEP:	3072:2kfZS7FUguxN+77b1W5GR69UgoCaf8/BCnfKlRUjW01KyF:w+c7b1W4R6joxfQ8
MD5:	4E04A4CB2CF220AECC23EA1884C74693
SHA1:	A828C986D737F89EE1D9B50E63C540D48096957F
SHA-256:	CFED1841C76C9731035EBB61D5DC5656BABF1BEFF6ED395E1C6B85BB9C74F85A
SHA-512:	C0B850FBC24EFAD8207A3FCCA11217CB52F1D08B14DEB16B8E813903FECD90714EB1A4B91B329CF779AFFF3D90963380F7CFD1555FFC27BD4AC6598C709443C4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&..Z.........." ..0...... ......~.... ........... ....................................@.................................,...O.................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{240D9941-B463-4B9C-B483-7129740B9AC1}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1644104268686482
Encrypted:	false
SSDEEP:	12:JSbX72FjOAGiLIlHVRpLh/7777777777777777777777777vDHF7MxhFXu0l0i8Q:JMQI5PePtIF
MD5:	C0AC5510F41FF67E3B11736D8EC86C81
SHA1:	9FAA69D574F5A752754C0AE0CE2D9D83162EDC02
SHA-256:	7B94B90EDCF3DAA899333884E0EEB26B45E589AC74EE8F25D33B0B49EDEC4849
SHA-512:	DE02D93B406E37E8467EA083E78FF28F56637F2EFF72CD735A9F948FBE4E67EC3FDBB88877051D24C67C55275F6052FFBAE399454677FE0394565D039067745B
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.512513156137976
Encrypted:	false
SSDEEP:	48:c8PhOuRc06WXJGFT5fong9iKRS79rw9iKRSIV:zhO1dFT2eZ
MD5:	56FBE0791203D02A6AD8CFCD7551FC41
SHA1:	AC82BD4E25903617A5084C9DF3EE04DCE3E5AD17
SHA-256:	A433881547C9DC32B0F5AEA4EA724774507AC5AF1992A5ECF35988ECE37E96C0
SHA-512:	980D5FBC4C21D8B45880FBD646D350E10726F0C877C8412677F05DDBECE4A41E14296FBA60F77316560B232F16FA901D2EB71646A075BE001C93F2E2264EB512
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1013989
Entropy (8bit):	5.4100285920377145
Encrypted:	false
SSDEEP:	6144:TFfxq8RfKF0Dux6lvJ3c7v/3dd7kGcoyq+HNJ8zS:TFfxq8xKCE6lVcbP7kGcjNJ8zS
MD5:	DB58C83F5CB99F45060A9CEC8F3443A6
SHA1:	2F84381CF4F17639CDB340C439F34F79425A625C
SHA-256:	8EC3FC125C41522FC87704684E25EFFF491F40269740BFD592480272A02911BA
SHA-512:	CEAE81A1B800493712A575B5DBA8A75351FD035DBEB0C9A665DF74E1EEC6F19DAB7DBF0666927B855EA088838E08BC0559405C0A38F600B1A3ED9179DF52E9D3
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 09:59:37.236 [4684]: Command line: D:\wd\compilerTemp\BMT.i51yo0aa.beh\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 09:59:37.255 [4684]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 09:59:37.299 [4684]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 09:59:37.299 [4684]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 09:59:37.299 [

C:\Windows\Temp\~DF03A287EC5D576782.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF0720E540BFFF2327.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.512513156137976
Encrypted:	false
SSDEEP:	48:c8PhOuRc06WXJGFT5fong9iKRS79rw9iKRSIV:zhO1dFT2eZ
MD5:	56FBE0791203D02A6AD8CFCD7551FC41
SHA1:	AC82BD4E25903617A5084C9DF3EE04DCE3E5AD17
SHA-256:	A433881547C9DC32B0F5AEA4EA724774507AC5AF1992A5ECF35988ECE37E96C0
SHA-512:	980D5FBC4C21D8B45880FBD646D350E10726F0C877C8412677F05DDBECE4A41E14296FBA60F77316560B232F16FA901D2EB71646A075BE001C93F2E2264EB512
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF12CE73E5AD9120EA.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	0.12338994053542315
Encrypted:	false
SSDEEP:	24:4UzIHpwVXiKRipVkwVXiKRipVJVXLpGWZkN+JV6:Fo69iKRSL9iKRS79rU86
MD5:	CC8634A65DFDCB6D23D8AA5CA5D5DCCF
SHA1:	31DF9C7BCA6D62551AD8333E94BC5843FDA7F00C
SHA-256:	06B59F6DDD7D92EDCB1635DCDCCF3023E77D0DE95C3AF09E1983EDDAAF955B01
SHA-512:	46721699F1449F412177431CAF0C6B1F74B62AB7341DA977B62245FE13E7F2F6ACB8A4747FD3A76304BDCF5B69771962634CD113F822FD647CDD3AFB9605B9AB
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF2696A807D72EBE8D.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF57B90790A36B600F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5EF3D2AC7C7BC863.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07200963350440084
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKO7/PhqvJj1FXLIIVky6l0:2F0i8n0itFzDHF7MxhFXu0
MD5:	17405C2E0B53CC7D0F737790BE853069
SHA1:	AF3885F0A0FD4264AA325A24B730DB2D9FB687B1
SHA-256:	A00AAA6295A51FF7147814AF448738616EE7C70391263F1EB254B06E1195F354
SHA-512:	8BA2E68A893E2F4A5204CAA3AA3CAAAAEF7FA1A57634E1374B90C5210511D1DE8028D91876BE288A98CB9B5B52475FA83CA6CCEB2B2255F0A43C92A9B128AE9B
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFB5FB8A8945671B71.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFB66683FA17881A2D.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.512513156137976
Encrypted:	false
SSDEEP:	48:c8PhOuRc06WXJGFT5fong9iKRS79rw9iKRSIV:zhO1dFT2eZ
MD5:	56FBE0791203D02A6AD8CFCD7551FC41
SHA1:	AC82BD4E25903617A5084C9DF3EE04DCE3E5AD17
SHA-256:	A433881547C9DC32B0F5AEA4EA724774507AC5AF1992A5ECF35988ECE37E96C0
SHA-512:	980D5FBC4C21D8B45880FBD646D350E10726F0C877C8412677F05DDBECE4A41E14296FBA60F77316560B232F16FA901D2EB71646A075BE001C93F2E2264EB512
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD02EF75A0A71C791.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD3385A1DE7F4395A.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2150074939712021
Encrypted:	false
SSDEEP:	48:oMmGuIPveFXJHT59ong9iKRS79rw9iKRSIV:+GYvTseZ
MD5:	5686987DDBF62ACC815054F10E740F71
SHA1:	4F37879BE883A5B1394C379F3304227D95B9C189
SHA-256:	84C7AA7DB0E59BB413209493DAC0C0B97E884B8B3AF2410D13820FFAD30AF598
SHA-512:	E28CBB796ABB9C59A6566DAB6110A01EFC37E5A59B5CC867FF175C66754AC6C813183818623D74E5E9A2EAB28AB6F33C0A833F6B7C7557E29B46ADD935205A44
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFDA35668D189EFB69.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2150074939712021
Encrypted:	false
SSDEEP:	48:oMmGuIPveFXJHT59ong9iKRS79rw9iKRSIV:+GYvTseZ
MD5:	5686987DDBF62ACC815054F10E740F71
SHA1:	4F37879BE883A5B1394C379F3304227D95B9C189
SHA-256:	84C7AA7DB0E59BB413209493DAC0C0B97E884B8B3AF2410D13820FFAD30AF598
SHA-512:	E28CBB796ABB9C59A6566DAB6110A01EFC37E5A59B5CC867FF175C66754AC6C813183818623D74E5E9A2EAB28AB6F33C0A833F6B7C7557E29B46ADD935205A44
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE23D66F2A9E018C0.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2150074939712021
Encrypted:	false
SSDEEP:	48:oMmGuIPveFXJHT59ong9iKRS79rw9iKRSIV:+GYvTseZ
MD5:	5686987DDBF62ACC815054F10E740F71
SHA1:	4F37879BE883A5B1394C379F3304227D95B9C189
SHA-256:	84C7AA7DB0E59BB413209493DAC0C0B97E884B8B3AF2410D13820FFAD30AF598
SHA-512:	E28CBB796ABB9C59A6566DAB6110A01EFC37E5A59B5CC867FF175C66754AC6C813183818623D74E5E9A2EAB28AB6F33C0A833F6B7C7557E29B46ADD935205A44
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.997929645365895
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	BWCStartMSI.exe
File size:	8'543'800 bytes
MD5:	89d75b7846db98111be948830f9cf7c2
SHA1:	3771cbe04980af3cdca295df79346456d1207051
SHA256:	1077f5ff5fc1c7b7ce347323d14ba387f43e9cfab9808fa31a1cd3144fa05ef4
SHA512:	f283b1a7bc30621a0e6ee6383174323cc67d002329a294d13aa23a633ca6f66ee0acdc6a4d2b0d4b7465acaa043b60f1ed27200a2b2d998fa0ef85f3545138fc
SSDEEP:	196608:HREgs4DsRz2vROZmy0TNy06Gm/HVSle4LG7IYTmd6r+d4:HRG2vROZmyYR63/HVSleAkLT66r+a
TLSH:	5D86335339E8E689E1BC9BB520D626831FB1BCD12C7940761369F48D18B2F11D9327BE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Of.{...(...(...(.l.)...(.l.)...(.l.)...(.l.)...(...(...(.l.)...(.l\(...(.l.)...(Rich...(........PE..L...!V.:.................d.

File Icon


Icon Hash:	3b6120282c4c5a1f

Static PE Info

General

Entrypoint:	0x406a00
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x3A1E5621 [Fri Nov 24 11:50:57 2000 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	646167cce332c1c252cdcb1839e0cf48

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	12/09/2024 22:11:14 11/09/2025 22:11:14
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	830B09B4F77B3E9361C2D8A892B83C5C
Thumbprint SHA-1:	8F985BE8FD256085C90A95D3C74580511A1DB975
Thumbprint SHA-256:	E4AB39116A7DC57D073164EB1C840B1FB8334A8C920B92EFAFEA19112DCE643B
Serial:	33000004046C7406FF572B2772000000000404

Entrypoint Preview

Instruction
call 00007F5920B5B405h
jmp 00007F5920B5AD05h
push 00000058h
push 00407268h
call 00007F5920B5B4A7h
xor ebx, ebx
mov dword ptr [ebp-20h], ebx
lea eax, dword ptr [ebp-68h]
push eax
call dword ptr [0040A184h]
mov dword ptr [ebp-04h], ebx
mov eax, dword ptr fs:[00000018h]
mov esi, dword ptr [eax+04h]
mov edi, ebx
mov edx, 004088ACh
mov ecx, esi
xor eax, eax
lock cmpxchg dword ptr [edx], ecx
test eax, eax
je 00007F5920B5AD1Ah
cmp eax, esi
jne 00007F5920B5AD09h
xor esi, esi
inc esi
mov edi, esi
jmp 00007F5920B5AD12h
push 000003E8h
call dword ptr [0040A188h]
jmp 00007F5920B5ACD9h
xor esi, esi
inc esi
cmp dword ptr [004088B0h], esi
jne 00007F5920B5AD0Ch
push 0000001Fh
call 00007F5920B5B235h
pop ecx
jmp 00007F5920B5AD3Ch
cmp dword ptr [004088B0h], ebx
jne 00007F5920B5AD2Eh
mov dword ptr [004088B0h], esi
push 004010CCh
push 004010C0h
call 00007F5920B5AE60h
pop ecx
pop ecx
test eax, eax
je 00007F5920B5AD19h
mov dword ptr [ebp-04h], FFFFFFFEh
mov eax, 000000FFh
jmp 00007F5920B5AE39h
mov dword ptr [004081E4h], esi
cmp dword ptr [004088B0h], esi
jne 00007F5920B5AD1Dh
push 004010BCh
push 004010B4h
call 00007F5920B5B3F3h
pop ecx
pop ecx
mov dword ptr [000088B0h], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa28c	0xb4	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x81ae6c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x823600	0x2838	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x827000	0x888	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1410	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1008	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa000	0x288	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x62c4	0x6400	d3b080bd7b514f812cbee16da52b0c4c	False	0.5751171875	data	6.301659763150869	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x8000	0x1a48	0x200	7b9890a93c0516bb070e1170cfde54d5	False	0.609375	data	4.970639543960129	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xa000	0x1052	0x1200	3906fab55f211460c4a4a799648be3c7	False	0.4142795138888889	data	5.0224249304912405	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x81ae6c	0x81b000	415889d20266236d4ab5866fdf0b0f9b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x827000	0x888	0xa00	f081b23c3aa39325c504c02cdcd1422d	False	0.7515625	data	6.273787441603385	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AVI	0xca10	0x2e1a	RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp	English	United States	0.2713099474665311
RT_ICON	0xf82c	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.3225609756097561
RT_ICON	0xfe94	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.41263440860215056
RT_ICON	0x1017c	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	English	United States	0.4569672131147541
RT_ICON	0x10364	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.5574324324324325
RT_ICON	0x1048c	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.6223347547974414
RT_ICON	0x11334	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7369133574007221
RT_ICON	0x11bdc	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.783410138248848
RT_ICON	0x122a4	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.3829479768786127
RT_ICON	0x1280c	0xd9d2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.0004662673505254
RT_ICON	0x201e0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5300829875518672
RT_ICON	0x22788	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6137429643527205
RT_ICON	0x23830	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.703688524590164
RT_ICON	0x241b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.425531914893617
RT_DIALOG	0x24620	0x2f2	data	English	United States	0.4389920424403183
RT_DIALOG	0x24914	0x1b0	data	English	United States	0.5625
RT_DIALOG	0x24ac4	0x166	data	English	United States	0.5223463687150838
RT_DIALOG	0x24c2c	0x1c0	data	English	United States	0.5446428571428571
RT_DIALOG	0x24dec	0x130	data	English	United States	0.5526315789473685
RT_DIALOG	0x24f1c	0x120	data	English	United States	0.5763888888888888
RT_STRING	0x2503c	0x8c	Matlab v4 mat-file (little endian) l, numeric, rows 0, columns 0	English	United States	0.6214285714285714
RT_STRING	0x250c8	0x520	data	English	United States	0.4032012195121951
RT_STRING	0x255e8	0x5cc	data	English	United States	0.36455525606469
RT_STRING	0x25bb4	0x4b0	data	English	United States	0.385
RT_STRING	0x26064	0x44a	data	English	United States	0.3970856102003643
RT_STRING	0x264b0	0x3ce	data	English	United States	0.36858316221765913
RT_RCDATA	0x26880	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0x26888	0x7ff3df	Microsoft Cabinet archive data, many, 8385503 bytes, 2 files, at 0x2c +A "BWCStartMSI.exe" +A "BWCInstaller.msi", ID 2884, number 1, 265 datablocks, 0x1503 compression	English	United States	0.9998865127563477
RT_RCDATA	0x825c68	0x4	data	English	United States	3.0
RT_RCDATA	0x825c6c	0x24	data	English	United States	0.8611111111111112
RT_RCDATA	0x825c90	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0x825c98	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0x825ca0	0x4	data	English	United States	3.0
RT_RCDATA	0x825ca4	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0x825cac	0x4	data	English	United States	3.0
RT_RCDATA	0x825cb0	0x10	data	English	United States	1.5
RT_RCDATA	0x825cc0	0x4	data	English	United States	3.0
RT_RCDATA	0x825cc4	0xc	data	English	United States	1.6666666666666667
RT_RCDATA	0x825cd0	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0x825cd8	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_GROUP_ICON	0x825ce0	0xbc	data	English	United States	0.6117021276595744
RT_VERSION	0x825d9c	0x4e4	data			0.30431309904153353
RT_VERSION	0x826280	0x408	data	English	United States	0.42151162790697677
RT_MANIFEST	0x826688	0x7e2	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3761149653121903

Imports

DLL	Import
ADVAPI32.dll	GetTokenInformation, RegDeleteValueA, RegOpenKeyExA, RegQueryInfoKeyA, FreeSid, OpenProcessToken, RegSetValueExA, RegCreateKeyExA, LookupPrivilegeValueA, AllocateAndInitializeSid, RegQueryValueExA, EqualSid, RegCloseKey, AdjustTokenPrivileges
KERNEL32.dll	_lopen, _llseek, CompareStringA, GetLastError, GetFileAttributesA, GetSystemDirectoryA, LoadLibraryA, DeleteFileA, GlobalAlloc, GlobalFree, CloseHandle, WritePrivateProfileStringA, IsDBCSLeadByte, GetWindowsDirectoryA, SetFileAttributesA, GetProcAddress, GlobalLock, LocalFree, RemoveDirectoryA, FreeLibrary, _lclose, CreateDirectoryA, GetPrivateProfileIntA, GetPrivateProfileStringA, GlobalUnlock, ReadFile, SizeofResource, WriteFile, GetDriveTypeA, lstrcmpA, SetFileTime, SetFilePointer, FindResourceA, CreateMutexA, GetVolumeInformationA, ExpandEnvironmentStringsA, GetCurrentDirectoryA, FreeResource, GetVersion, SetCurrentDirectoryA, GetTempPathA, LocalFileTimeToFileTime, CreateFileA, SetEvent, TerminateThread, GetVersionExA, LockResource, GetSystemInfo, CreateThread, ResetEvent, LoadResource, ExitProcess, GetModuleHandleW, CreateProcessA, FormatMessageA, GetTempFileNameA, DosDateTimeToFileTime, CreateEventA, GetExitCodeProcess, FindNextFileA, LocalAlloc, GetShortPathNameA, MulDiv, GetDiskFreeSpaceA, EnumResourceLanguagesA, GetTickCount, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetStartupInfoW, Sleep, FindClose, GetCurrentProcess, FindFirstFileA, WaitForSingleObject, GetModuleFileNameA, LoadLibraryExA
GDI32.dll	GetDeviceCaps
USER32.dll	SetWindowLongA, GetDlgItemTextA, DialogBoxIndirectParamA, ShowWindow, MsgWaitForMultipleObjects, SetWindowPos, GetDC, GetWindowRect, DispatchMessageA, GetDesktopWindow, CharUpperA, SetDlgItemTextA, ExitWindowsEx, MessageBeep, EndDialog, CharPrevA, LoadStringA, CharNextA, EnableWindow, ReleaseDC, SetForegroundWindow, PeekMessageA, GetDlgItem, SendMessageA, SendDlgItemMessageA, MessageBoxA, SetWindowTextA, GetWindowLongA, CallWindowProcA, GetSystemMetrics
msvcrt.dll	_controlfp, ?terminate@@YAXXZ, _acmdln, _initterm, __setusermatherr, _except_handler4_common, memcpy, _ismbblead, __p__fmode, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, __p__commode, _XcptFilter, memcpy_s, _vsnprintf, memset
COMCTL32.dll
Cabinet.dll
VERSION.dll	GetFileVersionInfoA, VerQueryValueA, GetFileVersionInfoSizeA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 12:25:38.149291992 CET	57067	53	192.168.11.20	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 12:25:38.149291992 CET	192.168.11.20	1.1.1.1	0xcde7	Standard query (0)	g.ceipmsn.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 12:25:38.263751030 CET	1.1.1.1	192.168.11.20	0xcde7	No error (0)	g.ceipmsn.com	g.search.live.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:25:38.263751030 CET	1.1.1.1	192.168.11.20	0xcde7	No error (0)	g.search.live.com	toolbar.search.msn.com.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:25:40.764275074 CET	1.1.1.1	192.168.11.20	0x71f3	No error (0)	bingwallpaper.azurewebsites.net	waws-prod-dm1-071.sip.azurewebsites.windows.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:25:40.764275074 CET	1.1.1.1	192.168.11.20	0x71f3	No error (0)	waws-prod-dm1-071.sip.azurewebsites.windows.net	waws-prod-dm1-071.centralus.cloudapp.azure.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:25:41.811949015 CET	1.1.1.1	192.168.11.20	0xdf5	No error (0)	shed.dual-low.s-part-0012.t-0009.t-msedge.net	s-part-0012.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 12:25:41.811949015 CET	1.1.1.1	192.168.11.20	0xdf5	No error (0)	s-part-0012.t-0009.t-msedge.net		13.107.246.40	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	06:25:33
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\BWCStartMSI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BWCStartMSI.exe"
Imagebase:	0x950000
File size:	8'543'800 bytes
MD5 hash:	89D75B7846DB98111BE948830F9CF7C2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:25:33
Start date:	13/12/2024
Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe
Imagebase:	0xd10000
File size:	25'656 bytes
MD5 hash:	A923912A4643C5502E6C14F423065F11
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:25:33
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\msiexec.exe" /q /i BWCInstaller.msi /norestart
Imagebase:	0x880000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:25:34
Start date:	13/12/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff69c130000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	06:25:35
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 1E7C6F8FE305CF59FC9AE1ED4206AF89
Imagebase:	0x880000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:25:35
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Windows\Installer\MSI4343.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_8209281 2 CustomActions!CustomActions.CustomActions.StartApp
Imagebase:	0x330000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:25:36
Start date:	13/12/2024
Path:	C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe"
Imagebase:	0x5e0000
File size:	8'224'312 bytes
MD5 hash:	5DDF6C0675019C3A758236D0DB069D15
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	06:25:36
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Windows\Installer\MSI472C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_8210250 8 CustomActions!CustomActions.CustomActions.InstallPing
Imagebase:	0x330000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:25:45
Start date:	13/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Imagebase:	0x7ff62d960000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:25:53
Start date:	13/12/2024
Path:	C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe"
Imagebase:	0x7b0000
File size:	8'224'312 bytes
MD5 hash:	5DDF6C0675019C3A758236D0DB069D15
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:26:01
Start date:	13/12/2024
Path:	C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe"
Imagebase:	0x7f0000
File size:	8'224'312 bytes
MD5 hash:	5DDF6C0675019C3A758236D0DB069D15
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	28.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	30.5%
Total number of Nodes:	932
Total number of Limit Nodes:	47

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00953B8E Relevance: 40.6, APIs: 11, Strings: 12, Instructions: 308
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00953BFD
CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,00000004), ref: 00953CC8

Part of subcall function 00954669: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0095467A
Part of subcall function 00954669: SizeofResource.KERNEL32(00000000,00000000,?,00952D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00954683
Part of subcall function 00954669: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0095469D
Part of subcall function 00954669: LoadResource.KERNEL32(00000000,00000000,?,00952D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 009546A6
Part of subcall function 00954669: LockResource.KERNEL32(00000000,?,00952D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 009546AD
Part of subcall function 00954669: memcpy_s.MSVCRT ref: 009546BF
Part of subcall function 00954669: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 009546C9

CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,?,00958C42), ref: 00953D7B
GetProcAddress.KERNEL32(00000000,DoInfInstall), ref: 00953E12
FreeLibrary.KERNEL32(00000000,?,00958C42), ref: 00953EEB
LocalFree.KERNEL32(?,?,?,?,00958C42), ref: 00953F0B
FreeLibrary.KERNEL32(00000000,?,00958C42), ref: 00953F2C
LocalFree.KERNEL32(?,?,?,?,00958C42), ref: 00953F33
FreeLibrary.KERNEL32(00000000,DoInfInstall,00000000,00000010,00000000,?,00958C42), ref: 00953F62
LocalFree.KERNEL32(?,advpack.dll,00000000,00000010,00000000,?,?,?,00958C42), ref: 00953F6C
LocalFree.KERNEL32(?,00000000,00000000,00000010,00000000,?,?,?,00958C42), ref: 00953FAE

Strings

REBOOT, xrefs: 00953BCE
BWCStartMSI, xrefs: 00953E54
D, xrefs: 00953C05
advpack.dll, xrefs: 00953F89
<None>, xrefs: 00953CB5, 00953D69
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00953E60
SHOWWINDOW, xrefs: 00953C20
USRQCMD, xrefs: 00953C99
POSTRUNPROGRAM, xrefs: 00953D4C
DoInfInstall, xrefs: 00953E0B, 00953E10, 00953F54
ADMQCMD, xrefs: 00953C8A
RUNPROGRAM, xrefs: 00953CF1

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: Free$Resource$Local$Library$CompareFindString$AddressLoadLockProcSizeofmemcpy_smemset
String ID: <None>$ADMQCMD$BWCStartMSI$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$D$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$USRQCMD$advpack.dll
API String ID: 1032054927-4278669608
Opcode ID: 285b50b11cda6999296eb0a52ac3ae2d5e761b10ef760666567c8858bd94b576
Instruction ID: 046f26beeeb868244b4a350c9c10feccf09ba0964b374673e8899af4a1fa1808
Opcode Fuzzy Hash: 285b50b11cda6999296eb0a52ac3ae2d5e761b10ef760666567c8858bd94b576
Instruction Fuzzy Hash: AAB1F1709183419BE720DF27D845B6B77E8AB84387F008A29FE85E61E0DB74894CCB56

Function 00951B04 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 290
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CompareStringA.KERNEL32(0000007F,00000001,00000000,000000FF,.INF,000000FF,?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,00000000,00000001,00000000), ref: 00951C03
GetFileAttributesA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,00000000,00000001,00000000), ref: 00951C1A
LocalAlloc.KERNEL32(00000040,00000200,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,00000000,00000001,00000000), ref: 00951C73
GetPrivateProfileIntA.KERNEL32(?,Reboot,00000000,?), ref: 00951CA4
GetPrivateProfileStringA.KERNEL32(Version,AdvancedINF,00951140,00000000,00000008,?), ref: 00951CD4
GetShortPathNameA.KERNEL32(?,?,00000104), ref: 00951D37

Part of subcall function 00954495: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 009544F4
Part of subcall function 00954495: MessageBoxA.USER32(?,?,BWCStartMSI,00010010), ref: 00954530

Strings

Reboot, xrefs: 00951C9E
rundll32.exe %s,InstallHinfSection %s 128 %s, xrefs: 00951D57
.BAT, xrefs: 00951D9F
setupapi.dll, xrefs: 00951D3F, 00951D56
setupx.dll, xrefs: 00951D30
.INF, xrefs: 00951BF7
AdvancedINF, xrefs: 00951CCA
", xrefs: 00951B41
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00951BBC
Command.com /c %s, xrefs: 00951DB7, 00951E04
DefaultInstall, xrefs: 00951C90, 00951CA3, 00951CEA, 00951CEF, 00951D49, 00951D55
Version, xrefs: 00951CCF

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
String ID: "$.BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
API String ID: 383838535-3300983261
Opcode ID: 44cb107187bc360da4eaa8c5c56aff9fb2b64fe3317887576c80bafce5982979
Instruction ID: 3357f748b4ecf4f3c569067bf31486b0fd091094be572bf5e787d82f38741117
Opcode Fuzzy Hash: 44cb107187bc360da4eaa8c5c56aff9fb2b64fe3317887576c80bafce5982979
Instruction Fuzzy Hash: F8A15970A08314ABEB20DB26CC45FEA77BD9B85312F140295ED55A32C1EBB49ECDCB54

Function 00952CA1 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 182
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00952CD0
memset.MSVCRT ref: 00952CE0
memset.MSVCRT ref: 00952CF0

Part of subcall function 00954669: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0095467A
Part of subcall function 00954669: SizeofResource.KERNEL32(00000000,00000000,?,00952D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00954683
Part of subcall function 00954669: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0095469D
Part of subcall function 00954669: LoadResource.KERNEL32(00000000,00000000,?,00952D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 009546A6
Part of subcall function 00954669: LockResource.KERNEL32(00000000,?,00952D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 009546AD
Part of subcall function 00954669: memcpy_s.MSVCRT ref: 009546BF
Part of subcall function 00954669: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 009546C9

CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00952D2B
SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,00000002,00000000), ref: 00952D37
CreateMutexA.KERNEL32(00000000,00000001,?,00000104,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 00952DA5
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 00952DB4
CloseHandle.KERNEL32(BWCStartMSI,00000000,00000020,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 00952E01

Part of subcall function 00954495: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 009544F4
Part of subcall function 00954495: MessageBoxA.USER32(?,?,BWCStartMSI,00010010), ref: 00954530

Strings

VERCHECK, xrefs: 00952E4B
BWCStartMSI, xrefs: 00952CFB, 00952DD0, 00952DE7
INSTANCECHECK, xrefs: 00952D8C
EXTRACTOPT, xrefs: 00952D44
TITLE, xrefs: 00952D00

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: Resource$memset$CreateEventFindLoad$CloseErrorFreeHandleLastLockMessageMutexSizeofStringmemcpy_s
String ID: BWCStartMSI$EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK
API String ID: 1002816675-1030729922
Opcode ID: 56232269969538db71f88ee55393849a064ac0670bbe4eada833576409d5692d
Instruction ID: 4afdeba95d3fc9bf74bd5c8f5130e4b4e2ab22e83c6c1ee0c1272b09ad43107f
Opcode Fuzzy Hash: 56232269969538db71f88ee55393849a064ac0670bbe4eada833576409d5692d
Instruction Fuzzy Hash: 5D51A370358341AAEB60EB379C4BB7B269DDB87707F100425BD42DA1E1DAB4884DEB25

Function 00955933 Relevance: 19.7, APIs: 13, Instructions: 211
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 0095595E
SetCurrentDirectoryA.KERNELBASE(?), ref: 00955965
GetDiskFreeSpaceA.KERNELBASE(00000000,?,?,?,?,00000001), ref: 009559C9
MulDiv.KERNEL32(?,?,00000400), ref: 009559F6
GetVolumeInformationA.KERNELBASE(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00955A1A
memset.MSVCRT ref: 00955A32
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 00955A4E
FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 00955A5B
SetCurrentDirectoryA.KERNEL32(?,?,?,00000010,00000000), ref: 00955BB2

Part of subcall function 00954495: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 009544F4
Part of subcall function 00954495: MessageBoxA.USER32(?,?,BWCStartMSI,00010010), ref: 00954530

Part of subcall function 00956233: GetLastError.KERNEL32(00955B72), ref: 00956233

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: CurrentDirectory$ErrorLastMessage$DiskFormatFreeInformationLoadSpaceStringVolumememset
String ID:
API String ID: 4237285672-0
Opcode ID: 4055ac72b62ac069080209c24451ccc97cb8e551577b923df253551405905917
Instruction ID: d22d7fc4622bb67580a75019942acbd0ff852769cfc90861458359df0049d4df
Opcode Fuzzy Hash: 4055ac72b62ac069080209c24451ccc97cb8e551577b923df253551405905917
Instruction Fuzzy Hash: 3471D4B191460CAFEB25DF22DC99FFA77BCEB48346F4045A9F805D2141DA348F898B24

Function 00952F10 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 119
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000105), ref: 00952F86
LoadLibraryA.KERNEL32(?,advapi32.dll), ref: 00952FA5
GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 00952FB9
DecryptFileA.ADVAPI32 ref: 00952FD9
FreeLibrary.KERNEL32(00000000), ref: 00952FEB
SetCurrentDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 0095300F

Part of subcall function 009551A5: LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00952F40,?,00000002,00000000), ref: 009551C1

Strings

advapi32.dll, xrefs: 00952F8C
DecryptFileA, xrefs: 00952FB3
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00952FCE, 0095300A

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: DirectoryLibrary$AddressAllocCurrentDecryptFileFreeLoadLocalProcSystem
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DecryptFileA$advapi32.dll
API String ID: 2126469477-3632011670
Opcode ID: 434fdafdba6ba54470ab7b0202040749d777de2bf9edfe4ee852756ee241780d
Instruction ID: fb8f494d8ca2147ea8ee9330cdace6f0e9684e9d54ef0c84fa95aa2c22d8eb96
Opcode Fuzzy Hash: 434fdafdba6ba54470ab7b0202040749d777de2bf9edfe4ee852756ee241780d
Instruction Fuzzy Hash: 4241C130A243459AEB20EB33AD4576A77ACAB953D3F008129ED01D20D1EB70CE8DDB60

Function 00955423 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?,?,?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00955485
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 009554F9
RemoveDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0095552B

Part of subcall function 0095535F: RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 009553B9
Part of subcall function 0095535F: GetFileAttributesA.KERNELBASE(?), ref: 009553C0
Part of subcall function 0095535F: GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,IXP,00000000,?), ref: 009553DD
Part of subcall function 0095535F: DeleteFileA.KERNEL32(?), ref: 009553E9
Part of subcall function 0095535F: CreateDirectoryA.KERNEL32(?,00000000), ref: 009553F2

Strings

alpha, xrefs: 009554AC
i386, xrefs: 009554BA
ppc, xrefs: 009554A5
mips, xrefs: 009554B3
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00955439, 0095543D, 00955467, 009554D8, 009554F8, 00955524

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$alpha$i386$mips$ppc
API String ID: 1979080616-4226573791
Opcode ID: a6263eda4a31662e76fc9ccb6dca6ced370a590847e5e464fead6f0eff654bf7
Instruction ID: 5ed5ca42e26aa6798b394ba09b914189bc169d90e96e8540d163dbe6eb05050c
Opcode Fuzzy Hash: a6263eda4a31662e76fc9ccb6dca6ced370a590847e5e464fead6f0eff654bf7
Instruction Fuzzy Hash: 16314970B18B1097CB10DF3B9D65A7E76AEABC1353B46402AFC0693192EB74CD4E8355

Function 00952395 Relevance: 12.1, APIs: 8, Instructions: 93
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE(?,00958A3A,009511F4,00958A3A,00000000,?,?), ref: 009523FB
lstrcmpA.KERNEL32(?,009511F8), ref: 0095242C
lstrcmpA.KERNEL32(?,009511FC), ref: 00952440
SetFileAttributesA.KERNEL32(?,00000080,?), ref: 0095249A
DeleteFileA.KERNEL32(?), ref: 009524A8
FindNextFileA.KERNELBASE(00000000,00000010), ref: 009524B4
FindClose.KERNELBASE(00000000), ref: 009524C3
RemoveDirectoryA.KERNELBASE(00958A3A), ref: 009524CA

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 836429354-0
Opcode ID: ba21dc7ab1f469297162b8409f3d9efee55bd7f71cff2302c4ff1e008aaadd11
Instruction ID: fff29dfe1a4320ee9bf17140631180d932c7c5e7b6ec95a322ba9a379d8a0a4b
Opcode Fuzzy Hash: ba21dc7ab1f469297162b8409f3d9efee55bd7f71cff2302c4ff1e008aaadd11
Instruction Fuzzy Hash: BC31BE322187449BC320EF66CC89FEB73ACABC6307F04492DB955872A0EB74994DC756

Function 00953FDB Relevance: 10.6, APIs: 7, Instructions: 96
processsynchronizationwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?,?,?,00000000), ref: 0095401F
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00954035
GetExitCodeProcess.KERNELBASE(?,?), ref: 00954048
CloseHandle.KERNEL32(?), ref: 00954088
CloseHandle.KERNEL32(?), ref: 00954094
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 009540C8
FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 009540D5

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
String ID:
API String ID: 3183975587-0
Opcode ID: 87f94cf3fd310f274000cd553397ba9a541c566e914763dfa112b4364399eaaf
Instruction ID: b7b28de38b231dfc52ec1d5f97fbe6bba1ef133e4130ef88324fcfa731de54b7
Opcode Fuzzy Hash: 87f94cf3fd310f274000cd553397ba9a541c566e914763dfa112b4364399eaaf
Instruction Fuzzy Hash: EA319131654318ABEB60DB37DC49FAB777CEB9571AF200169FA05D21A0CA304D899B25

Function 00952BF2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,00000002,00000000,?,00956B50,00950000,00000000,00000002,0000000A), ref: 00952BFA
GetModuleHandleW.KERNEL32(Kernel32.dll,?,00956B50,00950000,00000000,00000002,0000000A), ref: 00952C0F
GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 00952C1F
CloseHandle.KERNEL32(00000000,?,?,00956B50,00950000,00000000,00000002,0000000A), ref: 00952C8F

Strings

Kernel32.dll, xrefs: 00952C0A
HeapSetInformation, xrefs: 00952C19

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: Handle$AddressCloseModuleProcVersion
String ID: HeapSetInformation$Kernel32.dll
API String ID: 62482547-3460614246
Opcode ID: 3dfed33a8690cecdf977b4301b632b1c0c370ad1f048f2b3c13ab00e220921a5
Instruction ID: 8140389e410a5e85ee078b75d45d256577b95f61cbb7bab946f3e96bac656a30
Opcode Fuzzy Hash: 3dfed33a8690cecdf977b4301b632b1c0c370ad1f048f2b3c13ab00e220921a5
Instruction Fuzzy Hash: 5E1106712243015BDB14EB77EC99B2F375D9B86397F050155FC82832A2DA70CC0D97A5

Function 00952033 Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 184
registrylibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00952059
memset.MSVCRT ref: 00952068
RegCreateKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 00952095

Part of subcall function 0095173E: _vsnprintf.MSVCRT ref: 00951770

RegQueryValueExA.KERNELBASE(?,wextract_cleanup0,00000000,00000000,00000000,?,?,?,?,?), ref: 009520D2
RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 009520F3
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0095210C
LoadLibraryA.KERNELBASE(?,advpack.dll,?,?,?,?), ref: 0095212B
GetProcAddress.KERNEL32(00000000,DelNodeRunDLL32), ref: 0095213D
FreeLibrary.KERNELBASE(00000000,?,?,?,?), ref: 0095214D
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00952164
GetModuleFileNameA.KERNEL32(?,00000104,?,?,?,?), ref: 00952195
LocalAlloc.KERNEL32(00000040,?,?,?,?,?), ref: 009521CA
RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 009521ED
RegSetValueExA.KERNELBASE(?,wextract_cleanup0,00000000,00000001,00000000,00000002,?,?,?,?,?,?,?,?,?), ref: 00952246
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00952252
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00952259

Strings

advpack.dll, xrefs: 00952112
wextract_cleanup0, xrefs: 009520AE, 009520C7, 009520F9, 0095223B
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 0095208B
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 009521B1, 0095220D
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 009521FF
DelNodeRunDLL32, xrefs: 00952137
%s /D:%s, xrefs: 00952208, 00952219
wextract_cleanup%d, xrefs: 009520A7

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup0
API String ID: 178549006-1171619124
Opcode ID: b7a5a5631e384c39bd93d48e31c27e6aa6df66497cd49c986ac0dab4276f4b58
Instruction ID: eaacbbac57c322cf99a8740da63fbe10a7a172c276b8f1a5493bc1da4541ab72
Opcode Fuzzy Hash: b7a5a5631e384c39bd93d48e31c27e6aa6df66497cd49c986ac0dab4276f4b58
Instruction Fuzzy Hash: 6051F671A18314ABDB20DB36DC49FEB776CEB96702F0002A4FE05E6191EA709E4D9B50

Function 0095555A Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 247
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00954669: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0095467A
Part of subcall function 00954669: SizeofResource.KERNEL32(00000000,00000000,?,00952D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00954683
Part of subcall function 00954669: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0095469D
Part of subcall function 00954669: LoadResource.KERNEL32(00000000,00000000,?,00952D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 009546A6
Part of subcall function 00954669: LockResource.KERNEL32(00000000,?,00952D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 009546AD
Part of subcall function 00954669: memcpy_s.MSVCRT ref: 009546BF
Part of subcall function 00954669: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 009546C9

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000), ref: 00955589
lstrcmpA.KERNEL32(00000000,<None>,00000000), ref: 009555F2
LocalFree.KERNEL32(00000000), ref: 00955606
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 009555DA

Part of subcall function 00954495: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 009544F4
Part of subcall function 00954495: MessageBoxA.USER32(?,?,BWCStartMSI,00010010), ref: 00954530

Part of subcall function 00956233: GetLastError.KERNEL32(00955B72), ref: 00956233

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 00955673
GetDriveTypeA.KERNEL32(0000005A,?,A:\), ref: 009556D8
GetFileAttributesA.KERNEL32(0000005A,?,A:\), ref: 009556F1
GetWindowsDirectoryA.KERNEL32(0000005A,00000104,00000000,?,A:\), ref: 00955787
GetFileAttributesA.KERNEL32(0000005A,msdownld.tmp,00000000,?,A:\), ref: 009557A9
CreateDirectoryA.KERNEL32(0000005A,00000000,?,A:\), ref: 009557BC

Part of subcall function 00952631: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000), ref: 00952655

SetFileAttributesA.KERNEL32(0000005A,00000002,?,A:\), ref: 009557EA

Part of subcall function 009564C3: FindResourceA.KERNEL32(00950000,000007D6,00000005), ref: 009564D6
Part of subcall function 009564C3: LoadResource.KERNEL32(00950000,00000000,?,?,00952EDF,00000000,00951A00,00000547,0000083E,?,?,?,?,?,?,?), ref: 009564E4
Part of subcall function 009564C3: DialogBoxIndirectParamA.USER32(00950000,00000000,00000547,00951A00,00000000), ref: 00956503
Part of subcall function 009564C3: FreeResource.KERNEL32(00000000,?,?,00952EDF,00000000,00951A00,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 0095650C

GetWindowsDirectoryA.KERNEL32(0000005A,00000104,?,A:\), ref: 00955832

Part of subcall function 00955933: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 0095595E
Part of subcall function 00955933: SetCurrentDirectoryA.KERNELBASE(?), ref: 00955965

Strings

msdownld.tmp, xrefs: 0095578D
<None>, xrefs: 009555EC
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00955668, 0095566D, 009557F7
Z, xrefs: 009556C4
RUNPROGRAM, xrefs: 00955577, 009555BA
A:\, xrefs: 009556AE

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: Resource$Directory$Free$AttributesFileFindLoadLocalWindows$Current$AllocCreateDialogDriveErrorIndirectLastLockMessageParamPathSizeofStringTempTypelstrcmpmemcpy_s
String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$RUNPROGRAM$Z$msdownld.tmp
API String ID: 2436801531-1124914566
Opcode ID: 512bdc8b19bf7acc188f59a40e3fa074cd2a406391b223ec9b637d8a6e538675
Instruction ID: 908c4f64d1ebaed181d5f0032a856c522e614ed5f707031dac50dbc71b94842c
Opcode Fuzzy Hash: 512bdc8b19bf7acc188f59a40e3fa074cd2a406391b223ec9b637d8a6e538675
Instruction Fuzzy Hash: EE812970A18A149BDB20EB378C65BEE766D9B95303F410065FE86D2192EF748DCECB10

Function 00954FA0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 121
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00954669: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0095467A
Part of subcall function 00954669: SizeofResource.KERNEL32(00000000,00000000,?,00952D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00954683
Part of subcall function 00954669: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0095469D
Part of subcall function 00954669: LoadResource.KERNEL32(00000000,00000000,?,00952D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 009546A6
Part of subcall function 00954669: LockResource.KERNEL32(00000000,?,00952D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 009546AD
Part of subcall function 00954669: memcpy_s.MSVCRT ref: 009546BF
Part of subcall function 00954669: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 009546C9

FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 00954FBE
LoadResource.KERNEL32(00000000,00000000), ref: 00954FC6
LockResource.KERNEL32(00000000), ref: 00954FCD
GetDlgItem.USER32(00000000,00000842), ref: 00954FF0
ShowWindow.USER32(00000000), ref: 00954FF7
GetDlgItem.USER32(00000841,00000005), ref: 0095500A
ShowWindow.USER32(00000000), ref: 00955011
FreeResource.KERNEL32(00000000,00000000,00000010,00000000), ref: 009550D1
SendMessageA.USER32(00000FA1,00000000,00000000,00000000), ref: 00955119

Strings

*MEMCAB, xrefs: 00955087
CABINET, xrefs: 00954FA6, 00954FB7

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
String ID: *MEMCAB$CABINET
API String ID: 1305606123-2642027498
Opcode ID: a1d1478d495665fa384f4b88ff7d065e4575fcd1423c9010fb8e883312b314fa
Instruction ID: 0dac4a3b55c5236f2c4940b8256a322aafaf759f2640c90a5133a44eab583fb0
Opcode Fuzzy Hash: a1d1478d495665fa384f4b88ff7d065e4575fcd1423c9010fb8e883312b314fa
Instruction Fuzzy Hash: 8C31F57065CB11AFE760DF33AC8AF67365CAB8574BF000114FD09A21E1DAB48C49A765

Function 0095535F Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0095173E: _vsnprintf.MSVCRT ref: 00951770

RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 009553B9
GetFileAttributesA.KERNELBASE(?), ref: 009553C0
GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,IXP,00000000,?), ref: 009553DD
DeleteFileA.KERNEL32(?), ref: 009553E9
CreateDirectoryA.KERNEL32(?,00000000), ref: 009553F2
CreateDirectoryA.KERNELBASE(?,00000000), ref: 0095540E

Strings

IXP, xrefs: 009553D7
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00955375, 0095539F, 009553DC
IXP%03d.TMP, xrefs: 0095537E

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$IXP$IXP%03d.TMP
API String ID: 1082909758-112269632
Opcode ID: d55e3ffb5b0725fbcbb3a50bf43fb070460e5b613758253d395f09955f479224
Instruction ID: 7eeb0614fc8920f9e4af2034d43165b32d07b73b3c4f952d0f663039e071abcd
Opcode Fuzzy Hash: d55e3ffb5b0725fbcbb3a50bf43fb070460e5b613758253d395f09955f479224
Instruction Fuzzy Hash: C9112F30324600A7D320EB379C08FAF366CDFC2313F000115FA46D21D0DAB88E8A8369

Function 00952570 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 74
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Control\Session Manager,00000000,00020019,?,00000000,?,?,?,00951EE3,00000001,00000000,00954121,?,00954082), ref: 009525B5
RegQueryValueExA.KERNELBASE(?,PendingFileRenameOperations,00000000,00000000,00000000,?,?,00951EE3,00000001,00000000,00954121,?,00954082), ref: 009525CE
RegCloseKey.KERNELBASE(?,?,00951EE3,00000001,00000000,00954121,?,00954082), ref: 009525E0
RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Session Manager\FileRenameOperations,00000000,00020019,?,00000000,?,?,?,00951EE3,00000001,00000000,00954121,?,00954082), ref: 00952602
RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00951EE3,00000001,00000000), ref: 0095261D

Strings

PendingFileRenameOperations, xrefs: 009525C6
System\CurrentControlSet\Control\Session Manager, xrefs: 009525AB
System\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 009525F8

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: OpenQuery$CloseInfoValue
String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
API String ID: 2209512893-559176071
Opcode ID: 6b2ac9d2191dba95ecb46465d68055fbdaf017c13c84cb81e42cdf6b9892f15c
Instruction ID: c9824056358c997b232a24fd7606fea314f9de3b437b4e9efba596330b38b848
Opcode Fuzzy Hash: 6b2ac9d2191dba95ecb46465d68055fbdaf017c13c84cb81e42cdf6b9892f15c
Instruction Fuzzy Hash: 8E118275916228BB9B20DBA39C09DEB7E7CEF467A7F400051FC05A2040D6704A49E7A1

Function 00955880 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 73
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNEL32(00000040,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,009554F0,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0095589F
CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000001,04000080,00000000,TMP4351$.TMP,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,009554F0,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 009558F9
LocalFree.KERNEL32(00000000,?,009554F0,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00955903
CloseHandle.KERNEL32(00000000,?,009554F0,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00955912
GetFileAttributesA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,009554F0,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00955919

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00955885, 00955887, 009558CF, 00955918
TMP4351$.TMP, xrefs: 009558D9

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: FileLocal$AllocAttributesCloseCreateFreeHandle
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$TMP4351$.TMP
API String ID: 747627703-1619695125
Opcode ID: f9bd3a0eb212b0c9906bf326854c86ccb9f039def4495702ec733d018473220f
Instruction ID: 4e7e9880264d09eda16e17f86c3ae62ebf7b641905ad40c469854ed40662da17
Opcode Fuzzy Hash: f9bd3a0eb212b0c9906bf326854c86ccb9f039def4495702ec733d018473220f
Instruction Fuzzy Hash: 481134717197106BD7209F7B5C0DB9B7E9DDF86762F100618BA06D31C2DA70DC0A83A4

Function 00956A00 Relevance: 12.1, APIs: 8, Instructions: 144
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00957105: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00957132
Part of subcall function 00957105: GetCurrentProcessId.KERNEL32 ref: 00957141
Part of subcall function 00957105: GetCurrentThreadId.KERNEL32 ref: 0095714A
Part of subcall function 00957105: GetTickCount.KERNEL32 ref: 00957153
Part of subcall function 00957105: QueryPerformanceCounter.KERNEL32(?), ref: 00957168

GetStartupInfoW.KERNEL32(?,00957268,00000058), ref: 00956A1F
Sleep.KERNEL32(000003E8), ref: 00956A54
_amsg_exit.MSVCRT ref: 00956A69
_initterm.MSVCRT ref: 00956ABD
exit.KERNELBASE ref: 00956B5F
_ismbblead.MSVCRT ref: 00956B7A

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: CurrentTime$CountCounterFileInfoPerformanceProcessQuerySleepStartupSystemThreadTick_amsg_exit_initterm_ismbbleadexit
String ID:
API String ID: 626344529-0
Opcode ID: e0a525b71fd77cfcb20a93bd139fec357f915c5d4229734b54a5a50913809593
Instruction ID: 7d70fc24a78dbb2f62b6ef9d50e2708ff2b9b40de169da2fb1d72f926d9ffafc
Opcode Fuzzy Hash: e0a525b71fd77cfcb20a93bd139fec357f915c5d4229734b54a5a50913809593
Instruction Fuzzy Hash: 2041EF31A1C7658FDB21DF6BEC0576ABBE8EB84723F90412AED51E3290CB744848DB41

Function 009551A5 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00954669: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0095467A
Part of subcall function 00954669: SizeofResource.KERNEL32(00000000,00000000,?,00952D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00954683
Part of subcall function 00954669: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0095469D
Part of subcall function 00954669: LoadResource.KERNEL32(00000000,00000000,?,00952D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 009546A6
Part of subcall function 00954669: LockResource.KERNEL32(00000000,?,00952D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 009546AD
Part of subcall function 00954669: memcpy_s.MSVCRT ref: 009546BF
Part of subcall function 00954669: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 009546C9

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00952F40,?,00000002,00000000), ref: 009551C1
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00955210

Part of subcall function 00954495: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 009544F4
Part of subcall function 00954495: MessageBoxA.USER32(?,?,BWCStartMSI,00010010), ref: 00954530

Part of subcall function 00956233: GetLastError.KERNEL32(00955B72), ref: 00956233

Strings

<None>, xrefs: 00955222
UPROMPT, xrefs: 009551AF, 009551F0

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
String ID: <None>$UPROMPT
API String ID: 957408736-2980973527
Opcode ID: 0bc82e1b0055a774ad820bcce551ca0d4182ef0eb8685e8cd411cc331f2e5c22
Instruction ID: ac36f3cfa82932662e5bf2d3ef3ce86c85f0dfac771137404589829babe75e31
Opcode Fuzzy Hash: 0bc82e1b0055a774ad820bcce551ca0d4182ef0eb8685e8cd411cc331f2e5c22
Instruction Fuzzy Hash: 011156B1218700BBE760EB735C59F3B209DDBC934BF11402DFE02DA191DA788C082728

Function 00955276 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64fileCOMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(034A4CC0,00000080,?,00000000), ref: 009552B2
DeleteFileA.KERNELBASE(034A4CC0), ref: 009552BA
LocalFree.KERNEL32(034A4CC0,?,00000000), ref: 009552C5
LocalFree.KERNEL32(034A4CC0), ref: 009552CC
SetCurrentDirectoryA.KERNELBASE(009511FC,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 00955323

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 009552F4

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: FileFreeLocal$AttributesCurrentDeleteDirectory
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 2833751637-816172423
Opcode ID: 501ea542320dff4c79421677c95b1fc5d995ee94d15034241adb9e3c74b390ec
Instruction ID: 70d3b16a4c669fbb1764e3feb4ada5172ed391e51c3f0db8feb0109f6d914e00
Opcode Fuzzy Hash: 501ea542320dff4c79421677c95b1fc5d995ee94d15034241adb9e3c74b390ec
Instruction Fuzzy Hash: 0621DE31538B14DBEB20DF23ED29B693BA8AB44347F410119EC86A21A1CFB05C8CEB50

Function 00951FEC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00020006,0095534C,?,?,0095534C), ref: 00952010
RegDeleteValueA.KERNELBASE(0095534C,wextract_cleanup0,?,?,0095534C), ref: 00952022
RegCloseKey.ADVAPI32(0095534C,?,?,0095534C), ref: 0095202B

Strings

wextract_cleanup0, xrefs: 00951FF2, 0095201A
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00952006

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup0
API String ID: 849931509-702805525
Opcode ID: cad959f268f6c3ac3c0c5a7acfeae6eb8eb8bc16a699c70bb1623ba9c65961bf
Instruction ID: 53be1d937a7b1e0c8ddcce0d9b3c9c9b6dcc32cfb665c765e47b698c26505252
Opcode Fuzzy Hash: cad959f268f6c3ac3c0c5a7acfeae6eb8eb8bc16a699c70bb1623ba9c65961bf
Instruction Fuzzy Hash: 87E04F30534314BBDB20CBB3AC4AF5E7A69E751786F200194FA01B00E0EB609A48E709

Function 00954CA0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(?,?,?,?), ref: 00954D85
SetDlgItemTextA.USER32(00000000,00000837,?), ref: 00954DAD

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00954D06, 00954DB3

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: AttributesFileItemText
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 3625706803-816172423
Opcode ID: acebb6489c107f8ac0267aaee0cf7368628f4dbbe78d2f01f57632a1e2b5238e
Instruction ID: 9832e324e67d34acfbc60ad6afc66b855c84c2da08148d2ffee255bb95409ee4
Opcode Fuzzy Hash: acebb6489c107f8ac0267aaee0cf7368628f4dbbe78d2f01f57632a1e2b5238e
Instruction Fuzzy Hash: 774144312046019ACBA1DF3ACD447FA73B9AB8530AF144668ECD697195DB31EACECB10

Function 00954C07 Relevance: 4.5, APIs: 3, Instructions: 38timeCOMMON

Download Yara Rule

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00954C24
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00954C36
SetFileTime.KERNELBASE(?,?,?,?), ref: 00954C4E

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: Time$File$DateLocal
String ID:
API String ID: 2071732420-0
Opcode ID: 6325fbbda7fc600f60ab83b913c5197cbde63fb362e98df04812aabc1e6f38ef
Instruction ID: 182b51ddf4e9c185f31ddca46c4c10d7172136fc6962b392412af1507bd1837e
Opcode Fuzzy Hash: 6325fbbda7fc600f60ab83b913c5197cbde63fb362e98df04812aabc1e6f38ef
Instruction Fuzzy Hash: 20F02472614308AF9B54DBB3CC08DFF7BFCEB8530A700452AA866D1090FA30E948D761

Function 00954854 Relevance: 3.1, APIs: 2, Instructions: 59fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00008000,-80000000,00000000,00000000,?,00000080,00000000,00000000,00000000,00000000,009549F3,?,00954F35,*MEMCAB,00008000,00000180), ref: 009548B8
CreateFileA.KERNEL32(00008000,-80000000,00000000,00000000,?,00000080,00000000,?,00954F35,*MEMCAB,00008000,00000180), ref: 009548DC

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eba934f8bd6e8c44ecada687e04d2cb0ee5e085f37bc076d7342ecd09450609b
Instruction ID: 237f0986801001e616609027aeaf1daf29bca7f31c2447ad56fbae4439a8383f
Opcode Fuzzy Hash: eba934f8bd6e8c44ecada687e04d2cb0ee5e085f37bc076d7342ecd09450609b
Instruction Fuzzy Hash: EF01ADA3E1997026F364802A8C48FF7440CDBD673AF1A0730BFAAE71C1D6644C4892E0

Function 00954AA0 Relevance: 3.0, APIs: 2, Instructions: 47fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00953670: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 0095368F
Part of subcall function 00953670: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 009536A2
Part of subcall function 00953670: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 009536CA

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00954AD5

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: MessagePeek$FileMultipleObjectsWaitWrite
String ID:
API String ID: 1084409-0
Opcode ID: 0555d6997f5d10ced89736742b84aacc81bea31186ff4963f5f25b81f74a0f6d
Instruction ID: 218f7867bac215829cc078faa86aa9d6d8e56291551e67dad80339bcdc10f838
Opcode Fuzzy Hash: 0555d6997f5d10ced89736742b84aacc81bea31186ff4963f5f25b81f74a0f6d
Instruction Fuzzy Hash: 3C01D2312283019BDB44CF2BEC05BA63768F74472BF148225FD259A1F0DB30C856DB40

Function 00956534 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

CharPrevA.USER32(00958B3E,00958B3F,00000001,00958B3E,-00000003,?,0095609E,00951140,?), ref: 00956564

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: 7db9ec2a07fa89f42328ec91a7bf7d66deeec58031794f4046b19c3d4efb1eaa
Instruction ID: cace41270b74a17d78af5238081fb464c4b18fc35e204fbc46e14d87bb496afa
Opcode Fuzzy Hash: 7db9ec2a07fa89f42328ec91a7bf7d66deeec58031794f4046b19c3d4efb1eaa
Instruction Fuzzy Hash: EEF07D329082405BD321891F9884BA6BFDE9B85392F64015AFCD983205E5554C0BC3A4

Function 009561CE Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 009561EF

Part of subcall function 00954495: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 009544F4
Part of subcall function 00954495: MessageBoxA.USER32(?,?,BWCStartMSI,00010010), ref: 00954530

Part of subcall function 00956233: GetLastError.KERNEL32(00955B72), ref: 00956233

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: DirectoryErrorLastLoadMessageStringWindows
String ID:
API String ID: 381621628-0
Opcode ID: a0bdac9b4adb8b7849b0d8de99c140a4824f1f9689d14dfabadf1d086d838dd1
Instruction ID: 9dce2c570e3f351f30d1edef09f8748f8cc982bfaa0db895b32a900ff675dc2c
Opcode Fuzzy Hash: a0bdac9b4adb8b7849b0d8de99c140a4824f1f9689d14dfabadf1d086d838dd1
Instruction Fuzzy Hash: 56F0E970758204ABEB50EB378D02BBE36ACCB84306F800069AA82D70C2DDB499499750

Function 00956656 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,00954751,?,00954E08,?), ref: 00956659

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 69128fcdae5977ca1b1ed11223033a6174b7a4086a20d69006ab75265ba4d32b
Instruction ID: fe60c117d241f496b30aaf642c9559eb1051bb717ce0eae6d91ccaa9d33f0415
Opcode Fuzzy Hash: 69128fcdae5977ca1b1ed11223033a6174b7a4086a20d69006ab75265ba4d32b
Instruction Fuzzy Hash: 16B092B6132580026A2046327C1995A2C45B6C273BBE41B90F032C10E0CA3EC84AE206

Function 00954B30 Relevance: 1.3, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,00000000,00000000,?,00954F6F,00000000), ref: 00954B68

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 37713b1217fd5f18b86d253a0d30db09555e181476f9ebe0e0624b24d9e8db05
Instruction ID: cae9c28b38dc222e234ed107eab5e0991e379e607c9b079337ceb516ac3d351a
Opcode Fuzzy Hash: 37713b1217fd5f18b86d253a0d30db09555e181476f9ebe0e0624b24d9e8db05
Instruction Fuzzy Hash: 83F01271504B089E47B1CF3BAC00617BBF8AAA5363310092ED46EE21D0FB30A455DB94

Function 00954C70 Relevance: 1.3, APIs: 1, Instructions: 8memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000000,?), ref: 00954C7A

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 6ac4980bac76afb3bb8d27f428f7931ab5db32676fa4ca724f71ec1c254ba70b
Instruction ID: 0d7d696fcc8963575b12a23d7689008efcc9982e2a8ce4a080c8c02e5b700304
Opcode Fuzzy Hash: 6ac4980bac76afb3bb8d27f428f7931ab5db32676fa4ca724f71ec1c254ba70b
Instruction Fuzzy Hash: 54B0123205830CB7CF001FD3EC09F863F1DE7C5772F140000F60C450908A729410979A

Function 00954C90 Relevance: 1.3, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GlobalFree.KERNELBASE(?), ref: 00954C98

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 1afb5f1b1368003238d17476edf1935f630a8e32e48b2a18c3e49459d7efca3b
Instruction ID: 962587618eb4cecbe794e6ee2ecb730ba18cadf73a2533314f75961bab4594e9
Opcode Fuzzy Hash: 1afb5f1b1368003238d17476edf1935f630a8e32e48b2a18c3e49459d7efca3b
Instruction Fuzzy Hash: 38B0123101420CB78F001B53EC088453F1DD6C12717000010F60C410218B3398119689

Non-executed Functions

Function 00955C50 Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 421COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,00000000,?,?), ref: 00955CA0
GetModuleFileNameA.KERNEL32(00958B3E,00000104,00000000,?,?), ref: 00955DAE
CharUpperA.USER32(?), ref: 00955DF0
CharUpperA.USER32(-00000052), ref: 00955E93
CompareStringA.KERNEL32(0000007F,00000001,RegServer,000000FF,?,000000FF), ref: 00955F21
CharUpperA.USER32(?), ref: 00955F59
CharUpperA.USER32(-0000004E), ref: 00955FBA
CharUpperA.USER32(?), ref: 0095605C
CloseHandle.KERNEL32(00000000,00951140,00000000,00000040,00000000), ref: 009561A3
ExitProcess.KERNEL32 ref: 009561AA

Strings

", xrefs: 009560DF
RegServer, xrefs: 00955F18
:, xrefs: 009560CA
", xrefs: 00955D2A

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
String ID: "$"$:$RegServer
API String ID: 1203814774-25366791
Opcode ID: 409f72890d158aff07ae94477d29eac823f85046b9a5c64b0f0974ecea7c38b8
Instruction ID: 294b02ee88cb870edbaf3f5c709437aa89d93f8c0ce2e5df053df40c753a51ba
Opcode Fuzzy Hash: 409f72890d158aff07ae94477d29eac823f85046b9a5c64b0f0974ecea7c38b8
Instruction Fuzzy Hash: B3D15B31A18F445ADF31CB3B8C693BA3B699B52307F560599CCC6D7192DA748E8E8B00

Function 009518C1 Relevance: 16.6, APIs: 11, Instructions: 111memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0095180E: LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,009518FB), ref: 0095183A
Part of subcall function 0095180E: GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0095184C
Part of subcall function 0095180E: AllocateAndInitializeSid.ADVAPI32(009518FB,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,009518FB), ref: 00951875
Part of subcall function 0095180E: FreeSid.ADVAPI32(?,?,?,?,009518FB), ref: 009518A3
Part of subcall function 0095180E: FreeLibrary.KERNEL32(00000000,?,?,?,009518FB), ref: 009518AA

GetCurrentProcess.KERNEL32(00000008,?,00000000,00000001), ref: 00951909
OpenProcessToken.ADVAPI32(00000000), ref: 00951910
GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 00951928
GetLastError.KERNEL32 ref: 00951936
LocalAlloc.KERNEL32(00000000,?,?), ref: 0095194A
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 00951962
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00951982
EqualSid.ADVAPI32(00000004,?), ref: 00951998
FreeSid.ADVAPI32(?), ref: 009519BA
LocalFree.KERNEL32(00000000), ref: 009519C1
CloseHandle.KERNEL32(?), ref: 009519CB

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
String ID:
API String ID: 2168512254-0
Opcode ID: 22e4e95a3d29e5a51d5fe1d87f9a66b7bfe2620a2469c17ea85b60310c277d36
Instruction ID: f3b10bc0e1d4e2fa4524a53492cd15cceb52e35b08fcc1b6a48b7e5ac7a555a6
Opcode Fuzzy Hash: 22e4e95a3d29e5a51d5fe1d87f9a66b7bfe2620a2469c17ea85b60310c277d36
Instruction Fuzzy Hash: 0C313A35A14309AFDB10DFA7EC59AAF7BBCFF45746F100528E941E2190DB309908DB65

Function 00951F9B Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 93shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?,?), ref: 00951F08
OpenProcessToken.ADVAPI32(00000000), ref: 00951F0F
ExitWindowsEx.USER32(00000002,00000000), ref: 00951FDE

Strings

SeShutdownPrivilege, xrefs: 00951F35

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: Process$CurrentExitOpenTokenWindows
String ID: SeShutdownPrivilege
API String ID: 2795981589-3733053543
Opcode ID: dc50daf1fd8ff5242c60f3da254486fc2f74a81f6cd3804d5b088e973ea55ffe
Instruction ID: 6ab0806f3b0e06d72607c7fe9106e1c79a7d013d5f6855fe3d07daac8acac287
Opcode Fuzzy Hash: dc50daf1fd8ff5242c60f3da254486fc2f74a81f6cd3804d5b088e973ea55ffe
Instruction Fuzzy Hash: 9621A671A54205ABDB20DBA39C4AFBF7ABDDB85757F100119FE02E61C0C7748849A725

Function 00957105 Relevance: 7.6, APIs: 5, Instructions: 50timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00957132
GetCurrentProcessId.KERNEL32 ref: 00957141
GetCurrentThreadId.KERNEL32 ref: 0095714A
GetTickCount.KERNEL32 ref: 00957153
QueryPerformanceCounter.KERNEL32(?), ref: 00957168

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: da39c192d1ef812209a3c50409ddf71f2c511492d905cca1b648434af969c3ca
Instruction ID: 69a45d57f99f89b988ff84fd0ecf7576c805abc16f15a8c38911f041b19fe048
Opcode Fuzzy Hash: da39c192d1ef812209a3c50409ddf71f2c511492d905cca1b648434af969c3ca
Instruction Fuzzy Hash: 30113A71D28608EFCB10DBBAEA4869EB7F4EF48316F914955D802E7250EA309B049B44

Function 00956C90 Relevance: 6.0, APIs: 4, Instructions: 13COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00956DC6,00951000), ref: 00956C97
UnhandledExceptionFilter.KERNEL32(?,?,00956DC6,00951000), ref: 00956CA0
GetCurrentProcess.KERNEL32(C0000409,?,00956DC6,00951000), ref: 00956CAB
TerminateProcess.KERNEL32(00000000,?,00956DC6,00951000), ref: 00956CB2

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: d1772e385e817f7c5fe926242ba208baf43d67e482441ab1b4580cccedbd7641
Instruction ID: 85c497ce8287c812da336d22eacd78d30d188f57eb150cc14ecc3fb495c923ae
Opcode Fuzzy Hash: d1772e385e817f7c5fe926242ba208baf43d67e482441ab1b4580cccedbd7641
Instruction Fuzzy Hash: AAD0C93201CB08BBDB002BF3EC0CA593F28EB48223F444100F31982020CA325851AB5A

Function 00953200 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 188windowCOMMON

Download Yara Rule

APIs

LoadStringA.USER32(000003E8,00958598,00000200), ref: 00953261
GetDesktopWindow.USER32 ref: 009533D2
SetWindowTextA.USER32(?,BWCStartMSI), ref: 009533E7
SendDlgItemMessageA.USER32(?,00000835,000000C5,00000103,00000000), ref: 00953400
GetDlgItem.USER32(?,00000836), ref: 00953416
EnableWindow.USER32(00000000), ref: 0095341D
EndDialog.USER32(?,00000000), ref: 0095342F

Strings

BWCStartMSI, xrefs: 009533E1
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 009532D2, 009532D7, 00953321, 00953334, 0095334B, 0095335A

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: Window$Item$DesktopDialogEnableLoadMessageSendStringText
String ID: BWCStartMSI$C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 2418873061-1324072528
Opcode ID: acc7f64d7659391cc322183195cdd98d918ad6e4a5aa55dbe17acdd78eb66b83
Instruction ID: 8c903aca56744d4e2a83436dfa956995a8f4f5c07d126d004bf3bf289a8ef55a
Opcode Fuzzy Hash: acc7f64d7659391cc322183195cdd98d918ad6e4a5aa55dbe17acdd78eb66b83
Instruction Fuzzy Hash: F151F220398750BAEB22DF375C4DF7B2B5D9B86787F50C528FE05A50E0CA748A09A365

Function 009534E0 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 119threadwindowCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(00000000), ref: 00953525
EndDialog.USER32(?,?), ref: 00953531
ResetEvent.KERNEL32 ref: 0095354F
SetEvent.KERNEL32(00951140,00000000,00000020,00000004), ref: 00953580
GetDesktopWindow.USER32 ref: 009535B7
GetDlgItem.USER32(?,0000083B), ref: 009535E1
SendMessageA.USER32(00000000), ref: 009535E8
GetDlgItem.USER32(?,0000083B), ref: 00953600
SendMessageA.USER32(00000000), ref: 00953607
SetWindowTextA.USER32(?,BWCStartMSI), ref: 00953613
CreateThread.KERNEL32(00000000,00000000,Function_00004FA0,00000000,00000000,00958798), ref: 00953627
EndDialog.USER32(?,00000000), ref: 00953661

Strings

BWCStartMSI, xrefs: 0095360D

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: DialogEventItemMessageSendThreadWindow$CreateDesktopResetTerminateText
String ID: BWCStartMSI
API String ID: 2406144884-3637052039
Opcode ID: e9ca2bbdc82bf02ce3ddb1a5e51b8447511771021806ff79bc007251c88f9a71
Instruction ID: be7122ec1de02440f0894cd910c149328b3f868545a02a40f6b1559c04bfca58
Opcode Fuzzy Hash: e9ca2bbdc82bf02ce3ddb1a5e51b8447511771021806ff79bc007251c88f9a71
Instruction Fuzzy Hash: E831863115C301BBD7209F27EC4EE273B68E785B83F20C529FA15952A0DA758905EB59

Function 00954204 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 131libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000001), ref: 00954216
GetProcAddress.KERNEL32(00000000,SHBrowseForFolder), ref: 0095422C
GetProcAddress.KERNEL32(00000000,000000C3), ref: 00954243
GetProcAddress.KERNEL32(00000000,SHGetPathFromIDList), ref: 0095425A
GetTempPathA.KERNEL32(00000104,009588C0,?,00000001), ref: 0095427F
CharPrevA.USER32(009588C0,012B1181,?,00000001), ref: 009542A2
CharPrevA.USER32(009588C0,00000000,?,00000001), ref: 009542B6
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 00954371
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 00954385

Strings

SHELL32.DLL, xrefs: 0095420F
SHGetPathFromIDList, xrefs: 00954254
SHBrowseForFolder, xrefs: 00954226

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
API String ID: 1865808269-1731843650
Opcode ID: f76d9dd4a2e4c1b4d01e3e1b678cf1bf990b79bb3c2c1939669dba552e868afa
Instruction ID: d2841e0ba63d5e3534766c0f692ff546db9f6e0ff97804b11725e1f6d56508c2
Opcode Fuzzy Hash: f76d9dd4a2e4c1b4d01e3e1b678cf1bf990b79bb3c2c1939669dba552e868afa
Instruction Fuzzy Hash: A541F370A14300AFD711DF739C89A6E7FA8EB4534AF040269EE11B72A1CB748D49DB65

Function 00954495 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 159memorywindowCOMMON

Download Yara Rule

APIs

LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 009544F4
MessageBoxA.USER32(?,?,BWCStartMSI,00010010), ref: 00954530
LocalAlloc.KERNEL32(00000040,00000065), ref: 0095457F
LocalAlloc.KERNEL32(00000040,00000065), ref: 009545BF
LocalAlloc.KERNEL32(00000040,00000002), ref: 009545E9
MessageBeep.USER32(00000000), ref: 0095460C
MessageBoxA.USER32(?,00000000,BWCStartMSI,00000000), ref: 00954642
LocalFree.KERNEL32(00000000), ref: 0095464B

Part of subcall function 009567CB: GetVersionExA.KERNEL32(?,00000000,00000002), ref: 0095681A
Part of subcall function 009567CB: GetSystemMetrics.USER32(0000004A), ref: 00956853
Part of subcall function 009567CB: RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 00956878
Part of subcall function 009567CB: RegQueryValueExA.ADVAPI32(?,00951140,00000000,?,?,?), ref: 009568A0
Part of subcall function 009567CB: RegCloseKey.ADVAPI32(?), ref: 009568AE

Strings

BWCStartMSI, xrefs: 00954521, 00954636
LoadString() Error. Could not load string resource., xrefs: 009544C0

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: Local$AllocMessage$BeepCloseFreeLoadMetricsOpenQueryStringSystemValueVersion
String ID: BWCStartMSI$LoadString() Error. Could not load string resource.
API String ID: 3244514340-3358035227
Opcode ID: e9eb171a1c7577c4767b4cd8f66dc87f25b444f9b0b25fc81e396ffc747fbf9e
Instruction ID: 22d5e74d7ff8cc6c7a4f3bc092f1488d9024008d3a049c81bfe3217a9bfa4cb8
Opcode Fuzzy Hash: e9eb171a1c7577c4767b4cd8f66dc87f25b444f9b0b25fc81e396ffc747fbf9e
Instruction Fuzzy Hash: DA511871905215AFDB21DF26DC08BAA7B79EF8530AF100194FD09A7241DB31DE4EDB60

Function 00952770 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113registryCOMMON

Download Yara Rule

APIs

CharUpperA.USER32(8005F836,00000000,00000000,00000000), ref: 009527A5
CharNextA.USER32(?), ref: 009527B2
CharNextA.USER32(00000000), ref: 009527B9
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00952826
RegQueryValueExA.ADVAPI32(?,00951140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 0095284F
ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 0095286D
RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 0095289D
GetWindowsDirectoryA.KERNEL32(-00000005,00000104), ref: 009528A7
GetSystemDirectoryA.KERNEL32(-00000005,00000104), ref: 009528B6

Strings

Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 009527E1

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
API String ID: 2659952014-2428544900
Opcode ID: d50723f4a2c8b661d56e7851f1c4945c624e5963ac426ae023fa07d05805a08e
Instruction ID: 6744a26d5e114e2905ecc838ca6733d133720e3a8eb4dad6a3414d96bd411877
Opcode Fuzzy Hash: d50723f4a2c8b661d56e7851f1c4945c624e5963ac426ae023fa07d05805a08e
Instruction Fuzzy Hash: F541D670A1411CAFDB24DB66DC85AEE7BBDEF56702F0000A9FA45E2140DB708E89DF65

Function 0095226E Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 87registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,0002001F,?,00000001), ref: 009522AA
RegQueryValueExA.ADVAPI32(?,wextract_cleanup0,00000000,00000000,?,?,00000001), ref: 009522DF
memset.MSVCRT ref: 009522FC
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0095230C
RegSetValueExA.ADVAPI32(?,wextract_cleanup0,00000000,00000001,?,?), ref: 00952375
RegCloseKey.ADVAPI32(?), ref: 00952381

Strings

wextract_cleanup0, xrefs: 00952283, 009522D4, 0095236A
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 009522A0
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00952328
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 00952334

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: Value$CloseDirectoryOpenQuerySystemmemset
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup0
API String ID: 3027380567-1146919470
Opcode ID: d62a303ef648ce663eee9e3b9f4c526d3f6744321a811aed8551ecac1ce383e1
Instruction ID: 1af96c892301d2720a652a7613c315531b3927971536aed55624ec7423ceb42f
Opcode Fuzzy Hash: d62a303ef648ce663eee9e3b9f4c526d3f6744321a811aed8551ecac1ce383e1
Instruction Fuzzy Hash: E131D471A14218ABCB21DB22DC49FDB7B7CEF55706F0001E9F90DA6080EA70AB8CCB50

Function 009530F0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 70windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000000), ref: 0095312B
GetDesktopWindow.USER32 ref: 0095313B
SetDlgItemTextA.USER32(?,00000834), ref: 0095315A
SetWindowTextA.USER32(?,BWCStartMSI), ref: 00953166
SetForegroundWindow.USER32(?), ref: 0095316D
GetDlgItem.USER32(?,00000834), ref: 00953175
GetWindowLongA.USER32(00000000,000000FC), ref: 00953180
SetWindowLongA.USER32(00000000,000000FC,009530B0), ref: 00953193
SendDlgItemMessageA.USER32(?,00000834,000000B1,000000FF,00000000), ref: 009531BA

Strings

BWCStartMSI, xrefs: 00953160

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
String ID: BWCStartMSI
API String ID: 3785188418-3637052039
Opcode ID: 860a13ea8992c8ad61493b3dea1f0cd0cbca95d6758188612cce52fcc747cfb2
Instruction ID: 3c3827dc786b7caff5deb960c33c89c8b8067d270267ced113aaae32423bdd18
Opcode Fuzzy Hash: 860a13ea8992c8ad61493b3dea1f0cd0cbca95d6758188612cce52fcc747cfb2
Instruction Fuzzy Hash: 8D11C03115CB15BBDB119B379C0DB5A3B68FB4A367F008610FD21A11E0DB748A45E74A

Function 00954669 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0095467A
SizeofResource.KERNEL32(00000000,00000000,?,00952D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00954683
FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0095469D
LoadResource.KERNEL32(00000000,00000000,?,00952D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 009546A6
LockResource.KERNEL32(00000000,?,00952D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 009546AD
memcpy_s.MSVCRT ref: 009546BF
FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 009546C9

Strings

BWCStartMSI, xrefs: 009546BE
TITLE, xrefs: 00954677, 0095469A

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
String ID: BWCStartMSI$TITLE
API String ID: 3370778649-3323271489
Opcode ID: 87bcfce1162d7f3b7320b37d59b34d88dbc49838a7d05583dd9e4e1db5eb62b8
Instruction ID: 74c93a4d99902171f1721af845fda9a2f2533aeee163dbefe2bd76b14c87c88f
Opcode Fuzzy Hash: 87bcfce1162d7f3b7320b37d59b34d88dbc49838a7d05583dd9e4e1db5eb62b8
Instruction Fuzzy Hash: 6B01A9322593107BE35017A7AC4DF6B7E2DEBC6B67F040114FE0596190C9718C94977A

Function 0095180E Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 70librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,009518FB), ref: 0095183A
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0095184C
AllocateAndInitializeSid.ADVAPI32(009518FB,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,009518FB), ref: 00951875
FreeSid.ADVAPI32(?,?,?,?,009518FB), ref: 009518A3
FreeLibrary.KERNEL32(00000000,?,?,?,009518FB), ref: 009518AA

Strings

advapi32.dll, xrefs: 00951830
CheckTokenMembership, xrefs: 00951846

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: FreeLibrary$AddressAllocateInitializeLoadProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 4204503880-1888249752
Opcode ID: a950dd544fbccc55b9d68df251db2e4e323761901ffa9aee0466a89d6f07031b
Instruction ID: 5ac6e3e519de8f759f42c44f0b1bfcc22b1e2e285da6e13994a477b4f1e36a32
Opcode Fuzzy Hash: a950dd544fbccc55b9d68df251db2e4e323761901ffa9aee0466a89d6f07031b
Instruction Fuzzy Hash: 16118131E24305ABDB109FB6DC49BBEBBB8EF45712F100129EA11E2290DA709D049B55

Function 00953440 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

EndDialog.USER32(?,?), ref: 00953480
GetDesktopWindow.USER32 ref: 0095348A
SetWindowTextA.USER32(?,BWCStartMSI), ref: 009534A2
SetDlgItemTextA.USER32(?,00000838), ref: 009534B4
SetForegroundWindow.USER32(?), ref: 009534BB
EndDialog.USER32(?,00000002), ref: 009534C8

Strings

BWCStartMSI, xrefs: 0095349C

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: Window$DialogText$DesktopForegroundItem
String ID: BWCStartMSI
API String ID: 852535152-3637052039
Opcode ID: ad5c99d3f0a8049b58fec950b794254c696cc680cab85c29c9c6451894eaf46d
Instruction ID: c398723c734cba5c7192c7b058782794e5a2ed87127d76bb8fdbd92bb7b99b7f
Opcode Fuzzy Hash: ad5c99d3f0a8049b58fec950b794254c696cc680cab85c29c9c6451894eaf46d
Instruction Fuzzy Hash: 1B0124312A8628ABD7169F77CC0C96D3B19EB09383F00C910FD46865B0CB348F45EB85

Function 00952AA5 Relevance: 12.1, APIs: 8, Instructions: 117COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,00000104,00000000,00000000,?), ref: 00952ADF
IsDBCSLeadByte.KERNEL32(00000000), ref: 00952AEB
CharNextA.USER32(?), ref: 00952B0B
CharUpperA.USER32 ref: 00952B17
CharPrevA.USER32(?,?), ref: 00952B4E
CharNextA.USER32(?), ref: 00952BCD

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: Char$Next$ByteFileLeadModuleNamePrevUpper
String ID:
API String ID: 571164536-0
Opcode ID: ee62b37526615ea5ea074c9ce3b74d93967c5e88f6d2216d5ef356da9b14890e
Instruction ID: 3844717e472fda003f563cbbad83699136e00236d945aa8c3074b2d930ce0c7b
Opcode Fuzzy Hash: ee62b37526615ea5ea074c9ce3b74d93967c5e88f6d2216d5ef356da9b14890e
Instruction Fuzzy Hash: 3A4101345082459FDB15DF368C14AFD7BAD9F97302F1401AAECC297242DB358E8ACB60

Function 009543AE Relevance: 10.6, APIs: 7, Instructions: 96COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009543CF
GetWindowRect.USER32(00000000,?), ref: 009543E9
GetDC.USER32(?), ref: 00954401
GetDeviceCaps.GDI32(00000000,00000008), ref: 0095440C
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00954418
ReleaseDC.USER32(?,00000000), ref: 00954425
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005,?,?), ref: 00954480

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: Window$CapsDeviceRect$Release
String ID:
API String ID: 2212493051-0
Opcode ID: e3fd61053c8085c88e1c8b2554b979780a53983d4ffff2bcff7cfc58af0177f8
Instruction ID: 0f6f7edbf2dd59b500d15e5a82f237755866a151caf168659e9321e51320d09e
Opcode Fuzzy Hash: e3fd61053c8085c88e1c8b2554b979780a53983d4ffff2bcff7cfc58af0177f8
Instruction Fuzzy Hash: 07316131E14219AFCF14CFB9DD889EEBBB5EB89311F144229F905F3290D674AC458B64

Function 00956246 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 89COMMON

Download Yara Rule

APIs

Part of subcall function 0095173E: _vsnprintf.MSVCRT ref: 00951770

LoadResource.KERNEL32(00000000,00000000,?,?,00000002,00000000,?,0095518A,00000004,00000024,00952F64,?,00000002,00000000), ref: 0095627B
LockResource.KERNEL32(00000000,?,?,00000002,00000000,?,0095518A,00000004,00000024,00952F64,?,00000002,00000000), ref: 00956282
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,0095518A,00000004,00000024,00952F64,?,00000002,00000000), ref: 009562C9
FindResourceA.KERNEL32(00000000,00000004,0000000A), ref: 009562F3
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,0095518A,00000004,00000024,00952F64,?,00000002,00000000), ref: 00956305

Strings

UPDFILE%lu, xrefs: 00956261, 009562D7

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: Resource$Free$FindLoadLock_vsnprintf
String ID: UPDFILE%lu
API String ID: 2922116661-2329316264
Opcode ID: 407722992273f843356ce2d423ec1b1e342bc1a54ea16c2acdde846f75b7c760
Instruction ID: ac3e8f8466f5348be5e0ae98e4369cd7b82c8aa20a8d6bbc7bb3d1c0851a672c
Opcode Fuzzy Hash: 407722992273f843356ce2d423ec1b1e342bc1a54ea16c2acdde846f75b7c760
Instruction Fuzzy Hash: 6421E175A14219ABDB00DF66DC45ABE7B7CEF88716F004219ED02E3240DB759D0A8BA4

Function 009567CB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80registryCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,00000000,00000002), ref: 0095681A
GetSystemMetrics.USER32(0000004A), ref: 00956853
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 00956878
RegQueryValueExA.ADVAPI32(?,00951140,00000000,?,?,?), ref: 009568A0
RegCloseKey.ADVAPI32(?), ref: 009568AE

Part of subcall function 009566A1: CharNextA.USER32(?,00000001,00000000,00000000,?,?,?,009568C6), ref: 009566E9

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 0095686E

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
String ID: Control Panel\Desktop\ResourceLocale
API String ID: 3346862599-1109908249
Opcode ID: 61562020e2c6e4fabd98a55b0674c3385577d83bb2b45e13537c1b7d9a22129e
Instruction ID: b0b3e36ae31d9971c1cf5b1a27cc822d834ab3d7f5887e50f4a5b959905b9c90
Opcode Fuzzy Hash: 61562020e2c6e4fabd98a55b0674c3385577d83bb2b45e13537c1b7d9a22129e
Instruction Fuzzy Hash: AB318031A183289FDB20CB23CD05BAAB7BDEB41766F4001A5EA49A3140DB30DDC9DF56

Function 00953A2B Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 73memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00954669: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0095467A
Part of subcall function 00954669: SizeofResource.KERNEL32(00000000,00000000,?,00952D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00954683
Part of subcall function 00954669: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0095469D
Part of subcall function 00954669: LoadResource.KERNEL32(00000000,00000000,?,00952D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 009546A6
Part of subcall function 00954669: LockResource.KERNEL32(00000000,?,00952D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 009546AD
Part of subcall function 00954669: memcpy_s.MSVCRT ref: 009546BF
Part of subcall function 00954669: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 009546C9

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00952F57,?,00000002,00000000), ref: 00953A49
LocalFree.KERNEL32(00000000,00000000,00000010,00000000,00000000), ref: 00953A9F

Part of subcall function 00954495: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 009544F4
Part of subcall function 00954495: MessageBoxA.USER32(?,?,BWCStartMSI,00010010), ref: 00954530

Part of subcall function 00956233: GetLastError.KERNEL32(00955B72), ref: 00956233

lstrcmpA.KERNEL32(<None>,00000000), ref: 00953ABC
LocalFree.KERNEL32 ref: 00953AFF

Part of subcall function 009564C3: FindResourceA.KERNEL32(00950000,000007D6,00000005), ref: 009564D6
Part of subcall function 009564C3: LoadResource.KERNEL32(00950000,00000000,?,?,00952EDF,00000000,00951A00,00000547,0000083E,?,?,?,?,?,?,?), ref: 009564E4
Part of subcall function 009564C3: DialogBoxIndirectParamA.USER32(00950000,00000000,00000547,00951A00,00000000), ref: 00956503
Part of subcall function 009564C3: FreeResource.KERNEL32(00000000,?,?,00952EDF,00000000,00951A00,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 0095650C

LocalFree.KERNEL32(00000000,009530F0,00000000,00000000), ref: 00953AE0

Strings

<None>, xrefs: 00953AB1
LICENSE, xrefs: 00953A32

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
String ID: <None>$LICENSE
API String ID: 2414642746-383193767
Opcode ID: 5149576f5b4d8082b4953c2806ebc7c03d9296a9e02102b3323f5c0784022427
Instruction ID: 0f1e0a6558db36ecd2b955e8e3a810e8f9aa9ec0ccc1642c78bc443dda98e7a5
Opcode Fuzzy Hash: 5149576f5b4d8082b4953c2806ebc7c03d9296a9e02102b3323f5c0784022427
Instruction Fuzzy Hash: 2A11B731219301ABD760DF73AC09F177AF9DBD5743B10852EBD46EA1F0DAB98408A724

Function 009524E5 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 0095250B
WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 00952531
_lopen.KERNEL32(?,00000040), ref: 00952540
_llseek.KERNEL32(00000000,00000000,00000002), ref: 00952551
_lclose.KERNEL32(00000000), ref: 0095255A

Strings

wininit.ini, xrefs: 00952515

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
String ID: wininit.ini
API String ID: 3273605193-4206010578
Opcode ID: 15cfed8ecfedb122cfc5744ce9baf5e32fb57e29a659840065c1498f756e8944
Instruction ID: 20ff5741d7aa95d568971cf0374b4221d843f68eb744d719a33eba5ab4d9110e
Opcode Fuzzy Hash: 15cfed8ecfedb122cfc5744ce9baf5e32fb57e29a659840065c1498f756e8944
Instruction Fuzzy Hash: 070192316142186BC720DB769C08EDF7A6CEB86762F400264FA45D31D0EA749A498765

Function 009536DC Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 242windowCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,00000000,?,?), ref: 00953711
MessageBeep.USER32(00000000), ref: 009539B1
MessageBoxA.USER32(00000000,00000000,BWCStartMSI,00000030), ref: 009539DF

Strings

BWCStartMSI, xrefs: 009539D7, 00953A07
3, xrefs: 00953773

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: Message$BeepVersion
String ID: 3$BWCStartMSI
API String ID: 2519184315-499029135
Opcode ID: 0d06fb4e24ca05635aa69e174450b9927e2af6f40fbfd1bbe42ee8adb7334928
Instruction ID: c2daeb73e8efd11a76ab50113178d309d2e2789794227024bfe292e47fedd8d3
Opcode Fuzzy Hash: 0d06fb4e24ca05635aa69e174450b9927e2af6f40fbfd1bbe42ee8adb7334928
Instruction Fuzzy Hash: B29116B1E052149BEB34CB17CC917AAB7B4EB85386F1484A9DD49EB240D7708E89DF40

Function 00956443 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40libraryCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000), ref: 0095648D
LoadLibraryExA.KERNEL32(?,00000000,00000008,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000), ref: 009564A7
LoadLibraryA.KERNEL32(advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000), ref: 009564B0

Strings

advpack.dll, xrefs: 00956470, 0095647B, 009564AF
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 0095645A

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: LibraryLoad$AttributesFile
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$advpack.dll
API String ID: 438848745-3594766426
Opcode ID: e46b5151da1ab7ca329c806a19224c608bb525c46cc9076d734f5be43f8d7ac4
Instruction ID: f67bbe4da87da4d2e17f164515167f585ccaeba3ece44fbbfe83a0ace6a59a5e
Opcode Fuzzy Hash: e46b5151da1ab7ca329c806a19224c608bb525c46cc9076d734f5be43f8d7ac4
Instruction Fuzzy Hash: 54F0F430A28204ABDB50DF36DC49BEE7778DB94312F900294F985A31D0DFB09D8E8B10

Function 009528E3 Relevance: 7.6, APIs: 5, Instructions: 139memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 00952A6A

Part of subcall function 00952770: CharUpperA.USER32(8005F836,00000000,00000000,00000000), ref: 009527A5
Part of subcall function 00952770: CharNextA.USER32(?), ref: 009527B2
Part of subcall function 00952770: CharNextA.USER32(00000000), ref: 009527B9
Part of subcall function 00952770: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00952826
Part of subcall function 00952770: RegQueryValueExA.ADVAPI32(?,00951140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 0095284F
Part of subcall function 00952770: ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 0095286D
Part of subcall function 00952770: RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 0095289D

GlobalAlloc.KERNEL32(00000042,00000000,?,?,?,?,?,?,?,?,00953926,?,?,?,?,-00000005), ref: 00952953
GlobalLock.KERNEL32(00000000), ref: 00952964
GlobalUnlock.KERNEL32(00000000), ref: 00952A1C
GlobalUnlock.KERNEL32(00000000), ref: 00952A7A

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: Global$Char$NextUnlock$AllocCloseEnvironmentExpandFreeLockOpenQueryStringsUpperValue
String ID:
API String ID: 3949799724-0
Opcode ID: 890bd814deb9a2cef119cedf170f00be5b162c71aaa5fe8891a33965c165e5d7
Instruction ID: 0e1750d113ff83e6d7dcf62118af6dcf939c32d01848c9de45e18ed104b686aa
Opcode Fuzzy Hash: 890bd814deb9a2cef119cedf170f00be5b162c71aaa5fe8891a33965c165e5d7
Instruction Fuzzy Hash: 0A514D31E00219DFCB21CF9AD884AAEFBB9FF49712F14412AE911E3291D7309D45DBA4

Function 00954153 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00954669: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0095467A
Part of subcall function 00954669: SizeofResource.KERNEL32(00000000,00000000,?,00952D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00954683
Part of subcall function 00954669: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 0095469D
Part of subcall function 00954669: LoadResource.KERNEL32(00000000,00000000,?,00952D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 009546A6
Part of subcall function 00954669: LockResource.KERNEL32(00000000,?,00952D11,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 009546AD
Part of subcall function 00954669: memcpy_s.MSVCRT ref: 009546BF
Part of subcall function 00954669: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 009546C9

LocalAlloc.KERNEL32(00000040,?,00000000,00000000,00000105,00000000,009530A5), ref: 00954173
LocalFree.KERNEL32(00000000,?,00000000,00000000,00000105,00000000,009530A5), ref: 009541D1

Part of subcall function 00954495: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 009544F4
Part of subcall function 00954495: MessageBoxA.USER32(?,?,BWCStartMSI,00010010), ref: 00954530

Strings

FINISHMSG, xrefs: 0095415D, 00954195
<None>, xrefs: 009541AF

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
String ID: <None>$FINISHMSG
API String ID: 3507850446-3091758298
Opcode ID: a816d16da6f31eac126224b49ddc9642daf9d9f37ce4d88c020015baca0a39cf
Instruction ID: 3a1f96d4b946be6d7f56bb398e2d454f0ddbc4532c8eaa4445d49a669831f3b3
Opcode Fuzzy Hash: a816d16da6f31eac126224b49ddc9642daf9d9f37ce4d88c020015baca0a39cf
Instruction Fuzzy Hash: 2601F2A13047103BE36096675C85F7B108DCBD578BF104025BF05D9190C968CC881379

Function 00951A00 Relevance: 7.6, APIs: 5, Instructions: 50windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,?), ref: 00951A38
GetDesktopWindow.USER32 ref: 00951A44
LoadStringA.USER32(?,?,00000200), ref: 00951A6F
SetDlgItemTextA.USER32(?,0000083F,00000000), ref: 00951A82
MessageBeep.USER32(000000FF), ref: 00951A8A

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
String ID:
API String ID: 1273765764-0
Opcode ID: 0289f48742464000a738c07278612c294c332dcc72a5ca833c90dc6574176368
Instruction ID: 6211a38a89e5fa6e9f01fd7cdcce15f78a2da56face5435929e88361a2a42d46
Opcode Fuzzy Hash: 0289f48742464000a738c07278612c294c332dcc72a5ca833c90dc6574176368
Instruction Fuzzy Hash: 7B11D631514219AFDB11EF76DE08BAE7BB8EF49302F108250F912D3191DB349E49EB59

Function 009547BA Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000008,?,00000000,00954E3F), ref: 009547C4
LocalAlloc.KERNEL32(00000040,?), ref: 009547FD
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000), ref: 00954821

Part of subcall function 00954495: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 009544F4
Part of subcall function 00954495: MessageBoxA.USER32(?,?,BWCStartMSI,00010010), ref: 00954530

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 0095482B

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: Local$Alloc$FreeLoadMessageString
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 359063898-816172423
Opcode ID: b39c88df6fdb2cf80474df0876330fcaf3bd904036c2e3fe7092ccc241f12b81
Instruction ID: cf03388a593014e7d21afa2ea267406165948b7387811bb2e4ad3682260c245d
Opcode Fuzzy Hash: b39c88df6fdb2cf80474df0876330fcaf3bd904036c2e3fe7092ccc241f12b81
Instruction Fuzzy Hash: CD1106B920C701AFE754CF369C08F733B59EBC5306B144629FE429B240DA358C4A9720

Function 009564C3 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00950000,000007D6,00000005), ref: 009564D6
LoadResource.KERNEL32(00950000,00000000,?,?,00952EDF,00000000,00951A00,00000547,0000083E,?,?,?,?,?,?,?), ref: 009564E4
DialogBoxIndirectParamA.USER32(00950000,00000000,00000547,00951A00,00000000), ref: 00956503
FreeResource.KERNEL32(00000000,?,?,00952EDF,00000000,00951A00,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 0095650C

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: Resource$DialogFindFreeIndirectLoadParam
String ID:
API String ID: 1214682469-0
Opcode ID: 7b6302aec38165b8fff667bb7695c08014f12bf30b7791ce18a16282cd5aaa61
Instruction ID: 7f38338c7998d8641c7699d7add6fcad18b3a89e64573a4535957673d0730550
Opcode Fuzzy Hash: 7b6302aec38165b8fff667bb7695c08014f12bf30b7791ce18a16282cd5aaa61
Instruction Fuzzy Hash: 62012672100205BBDB109F7B9C08DAB7A6CEF85366F000524FE11A3190DB70CC0197B1

Function 00953670 Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 0095368F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 009536A2
DispatchMessageA.USER32(?), ref: 009536BB
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 009536CA

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: Message$Peek$DispatchMultipleObjectsWait
String ID:
API String ID: 2776232527-0
Opcode ID: 6b276e9af6524c3cfdadb42c9e037625b553d5e95026e70beab3984ec49c289e
Instruction ID: b9172783898ad2d9100cb890224cbd808146d742a8036ef756c89fed94ebce73
Opcode Fuzzy Hash: 6b276e9af6524c3cfdadb42c9e037625b553d5e95026e70beab3984ec49c289e
Instruction Fuzzy Hash: DC01A272905214BBDF308BA79C49EEB7BBCEBC5B52F04422CBD01E2284D660C644D774

Function 00956592 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

CharPrevA.USER32(?,00000000,00000000,?,00000000,00952B2C), ref: 009565AC
CharPrevA.USER32(?,00000000), ref: 009565BC
CharPrevA.USER32(?,00000000), ref: 009565D3
CharNextA.USER32(00000000), ref: 009565DF

Memory Dump Source

Source File: 00000000.00000002.15746611759.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.15746577806.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746644390.0000000000958000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.15746673753.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_BWCStartMSI.jbxd

Similarity

API ID: Char$Prev$Next
String ID:
API String ID: 3260447230-0
Opcode ID: 988037937722a4fd8b43affb3f166207753091ea3dc82cca5278232eccafde00
Instruction ID: 794cda2de369b5a5d5712bba9cbfb98349fc556233b7c0f5b36c67a15131fa07
Opcode Fuzzy Hash: 988037937722a4fd8b43affb3f166207753091ea3dc82cca5278232eccafde00
Instruction Fuzzy Hash: BBF0F9710085506EE7325F2B4C889BB7F9C8F87257B5902AFF9D183014E6550D4BD761

Analysis Process: BWCStartMSI.exePID: 1096, Parent PID: 3436COMMON

Execution Graph

Execution Coverage:	33.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	15
Total number of Limit Nodes:	0

Executed Functions

Function 0310057C Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserGeoID.KERNEL32(00000010), ref: 03101AD7

Memory Dump Source

Source File: 00000002.00000002.15745687858.0000000003100000.00000040.00000800.00020000.00000000.sdmp, Offset: 03100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3100000_BWCStartMSI.jbxd

Similarity

API ID: User
String ID:
API String ID: 765557111-0
Opcode ID: 77dfe555deed6ca1d60a30653fdb27a0555541735e69a35652d8661a7ae1d0d9
Instruction ID: adf174c1d7936c17e54a0cbf56cefa4b03b90b9a4b70b1818eee63f85a908c52
Opcode Fuzzy Hash: 77dfe555deed6ca1d60a30653fdb27a0555541735e69a35652d8661a7ae1d0d9
Instruction Fuzzy Hash: 9A1136B5800649CFCB10DF9AD484BEEFBF4EB48324F24841AD419B3240C378A944CFA4

Function 03101A71 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserGeoID.KERNEL32(00000010), ref: 03101AD7

Memory Dump Source

Source File: 00000002.00000002.15745687858.0000000003100000.00000040.00000800.00020000.00000000.sdmp, Offset: 03100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3100000_BWCStartMSI.jbxd

Similarity

API ID: User
String ID:
API String ID: 765557111-0
Opcode ID: 2622e93d0f5c5867bd6a113edb205a4349777a534d86fc1d03d304483c7ff5bf
Instruction ID: f11fc1a318767e8c091ebda66fdf6ef32be017ebba49fb99aae735157c4f1869
Opcode Fuzzy Hash: 2622e93d0f5c5867bd6a113edb205a4349777a534d86fc1d03d304483c7ff5bf
Instruction Fuzzy Hash: B01106B5800649CFDB50DF9AD484B9EFBF4EB49324F24845AD429B7640C378A544CFA5

Analysis Process: rundll32.exePID: 3516, Parent PID: 4324COMMON

Executed Functions

Function 074027C0 Relevance: .7, Instructions: 660COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.15730651933.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1ab99490f6a320eddc312bf41f0a0d93a9f591722c07ebc51d4417f02fb9ad3
Instruction ID: 2038cefe6a26da06a546a4d4a9fe4ca6b9f024d0f72ff53a90d22b59e33fea66
Opcode Fuzzy Hash: f1ab99490f6a320eddc312bf41f0a0d93a9f591722c07ebc51d4417f02fb9ad3
Instruction Fuzzy Hash: C7520438A41309CFC72ADF64D6D095A7773FB95304BA186ACE5011B395CB7AEA42CF84

Function 07401080 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.15730651933.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20c90f3cdd6db52a6b063b8882208d05bb2ba3d9c61bc9a87ed43e795e5ee333
Instruction ID: 45f1db5987a1ae3b7bf0b782cdeb615d561ae19bc94a0f4413ed26973f7ea8ee
Opcode Fuzzy Hash: 20c90f3cdd6db52a6b063b8882208d05bb2ba3d9c61bc9a87ed43e795e5ee333
Instruction Fuzzy Hash: 6F719471B00219CFDB18ABB5D8547AEB7E7AFC9300F14803AE506AB3A4DE759D028791

Function 07401630 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.15730651933.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ababaef160767aab861c63745a4de94cee7ec87e227e6d5455672c2a257e7c3
Instruction ID: d526e8595a3ea363d4a28bd029c1c8bb804b3024d26f516e3799dc2a7687898b
Opcode Fuzzy Hash: 2ababaef160767aab861c63745a4de94cee7ec87e227e6d5455672c2a257e7c3
Instruction Fuzzy Hash: AF51EDB5B012088FDB18DF78D8846EEBBE6BBC9350B54853BD805D73A5DA349D0287E1

Function 07400C1C Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.15730651933.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d3a0820f2ab1a9cfe35ea804309677dd22f3e46a2fa7dfe0cc744e252761a6a
Instruction ID: b203d41a78ef5a22e73e467318940354c796c0082e8d6f90ed54e0e53d8e4b0a
Opcode Fuzzy Hash: 0d3a0820f2ab1a9cfe35ea804309677dd22f3e46a2fa7dfe0cc744e252761a6a
Instruction Fuzzy Hash: CE51E171B042489FDB099B64D8957EE7BB6AFC9310F14446BE406AB3E1CE794C06C7E2

Function 0740101C Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.15730651933.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae62abe1b37c135e3cc4b1d9daa81e78519c2b4ba6a886a574aa6c7fe59ea67
Instruction ID: 03b425686409e56d499e51f6719157f0a0191d51845e8fa5c7076a34e8b1fe95
Opcode Fuzzy Hash: 9ae62abe1b37c135e3cc4b1d9daa81e78519c2b4ba6a886a574aa6c7fe59ea67
Instruction Fuzzy Hash: E841D3717042118FEB189B75A8A47BF7BABABC5600F14447EE806CB3D4EE389D0287D5

Function 074036A0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.15730651933.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22fe4cc26e2b8aa774b948e75c6cbb7034e1b9ebf68ded296df8a11193c9f940
Instruction ID: c2b47432627c2f720518c25cfec69ab23ad205b0e432d75d375864a089c3b7ab
Opcode Fuzzy Hash: 22fe4cc26e2b8aa774b948e75c6cbb7034e1b9ebf68ded296df8a11193c9f940
Instruction Fuzzy Hash: C231C6B67002044FD7189A79A895AAFBBABEFC1615B58C43FD505CB390DE35E80743D0

Function 07402268 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.15730651933.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e7682c107e2de5bff6f5f8c6b8a2ff09c13c4d328369d4f65b1d63883f161a5
Instruction ID: e3210674921683c60ef6b7bf23036bf16bcd9f240e6cfecd4c335928366018ba
Opcode Fuzzy Hash: 0e7682c107e2de5bff6f5f8c6b8a2ff09c13c4d328369d4f65b1d63883f161a5
Instruction Fuzzy Hash: C541E675B002189FCB54DF69D8849DEBBB6FF89310B14816AE905EB3A4DB31DD42CB90

Function 07403290 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.15730651933.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b3d7b70ca14f0cade80a995bcf442c31b8053ab860e6156e49dadb5f60e0386
Instruction ID: 9c53b8894a657cc1aa66a87e7380db39ac69b647a79782b42a216e5bcda0c8bf
Opcode Fuzzy Hash: 3b3d7b70ca14f0cade80a995bcf442c31b8053ab860e6156e49dadb5f60e0386
Instruction Fuzzy Hash: 5A219CB17042128FDB18DF7998957BF7BAAAB85210F14447FE806CB2D5EF38D9018791

Function 0740103C Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.15730651933.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ef05bacc55ecfda0eaf860e929836a51773ff5a6640836c640159659e5ecd19
Instruction ID: 495878e2339da524424f207eda37cd86fa9a96fe3c91ab7ad728ce1c7894bb37
Opcode Fuzzy Hash: 8ef05bacc55ecfda0eaf860e929836a51773ff5a6640836c640159659e5ecd19
Instruction Fuzzy Hash: EA2134726863589FD7062AB1B8443FB3F69DF82231F11407BED08872E1C9398945D3D2

Function 07401072 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.15730651933.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 576992e2d894823793061c57a68bf0bc4020ab48c313ed15433024cc1a1dd210
Instruction ID: 220f7501db490ad31d1ab0199ff2830615c2b1ae402701029da257611baa3aa2
Opcode Fuzzy Hash: 576992e2d894823793061c57a68bf0bc4020ab48c313ed15433024cc1a1dd210
Instruction Fuzzy Hash: 1C11DAB6B10218CBDB148AB5AD507FEBBEAAB88351F04813BD906D7394DE74CD0687D0

Function 07402258 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.15730651933.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af10fa1a519cb5e2819e57ec6638c453d5fe1deb096c2cceb6fd416749727173
Instruction ID: bae49358c6df24471e18f93194dabd3597bd80794012c504fc3b8d159de30933
Opcode Fuzzy Hash: af10fa1a519cb5e2819e57ec6638c453d5fe1deb096c2cceb6fd416749727173
Instruction Fuzzy Hash: 3B211A76E401149FCB54DFA9D8849DEBBB2FF8C321B10812AE905E7360D7319941CBA0

Function 07403181 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.15730651933.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8efff546e78e9358706ba7de183a45fe65d4c0fa7fc6a0c63da289a0832e2374
Instruction ID: 057ec7773b76f3416598789674f829bf78795c468a379d158616939924558458
Opcode Fuzzy Hash: 8efff546e78e9358706ba7de183a45fe65d4c0fa7fc6a0c63da289a0832e2374
Instruction Fuzzy Hash: 59119D707402048FC729DF75E9946AA7BA7AB98215B14413EEA0987384DB399942CBD1

Function 07401958 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.15730651933.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25d134c02f7866ef9f91f22c1f594c0779ebeff3ccf38398aca08fd486d2b954
Instruction ID: 7d4b1ede7add0f07048f7b4951828f18cd3fb2e46ade877323c9729ade69dc4f
Opcode Fuzzy Hash: 25d134c02f7866ef9f91f22c1f594c0779ebeff3ccf38398aca08fd486d2b954
Instruction Fuzzy Hash: 39115435A14204AFDB08CFA4D895AED7FB6AF8C325F148069E809A7361CF795946CB90

Function 074035B0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.15730651933.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 287390fc6b579b6a16ee539af5b366acc562443f28a20dd5152f181804cda662
Instruction ID: c8e399566ed944505fdb31ea706b787fe9c12534d627c266be549ab2ccb3a4a8
Opcode Fuzzy Hash: 287390fc6b579b6a16ee539af5b366acc562443f28a20dd5152f181804cda662
Instruction Fuzzy Hash: D2117274A142089FDB08DB65C890AEE7BB7AFCC310F10843AE505A7390CF7A9846CB91

Function 074035AD Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.15730651933.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23cb332ed901bbdfaae9db2668b31b1ef5c026d78f6a36e7f07abd74e4bfbd2f
Instruction ID: aed61310f7b4593ec3d018ed932e7b1e8652cc9eb1d1fa46500e15856112cd58
Opcode Fuzzy Hash: 23cb332ed901bbdfaae9db2668b31b1ef5c026d78f6a36e7f07abd74e4bfbd2f
Instruction Fuzzy Hash: 80117274A142089FDB08DF65C891AED7BB7AFCC310F14843AE505A7390CF7A9846CB91

Function 07401378 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.15730651933.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 296645d833db627ea06b698e67ea366474122a4b4c8b368923348df06de15950
Instruction ID: 261336f9b10b7872346f8e6349774f55eb718796d670d422240db27e707d5a53
Opcode Fuzzy Hash: 296645d833db627ea06b698e67ea366474122a4b4c8b368923348df06de15950
Instruction Fuzzy Hash: F521FEB5D0024A8FDB14DFAAD484BEEFBB0FF88324F50852AD459A7240C7746905CFA1

Function 07403190 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.15730651933.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b252e7948b833bd38497846220ca486e158180a49735bba84dc8e19eaa5235d5
Instruction ID: acd3a3ae7f4898ffea193caf06195bd7b1a35ff8095a81b5e83fc78b7a3396d3
Opcode Fuzzy Hash: b252e7948b833bd38497846220ca486e158180a49735bba84dc8e19eaa5235d5
Instruction Fuzzy Hash: 37116D707402048FCB29EF75D9947AE7BA7EBD9214B14413EEA09C7384DF399942CB91

Function 07401380 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.15730651933.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed11291407745dfa3c8d9ef799f319d5e09f80b875c33a4e8ba1537480c57c80
Instruction ID: 843ac23c2ca9f3ee144eaf5f110dcbdf66b4d14f196b3c177d0e8a967a912c0e
Opcode Fuzzy Hash: ed11291407745dfa3c8d9ef799f319d5e09f80b875c33a4e8ba1537480c57c80
Instruction Fuzzy Hash: EB11E0B5D002498FDB14DFAAD484BEEFBB4FB88324F50842AD45967240C774A905CFA5

Function 07401968 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.15730651933.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ecf4239564817c942121e8c88538936363ba529e07049cc616cbefc79e401a5
Instruction ID: b4ed0b1174d78ac55fc5f9a76312b6256489e68561247630082fcf524364b642
Opcode Fuzzy Hash: 1ecf4239564817c942121e8c88538936363ba529e07049cc616cbefc79e401a5
Instruction Fuzzy Hash: E9112435614204AFDB08DF64D895AAD7FFAEF8C315F144069F909A73A0CF795846CBA0

Function 07401440 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.15730651933.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7100101e829925a4b78930f043411e7e09cd2538c0f33b58bdced1daa5be0b9c
Instruction ID: 8cf4c2db5cb844d3538a3bb3a2979cd05e522dc7c9529695b9498248e9981679
Opcode Fuzzy Hash: 7100101e829925a4b78930f043411e7e09cd2538c0f33b58bdced1daa5be0b9c
Instruction Fuzzy Hash: 2401D87072934A8FD71D8B346D6526E3FAAAFC220175905FFD505CB2B1FA39480583D1

Function 0740182A Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.15730651933.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d465857617194023c387a00b8cfebe221883295125fb7078ee5e3e5b77b167d
Instruction ID: 9130f3b2eb4b7cbdb26666bb18fac4c1af8dcc2cd8fa39f2fb226e4ccf1892d2
Opcode Fuzzy Hash: 7d465857617194023c387a00b8cfebe221883295125fb7078ee5e3e5b77b167d
Instruction Fuzzy Hash: DF018FB6A0011987EB18AA69D5527EF7BB6ABC8310F25443FD101F37D0CE790D0587E2

Function 04D3D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.15731798122.0000000004D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d3d000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7227247478e19373555bb3d82330329e0c11e2968997533ca6e69c2a67277223
Instruction ID: 95cd9e8f9b5c3ae21d93b9f58503a2970e25168898e211f7ead3e9c8640410d6
Opcode Fuzzy Hash: 7227247478e19373555bb3d82330329e0c11e2968997533ca6e69c2a67277223
Instruction Fuzzy Hash: 4E015E6110E3C05FE7128B259C94B52BFB4EF43624F1981DBD8988F193C2695849CB72

Function 04D3D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.15731798122.0000000004D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d3d000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aff82be94bce464b1cb23f9c2c1a0516b1d603c498519d424b009251a8cd146
Instruction ID: 0a7b37987b0de893df3f66e59d84e38b6b43a343b6e644b7b47b279ead7a3b47
Opcode Fuzzy Hash: 8aff82be94bce464b1cb23f9c2c1a0516b1d603c498519d424b009251a8cd146
Instruction Fuzzy Hash: B401F771604340AFE7204F26E8C4766BF99EF41725F18801AEC991B142D279A841CEB1

Function 07401431 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.15730651933.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 875d535dd6c16853b9e337fcdc2a31bdef1b96ba8917cbaeb691ff78abbeca70
Instruction ID: 49847687a000e90261a63915c44d42f626552eb037eaeadca9fde6362e2a697c
Opcode Fuzzy Hash: 875d535dd6c16853b9e337fcdc2a31bdef1b96ba8917cbaeb691ff78abbeca70
Instruction Fuzzy Hash: B3F096B07597468FD75D9B75696625E3FA9ABC221434C04BFD106CF2A0FA3A880187D1

Function 0740324F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.15730651933.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef0649f15e6e5b5575ef38db2fda1d5f0f6bee2c2562e55483a6488e083bb523
Instruction ID: 9bbbd3dd1855f3e1bd9c55d307f06a8bf2a197a2cb307c6e4ff71a5524deaff0
Opcode Fuzzy Hash: ef0649f15e6e5b5575ef38db2fda1d5f0f6bee2c2562e55483a6488e083bb523
Instruction Fuzzy Hash: 3AE0DF33642250CBE31646B0A9101D1B7624B4432631105BBCE048B286C23ADE4487C1

Function 074037D1 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.15730651933.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d28fa10e7aa509039e955355a96ed831799969f964d1b6cea61143e7ae028ce
Instruction ID: 42c0080d0d42d90e085d34be1ed4354c6ae146ba096bbe7bedb658fd6aa5f238
Opcode Fuzzy Hash: 9d28fa10e7aa509039e955355a96ed831799969f964d1b6cea61143e7ae028ce
Instruction Fuzzy Hash: B2D02E3634A6200FC302D7B8F4209D43FB4CB4A32170002EBE005CB362C9699D008781

Function 074017F0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.15730651933.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc5c0598ad378426f9cfa31dd7e1fadeeab0450139f52edb60784de35b09aae4
Instruction ID: 4edd5667563f156895390cc1e9591608c5b6259d316a68ecb62213f361466aef
Opcode Fuzzy Hash: bc5c0598ad378426f9cfa31dd7e1fadeeab0450139f52edb60784de35b09aae4
Instruction Fuzzy Hash: 77D05B3724A5508FD3075B50E8615D97F71A7592213094467E941C7361CA394D15C7D1

Function 07400C48 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.15730651933.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef26dbf790bc538a8bffd6fee38082090cabcf258bb1a6fbc58d973f9b1bad96
Instruction ID: eb0dad3cfe0bf6263db0c3a48931f09a097bf7c3ee6a5a9ac45e56799022e159
Opcode Fuzzy Hash: ef26dbf790bc538a8bffd6fee38082090cabcf258bb1a6fbc58d973f9b1bad96
Instruction Fuzzy Hash: 45D0A7313146244FC204671CE498A5977ACDB4F710B50046EF50AC7360C992EC0003C9

Function 07403260 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.15730651933.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aae9d40904c0fe87317c94617206008a3230447017539e551ac0db420c4e1d20
Instruction ID: 6f87d414e30adb8f21934d91cd37493a7ce2719f729d47df3ac70a4fc4a86a99
Opcode Fuzzy Hash: aae9d40904c0fe87317c94617206008a3230447017539e551ac0db420c4e1d20
Instruction Fuzzy Hash: 44D0A731741224C3D7255AF5A444696735A9B84755B10003EDE04C7388D63BDD4047D0

Function 07400C0C Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.15730651933.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeaeaf5145419e9ef16c23d657577ed256602af448e4786707ee954a0207a4db
Instruction ID: 7fea92d635e7cbed2c0499a96312b9aa86a5a488818b194e8df44ec2bd946d37
Opcode Fuzzy Hash: aeaeaf5145419e9ef16c23d657577ed256602af448e4786707ee954a0207a4db
Instruction Fuzzy Hash: 88D0A73225411C5B42096615D8D5AAE77A9E7952607504437FE0283260DD745D1187E6

Function 07400440 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.15730651933.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae843a2b81fd4a92ecd07efbc5204e535ee8115cef67d400fbd6081cc4406848
Instruction ID: c5612c9a71be42c9cc58a918b63894049c5e8de9247dbc2107cb3c2869f71138
Opcode Fuzzy Hash: ae843a2b81fd4a92ecd07efbc5204e535ee8115cef67d400fbd6081cc4406848
Instruction Fuzzy Hash: DFC08C3622D3C10FC70383A0A8020D0FF30AAA321634E43E7E182C5013C21D4649C3B1

Analysis Process: BingWallpaperApp.exePID: 7648, Parent PID: 3516COMMON

Execution Graph

Execution Coverage:	5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	152

Executed Functions

Function 6BEE7D20 Relevance: 95.9, APIs: 39, Strings: 15, Instructions: 1427registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Internet Explorer\ContinuousBrowsing,00000000,00000001,?), ref: 6BEE7DD4
RegQueryValueExW.ADVAPI32(00000000,Enabled,00000000,00000000,00000000,00000004), ref: 6BEE7DF6
RegCloseKey.ADVAPI32(00000000), ref: 6BEE7E07
RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Internet Explorer\Main,00000000,00000001,?), ref: 6BEE7E49
RegQueryValueExW.KERNELBASE(?,Start Page,00000000,00000000,?,00000FA0), ref: 6BEE7E77
RegCloseKey.ADVAPI32(?), ref: 6BEE7E92
RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Internet Explorer\Main,00000000,00000001,?), ref: 6BEE7FA5
RegQueryValueExW.KERNELBASE(?,Secondary Start Pages,00000000,00000000,?,00000FA0), ref: 6BEE7FD3
RegCloseKey.ADVAPI32(?), ref: 6BEE7FEE
RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Internet Explorer\SearchScopes,00000000,00000001,?), ref: 6BEE81CD
RegQueryValueExW.KERNELBASE(?,DefaultScope,00000000,00000000,?,00000104), ref: 6BEE81F9
RegCloseKey.ADVAPI32(?), ref: 6BEE8215
RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Internet Explorer\SearchScopes,00000000,00000201,?), ref: 6BEE8244
RegQueryValueExW.ADVAPI32(?,DefaultScope,00000000,00000000,?,00000104), ref: 6BEE826E
RegCloseKey.ADVAPI32(?), ref: 6BEE8289
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?), ref: 6BEE8504
RegQueryValueExW.KERNELBASE(?,Name,00000000,00000000,?,00000104), ref: 6BEE852E
RegCloseKey.ADVAPI32(?), ref: 6BEE8549
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?), ref: 6BEE8589
RegQueryValueExW.KERNELBASE(?,DisplayName,00000000,00000000,?,00000104), ref: 6BEE85B3
RegCloseKey.ADVAPI32(?), ref: 6BEE85CE
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000201,?), ref: 6BEE8611
RegQueryValueExW.ADVAPI32(?,Name,00000000,00000000,?,00000104), ref: 6BEE863B
RegCloseKey.ADVAPI32(?), ref: 6BEE8656
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000201,?), ref: 6BEE8699
RegQueryValueExW.ADVAPI32(?,DisplayName,00000000,00000000,?,00000104), ref: 6BEE86C3
RegCloseKey.ADVAPI32(?), ref: 6BEE86DE
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?), ref: 6BEE87D0
RegQueryValueExW.KERNELBASE(?,URL,00000000,00000000,?,00000FA0), ref: 6BEE87FA
RegCloseKey.ADVAPI32(?), ref: 6BEE8815
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000201,?), ref: 6BEE8858
RegQueryValueExW.ADVAPI32(?,URL,00000000,00000000,?,00000FA0), ref: 6BEE8882
RegCloseKey.ADVAPI32(?), ref: 6BEE889D
RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Internet Explorer,00000000,00000201,?,7565E430,?,7565E2C0), ref: 6BEE8A5E
RegQueryValueExW.KERNELBASE(?,svcVersion,00000000,00000000,?,00000040), ref: 6BEE8A88
RegCloseKey.ADVAPI32(?), ref: 6BEE8AA9
RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Internet Explorer,00000000,00000201,?), ref: 6BEE8AD1
RegQueryValueExW.ADVAPI32(00000000,Version,00000000,00000000,?,00000040), ref: 6BEE8AF4
RegCloseKey.ADVAPI32(00000000), ref: 6BEE8B05

Strings

svcVersion, xrefs: 6BEE8A7D
0eu, xrefs: 6BEE7E07, 6BEE7E92, 6BEE7FEE
Name, xrefs: 6BEE8523, 6BEE8630
Software\Microsoft\Internet Explorer\SearchScopes, xrefs: 6BEE81C3, 6BEE8234, 6BEE833D
Software\Microsoft\Internet Explorer\ContinuousBrowsing, xrefs: 6BEE7DCA
Software\Microsoft\Internet Explorer\Main, xrefs: 6BEE7E3F, 6BEE7F95
DefaultScope, xrefs: 6BEE81EE, 6BEE8263
Software\Microsoft\Internet Explorer, xrefs: 6BEE8A54, 6BEE8AC7
Version, xrefs: 6BEE8AE9
DisplayName, xrefs: 6BEE85A8, 6BEE86B8
Secondary Start Pages, xrefs: 6BEE7FC8
URL, xrefs: 6BEE87EF, 6BEE8877
Start Page, xrefs: 6BEE7E6C
Enabled, xrefs: 6BEE7DEB
@, xrefs: 6BEE8A3B

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: 0eu$@$DefaultScope$DisplayName$Enabled$Name$Secondary Start Pages$Software\Microsoft\Internet Explorer$Software\Microsoft\Internet Explorer\ContinuousBrowsing$Software\Microsoft\Internet Explorer\Main$Software\Microsoft\Internet Explorer\SearchScopes$Start Page$URL$Version$svcVersion
API String ID: 3677997916-2391979940
Opcode ID: 3da664dfb19ced7812331faf8f1994eea2a64e3fbb584855433e4a6224c45fa7
Instruction ID: ed3dbe32dac3a5aac2d2e1130ef3d58b00174a2d76d7ed1e49aba04f4884eb75
Opcode Fuzzy Hash: 3da664dfb19ced7812331faf8f1994eea2a64e3fbb584855433e4a6224c45fa7
Instruction Fuzzy Hash: 52C27F71A002299BDF24CF24CC49BDEB7B5AF45304F2046E9E519A7290DB789F89CF61

Function 6BEEE930 Relevance: 93.6, APIs: 14, Strings: 37, Instructions: 4301COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,62F1F502,0000000F), ref: 6BEEEE5C
PathFileExistsW.SHLWAPI(00000000,62F1F502,0000000F), ref: 6BEF02E4
PathFileExistsW.SHLWAPI(00000000,62F1F502,?), ref: 6BEF1297
GetCurrentProcess.KERNEL32(00000000,6BFDC88C,00000000,62F1F502,?,?,00000000), ref: 6BEF19B3
IsWow64Process.KERNEL32(00000000,?,?,00000000), ref: 6BEF19BA
SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 6BEF19F6
PathFileExistsW.SHLWAPI(00000000,?,?,?,?,?,00000000,00000000,?,?,\Google\Chrome,0000000E,\Application\chrome.exe,00000017,?,?), ref: 6BEF1C89
PathFileExistsW.SHLWAPI(00000000,?,?,?,?,?,\Application\chrome.exe,00000017,?,?,00000000), ref: 6BEF1D59
ExpandEnvironmentStringsW.KERNEL32(%ProgramW6432%,?,00000104,?,?,00000000), ref: 6BEF1DC7
PathFileExistsW.SHLWAPI(00000000,?,?,?,?,?,?,?,\Google\Chrome,0000000E,\Application\chrome.exe,00000017,?,?,00000000), ref: 6BEF1FFF
GetFileVersionInfoSizeW.KERNELBASE(00000000,?,?,?,00000000), ref: 6BEF2031
GetFileVersionInfoW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 6BEF20AD
VerQueryValueW.VERSION(00000000,6BFE2EF4,00000000,?,?,?,?,00000000), ref: 6BEF20E8

Strings

%ProgramW6432%, xrefs: 6BEF1DC2
preferences, xrefs: 6BEEF4B6
true, xrefs: 6BEEF567, 6BEF0517
url, xrefs: 6BEF1642
default_search_provider_data, xrefs: 6BEF13BC, 6BEF13C4
ids, xrefs: 6BEEEFC6
\Preferences, xrefs: 6BEF2368
\Application\chrome.exe, xrefs: 6BEF1A12, 6BEF1CD9, 6BEF1DD7
short_name, xrefs: 6BEF15DA
default_search_provider, xrefs: 6BEF13B6
\Google\Chrome, xrefs: 6BEF1A4B, 6BEF1E12
extensions, xrefs: 6BEEEEEA, 6BEEF192
homepage, xrefs: 6BEF09A3, 6BEF09EF
H, xrefs: 6BEEFB27
@, xrefs: 6BEF005F
default_search_provider.enabled, xrefs: 6BEEF50C
search_provider, xrefs: 6BEEF7E4
restore_on_startup, xrefs: 6BEF065A, 6BEF0811
manifest, xrefs: 6BEEF744
4, xrefs: 6BEF20F2
install_parameter, xrefs: 6BEEF9ED
search_url, xrefs: 6BEEF8A2, 6BEF1512
install_signature, xrefs: 6BEEEF6E
session, xrefs: 6BEF054F, 6BEF059B, 6BEF06C5
settings, xrefs: 6BEEF143, 6BEEF1DF
template_url_data, xrefs: 6BEF157D
startup_urls, xrefs: 6BEF0B58, 6BEF0B60
install_time, xrefs: 6BEEF450
name, xrefs: 6BEEF834, 6BEF14AD
state, xrefs: 6BEEF36E
__PARAM__, xrefs: 6BEEF918, 6BEEFA4D
\Secure Preferences, xrefs: 6BEEECAA, 6BEF012E, 6BEF10E2
chrome_settings_overrides, xrefs: 6BEEF794
session.startup_urls, xrefs: 6BEEF59B
urls_to_restore_on_startup, xrefs: 6BEF0B52
\User Data, xrefs: 6BEEEBD4, 6BEF0046, 6BEF1015, 6BEF22A4
homepage_is_newtabpage, xrefs: 6BEF0408, 6BEF045F

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: File$Path$Exists$InfoProcessVersion$CurrentEnvironmentExpandFolderQuerySizeStringsValueWow64
String ID: %ProgramW6432%$4$@$H$\Application\chrome.exe$\Google\Chrome$\Preferences$\Secure Preferences$\User Data$__PARAM__$chrome_settings_overrides$default_search_provider$default_search_provider.enabled$default_search_provider_data$extensions$homepage$homepage_is_newtabpage$ids$install_parameter$install_signature$install_time$manifest$name$preferences$restore_on_startup$search_provider$search_url$session$session.startup_urls$settings$short_name$startup_urls$state$template_url_data$true$url$urls_to_restore_on_startup
API String ID: 1738303021-700438144
Opcode ID: bf2cbd9ecc40c23ba4418046bf5b833aacef7711715c92611a334ab416326207
Instruction ID: 282cfd28a4e432c0e2e408e8794c81d958376750223a3bcc6c74824b6b4c2064
Opcode Fuzzy Hash: bf2cbd9ecc40c23ba4418046bf5b833aacef7711715c92611a334ab416326207
Instruction Fuzzy Hash: 2183B071E01259CFDB14CF68C944B9EBBB5AF45308F2081DCD419AB391DB39AA86CF91

Function 6BEE9960 Relevance: 84.2, APIs: 20, Strings: 27, Instructions: 1988registryfileCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Mozilla\Mozilla Firefox,00000000,00000201,?,62F1F502), ref: 6BEE99E3
RegQueryValueExW.ADVAPI32(?,CurrentVersion,00000000,00000000,?,00000040), ref: 6BEE9A13
RegCloseKey.ADVAPI32(?), ref: 6BEE9A2F
RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Mozilla\Mozilla Firefox,00000000,00000101,?), ref: 6BEE9A54
RegQueryValueExW.KERNELBASE(?,CurrentVersion,00000000,00000000,?,00000040), ref: 6BEE9A82
RegCloseKey.ADVAPI32(?), ref: 6BEE9A9D
RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000201,?,\Main,00000005,?,?,SOFTWARE\Mozilla\Mozilla Firefox\,00000021), ref: 6BEE9B73
RegQueryValueExW.ADVAPI32(?,Install Directory,00000000,00000000,?,00000104), ref: 6BEE9BA1
RegCloseKey.ADVAPI32(?), ref: 6BEE9BBC
RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000101,?), ref: 6BEE9BF1
RegQueryValueExW.KERNELBASE(?,Install Directory,00000000,00000000,?,00000104), ref: 6BEE9C1F
RegCloseKey.ADVAPI32(?), ref: 6BEE9C3A
GetTempPathW.KERNEL32(000000F6,?,6BFDC88C,00000000,62F1F502,00000000,00000000), ref: 6BEEA483
CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000080,00000000,?,?,00000000,00000000,?,?,searchTemp.json,0000000F), ref: 6BEEA655
GetFileInformationByHandle.KERNEL32(00000000,?), ref: 6BEEA672
ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 6BEEA6C5
CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,00000001), ref: 6BEEA844
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 6BEEA871
CloseHandle.KERNEL32(00000000), ref: 6BEEA891
CloseHandle.KERNEL32(?), ref: 6BEEA8EF

Part of subcall function 6BEC7C20: CreateFileW.KERNEL32(?,?,00000001,00000000,00000003,00000080,00000000,62F1F502), ref: 6BEC7CA2
Part of subcall function 6BEC7C20: GetFileInformationByHandle.KERNEL32(00000000,?), ref: 6BEC7CB8
Part of subcall function 6BEC7C20: ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 6BEC7CF5
Part of subcall function 6BEC7C20: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 6BEC7D26

Strings

firefox.exe, xrefs: 6BEE9D2D
Install Directory, xrefs: 6BEE9B96, 6BEE9C14
current, xrefs: 6BEEA9B8
SOFTWARE\Mozilla\Mozilla Firefox\, xrefs: 6BEE9AEC
browser.startup.homepage, xrefs: 6BEEA076
searchform, xrefs: 6BEEB09D
params, xrefs: 6BEEB1BB
metaData, xrefs: 6BEEA95C
@, xrefs: 6BEE99BA
engines, xrefs: 6BEEAC53
template, xrefs: 6BEEB125
0eu, xrefs: 6BEE9A24
bing, xrefs: 6BEEB19C
CurrentVersion, xrefs: 6BEE9A08, 6BEE9A77
__searchForm, xrefs: 6BEEADAD
name, xrefs: 6BEEB26C
_urls, xrefs: 6BEEAE44
mozLz40, xrefs: 6BEEA77E
searchTemp.json, xrefs: 6BEEA4AA
rels, xrefs: 6BEEAFDD
SOFTWARE\Mozilla\Mozilla Firefox, xrefs: 6BEE99D9, 6BEE9A44
searchDefault, xrefs: 6BEEAA41
null, xrefs: 6BEEAE14
\Main, xrefs: 6BEE9B2A
_name, xrefs: 6BEEAD1E
value, xrefs: 6BEEB2EF
browser.startup.page, xrefs: 6BEE9F40

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: File$Close$HandleOpenQueryValue$Create$InformationRead$ByteCharMultiPathTempWideWrite
String ID: 0eu$@$CurrentVersion$Install Directory$SOFTWARE\Mozilla\Mozilla Firefox$SOFTWARE\Mozilla\Mozilla Firefox\$\Main$__searchForm$_name$_urls$bing$browser.startup.homepage$browser.startup.page$current$engines$firefox.exe$metaData$mozLz40$name$null$params$rels$searchDefault$searchTemp.json$searchform$template$value
API String ID: 2456597948-2425237140
Opcode ID: c276f7e9c85a5d67261271d51a111b64075619bc5318504be5f197ca94e63070
Instruction ID: 0ecbc58c21247c2c486a6139a57f46d95575d540dc81e4f3748f2eee69c7e1f5
Opcode Fuzzy Hash: c276f7e9c85a5d67261271d51a111b64075619bc5318504be5f197ca94e63070
Instruction Fuzzy Hash: E703C071E002159BDB24CF28CD85B9EBBB5AF44318F2041DCD419AB391D779AE86CFA1

Function 6BECDBD3 Relevance: 45.2, APIs: 8, Strings: 17, Instructions: 1413COMMON

Download Yara Rule

Strings

urls, xrefs: 6BECED8D
@, xrefs: 6BECEF98
app_locale, xrefs: 6BECE4D9
d, xrefs: 6BECED72
\Preferences, xrefs: 6BECDEC9
visits, xrefs: 6BECED9F
a, xrefs: 6BECDE28
%s-0%d, xrefs: 6BECEE19, 6BECEE43
chrome.exe, xrefs: 6BECEADF
SELECT url_visited FROM (SELECT date(((visits.visit_time/1000000)-11644473600),'unixepoch','localtime') as visit_time, urls.url as url_visited FROM urls, visits WHERE urls.id = visits.url) WHERE visit_time > ', xrefs: 6BECEF37
\User Data\Local State, xrefs: 6BECE38D
`, xrefs: 6BECED21
\History, xrefs: 6BECE922, 6BECEB59
intl, xrefs: 6BECE0D0, 6BECE46A
\User Data, xrefs: 6BECDDCC, 6BECE819
accept_languages, xrefs: 6BECE127
url_visited, xrefs: 6BECF100

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID:
String ID: %s-0%d$@$SELECT url_visited FROM (SELECT date(((visits.visit_time/1000000)-11644473600),'unixepoch','localtime') as visit_time, urls.url as url_visited FROM urls, visits WHERE urls.id = visits.url) WHERE visit_time > '$\History$\Preferences$\User Data$\User Data\Local State$`$a$accept_languages$app_locale$chrome.exe$d$intl$url_visited$urls$visits
API String ID: 0-3742388885
Opcode ID: 535ce1acce846000934e1acd02e197326b590b29b3622924950713fa176e0d97
Instruction ID: 6b307a5f06af21464ca45b68ce3807dceb7cee0f8f1e0c7942724ac706e3de13
Opcode Fuzzy Hash: 535ce1acce846000934e1acd02e197326b590b29b3622924950713fa176e0d97
Instruction Fuzzy Hash: EAD2B371910259DBDB24CF28CD89BDEB7B5AF45308F2042D9D019A7290DB79ABC4CF92

Function 6BECB5BD Relevance: 45.0, APIs: 8, Strings: 17, Instructions: 1267fileCOMMON

Download Yara Rule

APIs

Part of subcall function 6BECCFB0: PathFileExistsW.SHLWAPI(?,?,?,?,?,\User Data\Local State,00000016,?,Default,00000007,62F1F502), ref: 6BECD090

PathFileExistsW.SHLWAPI(00000000,?,\Preferences,0000000C,?,?,?,?,?,?), ref: 6BECB8B3
PathFileExistsW.SHLWAPI(00000000,?,?,?,?,?,\User Data\Local State,00000016,?,?,?,?,?,?), ref: 6BECBC4D

Part of subcall function 6BEC7C20: CreateFileW.KERNEL32(?,?,00000001,00000000,00000003,00000080,00000000,62F1F502), ref: 6BEC7CA2
Part of subcall function 6BEC7C20: GetFileInformationByHandle.KERNEL32(00000000,?), ref: 6BEC7CB8
Part of subcall function 6BEC7C20: ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 6BEC7CF5
Part of subcall function 6BEC7C20: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 6BEC7D26

CopyFileW.KERNEL32(00000000,?,00000000,?,?,?,?,?,\History,00000008,?,msedge.exe,?,?,\History,00000008), ref: 6BECC43B

Strings

urls, xrefs: 6BECC5CD
app_locale, xrefs: 6BECBD19
`, xrefs: 6BECC561
\Preferences, xrefs: 6BECB709
visits, xrefs: 6BECC5DF
@, xrefs: 6BECC7D8
%s-0%d, xrefs: 6BECC659, 6BECC683
msedge.exe, xrefs: 6BECC31F
SELECT url_visited FROM (SELECT date(((visits.visit_time/1000000)-11644473600),'unixepoch','localtime') as visit_time, urls.url as url_visited FROM urls, visits WHERE urls.id = visits.url) WHERE visit_time > ', xrefs: 6BECC777
\User Data\Local State, xrefs: 6BECBBCD
\History, xrefs: 6BECC162, 6BECC399
intl, xrefs: 6BECB910, 6BECBCAA
a, xrefs: 6BECB668
\User Data, xrefs: 6BECB60C, 6BECC059
d, xrefs: 6BECC5B2
accept_languages, xrefs: 6BECB967
url_visited, xrefs: 6BECC940

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: File$ExistsPath$ByteCharCopyCreateHandleInformationMultiReadWide
String ID: %s-0%d$@$SELECT url_visited FROM (SELECT date(((visits.visit_time/1000000)-11644473600),'unixepoch','localtime') as visit_time, urls.url as url_visited FROM urls, visits WHERE urls.id = visits.url) WHERE visit_time > '$\History$\Preferences$\User Data$\User Data\Local State$`$a$accept_languages$app_locale$d$intl$msedge.exe$url_visited$urls$visits
API String ID: 3127023688-3160853193
Opcode ID: 1f47f1dd12761053387006f82d227b482b87cd97ce2cd53433488f899d5562f9
Instruction ID: d38bf5befb732933c2e18301d3a364e2e5218a6a26549eec6ff216804202e06c
Opcode Fuzzy Hash: 1f47f1dd12761053387006f82d227b482b87cd97ce2cd53433488f899d5562f9
Instruction Fuzzy Hash: 04C29371E002599BDB24CF24CE89BDEBBB5AF45308F2042D9D019A7290DB799BC5CF52

Function 6BECBF50 Relevance: 37.7, APIs: 7, Strings: 14, Instructions: 974filetimeCOMMON

Download Yara Rule

APIs

Part of subcall function 6BECCFB0: SHGetFolderPathAndSubDirW.SHELL32(00000000,0000001C,00000000,00000000,Microsoft\Edge,?,00000000,62F1F502,?), ref: 6BECD357

Part of subcall function 6BECCFB0: PathFileExistsW.SHLWAPI(?,?,?,?,?,\User Data\Local State,00000016,?,Default,00000007,62F1F502), ref: 6BECD090

CopyFileW.KERNEL32(00000000,?,00000000,?,?,?,?,?,\History,00000008,?,msedge.exe,?,?,\History,00000008), ref: 6BECC43B
PathFileExistsW.SHLWAPI(00000000,msedge.exe,?,?,\History,00000008,?,?,6BFE2EF4,00000001,?,?,?,?,\User Data,0000000A), ref: 6BECC52A
GetLocalTime.KERNEL32(?), ref: 6BECC5FE
wsprintfW.USER32 ref: 6BECC63C
wsprintfW.USER32 ref: 6BECC666
wsprintfW.USER32 ref: 6BECC690
DeleteFileW.KERNEL32(00000000), ref: 6BECCC9B

Strings

urls, xrefs: 6BECC5CD
MUIDB, xrefs: 6BECCF3F
`, xrefs: 6BECC561
%s-%d, xrefs: 6BECC660, 6BECC68A
visits, xrefs: 6BECC5DF
@, xrefs: 6BECC7D8
%s-0%d, xrefs: 6BECC659, 6BECC683
msedge.exe, xrefs: 6BECC31F
SELECT url_visited FROM (SELECT date(((visits.visit_time/1000000)-11644473600),'unixepoch','localtime') as visit_time, urls.url as url_visited FROM urls, visits WHERE urls.id = visits.url) WHERE visit_time > ', xrefs: 6BECC777
\History, xrefs: 6BECC162, 6BECC399
\User Data, xrefs: 6BECB60C, 6BECC059
d, xrefs: 6BECC5B2
Null Sqlite Statement pointer, xrefs: 6BECCE16, 6BECCE3C
url_visited, xrefs: 6BECC940

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: File$Pathwsprintf$Exists$CopyDeleteFolderLocalTime
String ID: %s-%d$%s-0%d$@$MUIDB$Null Sqlite Statement pointer$SELECT url_visited FROM (SELECT date(((visits.visit_time/1000000)-11644473600),'unixepoch','localtime') as visit_time, urls.url as url_visited FROM urls, visits WHERE urls.id = visits.url) WHERE visit_time > '$\History$\User Data$`$d$msedge.exe$url_visited$urls$visits
API String ID: 910778831-4102703592
Opcode ID: 158b04317a3c796f28d9bca9ec8ad0ca0d77071d79b1f0fc4dca73ac8f2c644a
Instruction ID: 21e99474160291c4efabb242a5bee5d4a3ce82850e50e11f34720178c6d075ac
Opcode Fuzzy Hash: 158b04317a3c796f28d9bca9ec8ad0ca0d77071d79b1f0fc4dca73ac8f2c644a
Instruction Fuzzy Hash: 3A92A171A002599BDB24CF24CE89BDEBBB5AF45308F2041D9D018A72A0DB799BC4CF52

Function 6BECE710 Relevance: 37.7, APIs: 7, Strings: 14, Instructions: 974filetimeCOMMON

Download Yara Rule

APIs

Part of subcall function 6BECF770: SHGetFolderPathAndSubDirW.SHELL32(00000000,0000001C,00000000,00000000,Google\Chrome,?,00000000,62F1F502,?), ref: 6BECFB17

Part of subcall function 6BECF770: PathFileExistsW.SHLWAPI(?,?,?,?,?,\User Data\Local State,00000016,?,Default,00000007,62F1F502), ref: 6BECF850

CopyFileW.KERNEL32(00000000,?,00000000,?,?,?,?,?,\History,00000008,?,chrome.exe,?,?,\History,00000008), ref: 6BECEBFB
PathFileExistsW.SHLWAPI(00000000,chrome.exe,?,?,\History,00000008,?,?,6BFE2EF4,00000001,?,?,?,?,\User Data,0000000A), ref: 6BECECEA
GetLocalTime.KERNEL32(?), ref: 6BECEDBE
wsprintfW.USER32 ref: 6BECEDFC
wsprintfW.USER32 ref: 6BECEE26
wsprintfW.USER32 ref: 6BECEE50
DeleteFileW.KERNEL32(00000000), ref: 6BECF45B

Strings

urls, xrefs: 6BECED8D
@, xrefs: 6BECEF98
MUIDB, xrefs: 6BECF6FF
d, xrefs: 6BECED72
%s-%d, xrefs: 6BECEE20, 6BECEE4A
visits, xrefs: 6BECED9F
%s-0%d, xrefs: 6BECEE19, 6BECEE43
chrome.exe, xrefs: 6BECEADF
SELECT url_visited FROM (SELECT date(((visits.visit_time/1000000)-11644473600),'unixepoch','localtime') as visit_time, urls.url as url_visited FROM urls, visits WHERE urls.id = visits.url) WHERE visit_time > ', xrefs: 6BECEF37
`, xrefs: 6BECED21
\History, xrefs: 6BECE922, 6BECEB59
\User Data, xrefs: 6BECDDCC, 6BECE819
Null Sqlite Statement pointer, xrefs: 6BECF5D6, 6BECF5FC
url_visited, xrefs: 6BECF100

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: File$Pathwsprintf$Exists$CopyDeleteFolderLocalTime
String ID: %s-%d$%s-0%d$@$MUIDB$Null Sqlite Statement pointer$SELECT url_visited FROM (SELECT date(((visits.visit_time/1000000)-11644473600),'unixepoch','localtime') as visit_time, urls.url as url_visited FROM urls, visits WHERE urls.id = visits.url) WHERE visit_time > '$\History$\User Data$`$chrome.exe$d$url_visited$urls$visits
API String ID: 910778831-1942304528
Opcode ID: e1b860f3d96e335bcf54a6935c14f66c714723efc5ca04a5e5c48c2142bfc729
Instruction ID: e88e3eaff49d6ae0a3daafea58fb03a018f276063d829bbe874686dec10a2e02
Opcode Fuzzy Hash: e1b860f3d96e335bcf54a6935c14f66c714723efc5ca04a5e5c48c2142bfc729
Instruction Fuzzy Hash: E7929F719112599BDB25CF24CE89BDEB7B5AF45308F2041D8D018A72A0DB7DABC8CF52

Function 6BEC67C0 Relevance: 19.7, APIs: 13, Instructions: 201
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(00000400,00000000,00000000,?), ref: 6BEC67F2
OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 6BEC680E
CloseHandle.KERNEL32(00000000), ref: 6BEC6819
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 6BEC6864
GetLastError.KERNEL32 ref: 6BEC686E
GetProcessHeap.KERNEL32(00000008,00000000), ref: 6BEC6883
HeapAlloc.KERNEL32(00000000), ref: 6BEC688A
GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000104,00000000), ref: 6BEC68AC
LookupAccountSidW.ADVAPI32(00000000,?,?,?,?,?,?), ref: 6BEC68DA
GetProcessHeap.KERNEL32(00000000,?), ref: 6BEC69FD
HeapFree.KERNEL32(00000000), ref: 6BEC6A04
CloseHandle.KERNEL32(00000000), ref: 6BEC6A15
CloseHandle.KERNEL32(00000000), ref: 6BEC6A18

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: HeapProcess$CloseHandleToken$InformationOpen$AccountAllocErrorFreeLastLookup
String ID:
API String ID: 621498774-0
Opcode ID: 6569afba01206e6eebd1e7af6286e2b2cf5afe77f9437804bcb43778129b6713
Instruction ID: 0a9ce9c673526a4e3f1535eee6726e424b0252433d3bd1d9ade93410a477aadd
Opcode Fuzzy Hash: 6569afba01206e6eebd1e7af6286e2b2cf5afe77f9437804bcb43778129b6713
Instruction Fuzzy Hash: ED61CC72614341AFDB10CF74CD99BAFB7A9ABC4308F104A1DF5A587290DB78E908CB52

Function 6BECADF0 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 403
comtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocalTime.KERNEL32(?,62F1F502), ref: 6BECAE7C
CoInitialize.OLE32(00000000), ref: 6BECAE8C
CoCreateInstance.OLE32(6BFE2EE4,00000000,00000001,6BFDC870,?), ref: 6BECAEA4

Strings

MUIDB, xrefs: 6BECB2DF
http, xrefs: 6BECB0FA

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: CreateInitializeInstanceLocalTime
String ID: MUIDB$http
API String ID: 3077042458-4134574334
Opcode ID: ed8d2b56999d4c4199346633792f6a15561c9412a5f7a74aaf4e5ff1db8ad573
Instruction ID: 68fcdd712ccc13a4b7d04f014689a5ff99bb469d6c4eef7af1b5c683da177397
Opcode Fuzzy Hash: ed8d2b56999d4c4199346633792f6a15561c9412a5f7a74aaf4e5ff1db8ad573
Instruction Fuzzy Hash: A8F16A71E00209DFDB14CFA8C995BEEBBB5FF44304F208159E415AB390D779AA85CB92

Function 6BEED970 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 320
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPrivateProfileStringW.KERNEL32(?,Default,6BFDC88C,?,00000104,?), ref: 6BEEDBDD
GetPrivateProfileStringW.KERNEL32(?,Path,6BFDC88C,?,00000104,?), ref: 6BEEDCC5
CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,?,000000FF,?,Path,6BFDC88C,?,00000104,?,00000000,00000007), ref: 6BEEDCE5

Strings

Default, xrefs: 6BEEDBD7
install, xrefs: 6BEEDB3F
Path, xrefs: 6BEEDCBF

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: String$PrivateProfile$Compare
String ID: Default$Path$install
API String ID: 365521158-1684057064
Opcode ID: 98ee2d98c34f90605462d8def55402d6d02baa976779783660b655febb699f05
Instruction ID: f90fa31c6c06f42c419b6a6fad7b62c9189f0c0ef892ab2af9f110b4e14f334c
Opcode Fuzzy Hash: 98ee2d98c34f90605462d8def55402d6d02baa976779783660b655febb699f05
Instruction Fuzzy Hash: D1C1E1B5A002188BDF24CF24CD80B9DB7B5EB85308F6082DDE509972A0E7789EC5CF65

Function 6BEC5210 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 272processCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,6BFDC88C,00000000,6BFDC88C,00000000,62F1F502), ref: 6BEC52AE

Part of subcall function 6BEC67C0: OpenProcess.KERNEL32(00000400,00000000,00000000,?), ref: 6BEC67F2
Part of subcall function 6BEC67C0: OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 6BEC680E
Part of subcall function 6BEC67C0: CloseHandle.KERNEL32(00000000), ref: 6BEC6819

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6BEC52E5
Process32FirstW.KERNEL32(00000000,0000022C), ref: 6BEC5324
Process32NextW.KERNEL32(00000000,0000022C), ref: 6BEC54ED
CloseHandle.KERNEL32(00000000), ref: 6BEC5515

Strings

}Pk, xrefs: 6BEC5595

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: Process$CloseHandleOpenProcess32$CreateCurrentFirstNextSnapshotTokenToolhelp32
String ID: }Pk
API String ID: 11435499-4118343697
Opcode ID: 6bab9a990f8652422e4ae9c1d3d0281b96c21cf350608aa12528fd1910c5b45c
Instruction ID: bec67868cbbfbf00f0ccc1f51082beb79783a29be00f7762f510401a1b91037d
Opcode Fuzzy Hash: 6bab9a990f8652422e4ae9c1d3d0281b96c21cf350608aa12528fd1910c5b45c
Instruction Fuzzy Hash: CFA1B131E00208DFDF14CFA8CD8ABDEBBB5BF45308F244158D515A7251D778AA89CB62

Function 6BEDC660 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 219fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,*.xml,00000005,\searchplugins\,0000000F,?,62F1F502), ref: 6BEDC6DA
FindNextFileW.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,\searchplugins\,0000000F,?), ref: 6BEDC8F3
FindClose.KERNEL32(00000000), ref: 6BEDC909

Strings

*.xml, xrefs: 6BEDC6BA
\searchplugins\, xrefs: 6BEDC6A4, 6BEDC785

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: *.xml$\searchplugins\
API String ID: 3541575487-545082465
Opcode ID: de4bb82530f94a63fb3773b1728fffd59b8beb673fe2ebf7b9402b7d5f91eb2f
Instruction ID: 4d1b6a20f8d7eb416e339b55b6e342e9d2bc445be74c892d583bb29ce1eeba59
Opcode Fuzzy Hash: de4bb82530f94a63fb3773b1728fffd59b8beb673fe2ebf7b9402b7d5f91eb2f
Instruction Fuzzy Hash: E0918C71A102589BDB14CF64CD85BDEBBB9BF45308F204299E009A7291DB786B89CF51

Function 6BFA8EC6 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 156timeCOMMON

Download Yara Rule

APIs

Part of subcall function 6BFB860C: RtlFreeHeap.NTDLL(00000000,00000000,?,6BFC20B7,?,00000000,?,?,6BFC2358,?,00000007,?,?,6BFC1833,?,?), ref: 6BFB8622
Part of subcall function 6BFB860C: GetLastError.KERNEL32(?,?,6BFC20B7,?,00000000,?,?,6BFC2358,?,00000007,?,?,6BFC1833,?,?), ref: 6BFB862D

GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,6BFA9079,00000000,00000000,00000000), ref: 6BFA8F38

Strings

Eastern Daylight Time, xrefs: 6BFA8FE5
Eastern Standard Time, xrefs: 6BFA8FD1

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Daylight Time$Eastern Standard Time
API String ID: 3335090040-1879052519
Opcode ID: 6b15344b9a5998407dcd737aef18b47639aa759b815e1bbecf8c7bec0ca54191
Instruction ID: a7185bb6dd94d422a587a721f81065c2911c2e4a83e07d147909ec362157d1b3
Opcode Fuzzy Hash: 6b15344b9a5998407dcd737aef18b47639aa759b815e1bbecf8c7bec0ca54191
Instruction Fuzzy Hash: 9741B573C00216EACF189FB98C46A8A7BBCEF45764B10C165E414E72B1EF79D904CB91

Function 6BECFD26 Relevance: 44.7, APIs: 4, Strings: 21, Instructions: 915
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocalTime.KERNEL32(?,moz_historyvisits), ref: 6BED0295
wsprintfW.USER32 ref: 6BED02D3
wsprintfW.USER32 ref: 6BED02FD
wsprintfW.USER32 ref: 6BED0327

Strings

PPB, xrefs: 6BED0A25
0, xrefs: 6BED008E
MUIDB, xrefs: 6BED0B0F
RQ7(, xrefs: 6BED097F
%s-%d, xrefs: 6BED02F7, 6BED0321
w9RQG1, xrefs: 6BED006D
*r, xrefs: 6BED0A80
`, xrefs: 6BED01F8
/r, xrefs: 6BED0A7B
%s-0%d, xrefs: 6BED02F0, 6BED031A
4r, xrefs: 6BED0A76
URLS, xrefs: 6BED05D2
general.useragent.locale, xrefs: 6BECFD4F
PvB, xrefs: 6BED09FF
moz_historyvisits, xrefs: 6BED0264
SELECT Temp.URL_Visited AS URLS FROM (SELECT date(moz_historyvisits.visit_date/1000000,'unixepoch','localtime') AS DATE_Visited, moz_places.url AS URL_Visited FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id) AS Temp WHERE Te, xrefs: 6BED0412
k], xrefs: 6BECFFF0
moz_places, xrefs: 6BED0276
\places.sqlite, xrefs: 6BED01AC
Null Sqlite Statement pointer, xrefs: 6BED09DF, 6BED0A05
d, xrefs: 6BED0249

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: wsprintf$LocalTime
String ID: %s-%d$%s-0%d$MUIDB$Null Sqlite Statement pointer$PPB$PvB$RQ7($SELECT Temp.URL_Visited AS URLS FROM (SELECT date(moz_historyvisits.visit_date/1000000,'unixepoch','localtime') AS DATE_Visited, moz_places.url AS URL_Visited FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id) AS Temp WHERE Te$URLS$\places.sqlite$`$d$general.useragent.locale$moz_historyvisits$moz_places$w9RQG1$*r$/r$4r$k]$0
API String ID: 4235281863-2564450914
Opcode ID: 012f2699c409193b644124898cd9e348f2125cbaf3e96a9f95d2ae8714e5af4f
Instruction ID: d0032fb382e4fdba99002a7fa3ff58369708dc2f0d00688e36226822dc66327a
Opcode Fuzzy Hash: 012f2699c409193b644124898cd9e348f2125cbaf3e96a9f95d2ae8714e5af4f
Instruction Fuzzy Hash: 3B82F271E002599BDB24CF68CD98BDEBBB5AF44308F2441D8D018A7291DB799BC5CFA1

Function 6BEEB5A0 Relevance: 38.6, APIs: 1, Strings: 20, Instructions: 1837COMMON

Download Yara Rule

APIs

Part of subcall function 6BEE9960: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Mozilla\Mozilla Firefox,00000000,00000201,?,62F1F502), ref: 6BEE99E3
Part of subcall function 6BEE9960: RegCloseKey.ADVAPI32(?), ref: 6BEE9A2F
Part of subcall function 6BEE9960: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Mozilla\Mozilla Firefox,00000000,00000101,?), ref: 6BEE9A54
Part of subcall function 6BEE9960: RegCloseKey.ADVAPI32(?), ref: 6BEE9A9D

Part of subcall function 6BEED180: GetPrivateProfileSectionNamesW.KERNEL32(?,00000400,00000000), ref: 6BEED2BD

PathFileExistsW.SHLWAPI(?,?,?,?,?,\search-metadata.json,00000015,6BFDC88C,00000000,00000000,6BFDC88C,00000000,6BFDC88C,00000000,62F1F502), ref: 6BEEBD86

Strings

browser.search.param.ms-pc, xrefs: 6BEECBDD
https://www.bing.com, xrefs: 6BEEB9C9, 6BEEBC3D
browser.search.isUS, xrefs: 6BEEC1D3
bing, xrefs: 6BEEB99C, 6BEEBC12
true, xrefs: 6BEEC270
current, xrefs: 6BEEBEA0
), xrefs: 6BEECD5F
hash, xrefs: 6BEEBE42
searchdefault, xrefs: 6BEEBFBC
browser.search.countryCode, xrefs: 6BEEC44D
ms-pc, xrefs: 6BEECBAD
browser.search.selectedEngine, xrefs: 6BEECA2B
browser.search.defaultenginename, xrefs: 6BEEC2D5, 6BEEC502, 6BEEC788, 6BEEC959, 6BEECAF0
\search.json.mozlz4, xrefs: 6BEEB823, 6BEEBAD3
.US, xrefs: 6BEEC2AE
[global], xrefs: 6BEEBDE6
browser.urlbar.placeholderName, xrefs: 6BEEB76D
browser.search.region, xrefs: 6BEEC6D3
\search-metadata.json, xrefs: 6BEEBD54
?pc=, xrefs: 6BEECD46

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: CloseOpen$ExistsFileNamesPathPrivateProfileSection
String ID: )$.US$?pc=$[global]$\search-metadata.json$\search.json.mozlz4$bing$browser.search.countryCode$browser.search.defaultenginename$browser.search.isUS$browser.search.param.ms-pc$browser.search.region$browser.search.selectedEngine$browser.urlbar.placeholderName$current$hash$https://www.bing.com$ms-pc$searchdefault$true
API String ID: 203803860-3920838181
Opcode ID: fe41f73c0187ccc76055008c1737f128d40c5a7cca2ab081b4153a79cc887880
Instruction ID: 233032e4d29d8a6e3dc35405736de2f8b30e1fe287a672fee2d7afe67a7eb728
Opcode Fuzzy Hash: fe41f73c0187ccc76055008c1737f128d40c5a7cca2ab081b4153a79cc887880
Instruction Fuzzy Hash: 82F27F71E00258DFDB14CFA8CD84BDDBBB1AF45308F248199D019AB391D7799A86CF61

Function 6BED0B80 Relevance: 33.4, APIs: 6, Strings: 13, Instructions: 172
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Mozilla\Mozilla Firefox,00000000,00000201,?,6BFDC88C,00000000,62F1F502,?,?), ref: 6BED0BED
RegQueryValueExW.ADVAPI32(?,CurrentVersion,00000000,00000000,?,00000040), ref: 6BED0C1D
RegCloseKey.ADVAPI32(?), ref: 6BED0C39
RegOpenKeyExW.ADVAPI32(80000002,00000021,00000000,00000201,?,\Main,00000005,?,?,SOFTWARE\Mozilla\Mozilla Firefox\,00000021), ref: 6BED0CED
RegQueryValueExW.ADVAPI32(?,Install Directory,00000000,00000000,?,00000104), ref: 6BED0D1B
RegCloseKey.ADVAPI32(?), ref: 6BED0D36

Strings

0eu, xrefs: 6BED0C2E
Default, xrefs: 6BED1120
@, xrefs: 6BED0BCA
SOFTWARE\Mozilla\Mozilla Firefox\, xrefs: 6BED0C4D
CurrentVersion, xrefs: 6BED0C12
Name, xrefs: 6BED11A2
Install Directory, xrefs: 6BED0D10
profiles.ini, xrefs: 6BED107B
SOFTWARE\Mozilla\Mozilla Firefox, xrefs: 6BED0BDD
default, xrefs: 6BED11B0
\Main, xrefs: 6BED0CA4
IsRelative, xrefs: 6BED12BA
Path, xrefs: 6BED122B

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: 0eu$@$CurrentVersion$Default$Install Directory$IsRelative$Name$Path$SOFTWARE\Mozilla\Mozilla Firefox$SOFTWARE\Mozilla\Mozilla Firefox\$\Main$default$profiles.ini
API String ID: 3677997916-2264790727
Opcode ID: c6313cac45810821c069318d423e59438a1099c689d7805d28367d783a395d1b
Instruction ID: 8dd850d44cbde2ce1ff75a15172832d7071bd15b7d629cef34a4b94fb0952e9b
Opcode Fuzzy Hash: c6313cac45810821c069318d423e59438a1099c689d7805d28367d783a395d1b
Instruction Fuzzy Hash: 6151A472A00229ABDB20DF24CC59FDEB778EF44704F1401DAE919A7251DB78AE85CF64

Function 6BEED180 Relevance: 32.0, APIs: 11, Strings: 7, Instructions: 511
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6BEED180: SHGetFolderPathAndSubDirW.SHELL32(00000000,0000001A,00000000,00000000,Mozilla\Firefox,?,6BFDC88C,00000000,7565E430), ref: 6BEED026

GetPrivateProfileSectionNamesW.KERNEL32(?,00000400,00000000), ref: 6BEED2BD
GetPrivateProfileStringW.KERNEL32(?,Default,6BFDC88C,?,00000020,00000000), ref: 6BEED356
CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,6BFE2FB4,000000FF), ref: 6BEED36D
GetPrivateProfileStringW.KERNEL32(?,Name,6BFDC88C,?,00000104,00000000), ref: 6BEED47D
CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,default,000000FF), ref: 6BEED497
GetPrivateProfileStringW.KERNEL32(?,Path,6BFDC88C,?,00000104,00000000), ref: 6BEED5CD
PathRemoveBlanksW.SHLWAPI(?), ref: 6BEED5DE
GetPrivateProfileIntW.KERNEL32(?,IsRelative,00000001,00000000), ref: 6BEED673
PathIsRelativeW.SHLWAPI(?), ref: 6BEED684
PathCanonicalizeW.SHLWAPI(?,00000000,?,?,?), ref: 6BEED739
CompareStringW.KERNEL32(0000007F,00000001,00000000,00000000,?,00000000,?,?,?,?,?), ref: 6BEED7D0

Strings

Default, xrefs: 6BEED350
Name, xrefs: 6BEED477
Mozilla\Firefox, xrefs: 6BEED019
default, xrefs: 6BEED485
profiles.ini, xrefs: 6BEED269
IsRelative, xrefs: 6BEED66D
Path, xrefs: 6BEED5C7

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: String$PrivateProfile$Path$Compare$BlanksCanonicalizeFolderNamesRelativeRemoveSection
String ID: Default$IsRelative$Mozilla\Firefox$Name$Path$default$profiles.ini
API String ID: 1186689555-1773336731
Opcode ID: fcf5731ffd1e047f9c6a9e0969688ea95c2f89c8f20b23e6353773a859f8c3f7
Instruction ID: 8b196c1a804d9e7832fb06de07c7ce95e3dad9d62baa536c87e0c42e0e9fad1c
Opcode Fuzzy Hash: fcf5731ffd1e047f9c6a9e0969688ea95c2f89c8f20b23e6353773a859f8c3f7
Instruction Fuzzy Hash: C4129275A501199BEB24CF28CC95FEDB775AB80308F2042D9D01DA7290DF79AAC9CF61

Function 6BEDA880 Relevance: 30.2, APIs: 12, Strings: 5, Instructions: 470
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe,00000000,00000101,?,62F1F502,?,?,?), ref: 6BEDA8E9
RegQueryValueExW.KERNELBASE(?,6BFDC88C,00000000,00000000,?,00000040,?,?,?), ref: 6BEDA915
RegCloseKey.ADVAPI32(?,?,?,?), ref: 6BEDA931
RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe,00000000,00000201,?,?,?,?), ref: 6BEDA956
RegQueryValueExW.KERNELBASE(?,6BFDC88C,00000000,00000000,?,00000040,?,?,?), ref: 6BEDA980
RegCloseKey.ADVAPI32(?,?,?,?), ref: 6BEDA99B
RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Mozilla\Mozilla Firefox,00000000,00000201,?,?,?,?), ref: 6BEDA9C4
RegQueryValueExW.ADVAPI32(?,CurrentVersion,00000000,00000000,?,00000040,?,?,?), ref: 6BEDA9EE
RegCloseKey.ADVAPI32(?,?,?,?), ref: 6BEDAA09
RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Mozilla\Mozilla Firefox,00000000,00000101,?,?,?,?), ref: 6BEDAA32
RegQueryValueExW.KERNELBASE(?,CurrentVersion,00000000,00000000,?,00000040,?,?,?), ref: 6BEDAA5C
RegCloseKey.ADVAPI32(?,?,?,?), ref: 6BEDAA77

Strings

0eu, xrefs: 6BEDA926
SOFTWARE\Mozilla\Mozilla Firefox, xrefs: 6BEDA9B4, 6BEDAA22
CurrentVersion, xrefs: 6BEDA9E3, 6BEDAA51
Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe, xrefs: 6BEDA8D9, 6BEDA946
@, xrefs: 6BEDA8CE

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: 0eu$@$CurrentVersion$SOFTWARE\Mozilla\Mozilla Firefox$Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
API String ID: 3677997916-2904677899
Opcode ID: 4941389e6cf53bc3f1e48a7de308d8c84e61f755829b30dac8d654fa6e8892a2
Instruction ID: 51aefd19f9e1e88839831e6e0257b67c0d897352ae2f4221023d31dfa3b04c7e
Opcode Fuzzy Hash: 4941389e6cf53bc3f1e48a7de308d8c84e61f755829b30dac8d654fa6e8892a2
Instruction Fuzzy Hash: 84029471A402299BEB24CF34CC85F9DB7B6AF44304F2046D9E61DA7290D7B89B85CF61

Function 6BED6B00 Relevance: 29.3, APIs: 1, Strings: 15, Instructions: 1328fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 6BED76A1

Strings

\omni.ja, xrefs: 6BED714F, 6BED71AF
\browser, xrefs: 6BED712A
\prefs.js, xrefs: 6BED6EED, 6BED76DF
\chrome\, xrefs: 6BED6CBA
\omni.jar, xrefs: 6BED721F
\defaults\preferences\firefox.js, xrefs: 6BED6E47
resource:/browserconfig.properties, xrefs: 6BED79B4
defaults/pref/firefox.js, xrefs: 6BED7579
defaults/preferences/firefox-branding.js, xrefs: 6BED763C
defaults/preferences/firefox.js, xrefs: 6BED75A9
\browserconfig.properties, xrefs: 6BED6B81
defaults/pref/firefox-branding.js, xrefs: 6BED760E
\defaults\pref\firefox.js, xrefs: 6BED6D97
chrome://browser-region/locale/region.properties, xrefs: 6BED7A34, 6BED7C0B
chrome://branding/locale/browserconfig.properties, xrefs: 6BED7B8D

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: DeleteFile
String ID: \browser$\browserconfig.properties$\chrome\$\defaults\pref\firefox.js$\defaults\preferences\firefox.js$\omni.ja$\omni.jar$\prefs.js$chrome://branding/locale/browserconfig.properties$chrome://browser-region/locale/region.properties$defaults/pref/firefox-branding.js$defaults/pref/firefox.js$defaults/preferences/firefox-branding.js$defaults/preferences/firefox.js$resource:/browserconfig.properties
API String ID: 4033686569-2390963644
Opcode ID: 0251e5d8a0c87805b40a25308220e54fdc273a2dddb3202063810709b6562a6b
Instruction ID: dd3cffb952c2c9240e23f0dfaa264ac16ef39b7fe71aa18c7ec6c8179fb790b3
Opcode Fuzzy Hash: 0251e5d8a0c87805b40a25308220e54fdc273a2dddb3202063810709b6562a6b
Instruction Fuzzy Hash: 46B2B231A00219DFDB14CF68CD80BEDBB72FF45318F248298D415AB295D779AE86CB61

Function 6BED5F00 Relevance: 25.8, APIs: 1, Strings: 13, Instructions: 1316fileCOMMON

Download Yara Rule

APIs

Part of subcall function 6BF895B0: CreateFileW.KERNEL32(6BFDC88C,80000000,00000001,00000000,00000003,00000080,00000000,?,?), ref: 6BF895F5
Part of subcall function 6BF895B0: GetFileInformationByHandle.KERNEL32(00000000,?), ref: 6BF8960C
Part of subcall function 6BF895B0: ReadFile.KERNEL32(6F636E69,00000000,?,00000000,00000000,00000000), ref: 6BF8963C

DeleteFileW.KERNEL32(00000000), ref: 6BED6151

Strings

defaults/pref/firefox-l10n.js, xrefs: 6BED6034
locale/branding/browserconfig.properties, xrefs: 6BED65D3
\prefs.js, xrefs: 6BED6EED
\chrome\, xrefs: 6BED6CBA
\defaults\preferences\firefox.js, xrefs: 6BED6E47
resource:/browserconfig.properties, xrefs: 6BED79B4
general.useragent.locale, xrefs: 6BED6186
\browserconfig.properties, xrefs: 6BED6B81
defaults/preferences/firefox-l10n.js, xrefs: 6BED6067
\defaults\pref\firefox.js, xrefs: 6BED6D97
chrome/, xrefs: 6BED6330, 6BED66E1
locale/browser-region/region.properties, xrefs: 6BED6222
pref\s*$\s*"(.+)"\s*,\s*(.+)\s*$\s*;, xrefs: 6BED6113

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: File$CreateDeleteHandleInformationRead
String ID: \browserconfig.properties$\chrome\$\defaults\pref\firefox.js$\defaults\preferences\firefox.js$\prefs.js$chrome/$defaults/pref/firefox-l10n.js$defaults/preferences/firefox-l10n.js$general.useragent.locale$locale/branding/browserconfig.properties$locale/browser-region/region.properties$pref\s*$\s*"(.+)"\s*,\s*(.+)\s*$\s*;$resource:/browserconfig.properties
API String ID: 2082933912-399515152
Opcode ID: e38f7eaae00f30cc140cd9f7fd3a6e8d4df2478dd074bc5c04f12bc57e66eaee
Instruction ID: ecf94db464eafd6930f8554e5c63b77dd8c95cf22d1c80029bf1e029b48e04df
Opcode Fuzzy Hash: e38f7eaae00f30cc140cd9f7fd3a6e8d4df2478dd074bc5c04f12bc57e66eaee
Instruction Fuzzy Hash: 67B2C431A00259DFDB24CF68CD85BDDBBB2BF44308F208298D409AB295D7799E85CF61

Function 6BECA750 Relevance: 23.2, APIs: 9, Strings: 4, Instructions: 452
registrycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Internet Explorer\International,00000000,00000001,?), ref: 6BECA812
RegQueryValueExW.KERNELBASE(?,AcceptLanguage,00000000,00000000,?,00000104), ref: 6BECA840
RegCloseKey.ADVAPI32(?), ref: 6BECA85B
CoInitialize.OLE32(00000000), ref: 6BECAABB
CoCreateInstance.OLE32(6BFDC860,00000000,00000001,6BFE3134,00000000), ref: 6BECAAD6
GetUserDefaultUILanguage.KERNEL32(?), ref: 6BECAB0E
GetUserDefaultLCID.KERNEL32(?), ref: 6BECAB18
GetSystemDefaultUILanguage.KERNEL32(?), ref: 6BECAC70
GetSystemDefaultLCID.KERNEL32(?), ref: 6BECAC7A

Strings

0eu, xrefs: 6BECA85B
AcceptLanguage, xrefs: 6BECA835
Software\Microsoft\Internet Explorer\International, xrefs: 6BECA808
en-us, xrefs: 6BECABE2

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: Default$LanguageSystemUser$CloseCreateInitializeInstanceOpenQueryValue
String ID: 0eu$AcceptLanguage$Software\Microsoft\Internet Explorer\International$en-us
API String ID: 497577694-3552334259
Opcode ID: 048658d6613d8eff5cc8888300d1e730a456c1645973610216e73b4abe0bd51d
Instruction ID: b1d6e2a2c2ad75ab316a67c3680fc89832a363e4219a5d69ab095b81c5be2d6a
Opcode Fuzzy Hash: 048658d6613d8eff5cc8888300d1e730a456c1645973610216e73b4abe0bd51d
Instruction Fuzzy Hash: BA02B371A402189BDF24CF34CD89B9EB775EB44308F6042D9E419A72A4DB399E85CF52

Function 6BED5720 Relevance: 23.1, APIs: 6, Strings: 7, Instructions: 398
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Mozilla\Mozilla Firefox,00000000,00000201,?,user_pref\s*$\s*"(.+)"\s*,\s*(.+)\s*$\s*;,0000002B,00000026,00000026,00000010,(.+?)\s*=\s*(.+),00000010,?,?), ref: 6BED5AB8
RegQueryValueExW.ADVAPI32(?,CurrentVersion,00000000,00000000,?,00000040), ref: 6BED5AEE
RegCloseKey.ADVAPI32(?), ref: 6BED5B06
RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Mozilla\Mozilla Firefox,00000000,00000101,?), ref: 6BED5B2B
RegQueryValueExW.KERNELBASE(?,CurrentVersion,00000000,00000000,?,00000040), ref: 6BED5B59
RegCloseKey.ADVAPI32(?), ref: 6BED5B70

Strings

0eu, xrefs: 6BED5AFB
(.+?)\s*=\s*(.+), xrefs: 6BED5827, 6BED5901
SOFTWARE\Mozilla\Mozilla Firefox, xrefs: 6BED5AA8, 6BED5B1B
CurrentVersion, xrefs: 6BED5AE3, 6BED5B4E
@, xrefs: 6BED5A9D
user_pref\s*$\s*"(.+)"\s*,\s*(.+)\s*$\s*;, xrefs: 6BED5A7B
pref\s*$\s*"(.+)"\s*,\s*(.+)\s*$\s*;, xrefs: 6BED597F, 6BED59FD

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: (.+?)\s*=\s*(.+)$0eu$@$CurrentVersion$SOFTWARE\Mozilla\Mozilla Firefox$pref\s*$\s*"(.+)"\s*,\s*(.+)\s*$\s*;$user_pref\s*$\s*"(.+)"\s*,\s*(.+)\s*$\s*;
API String ID: 3677997916-134303973
Opcode ID: 74828750267a17911c87d00ba875e2b8f26e65a6d0e48b9f14d324d989f8f4ae
Instruction ID: 23e479d64ba99cb02c52b28fbcafc0d5bbae74688764e0f128cbf6471cd88f22
Opcode Fuzzy Hash: 74828750267a17911c87d00ba875e2b8f26e65a6d0e48b9f14d324d989f8f4ae
Instruction Fuzzy Hash: F3025BB1901315DFEB21CF24C999B9ABBF0EF05304F1481D9D94CAB291D3B99A85CFA1

Function 6BF0F260 Relevance: 21.3, APIs: 1, Strings: 11, Instructions: 335
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000003,00000000,-00000003,04000102,00000000), ref: 6BF0F45D

Strings

etilqs_, xrefs: 6BF0F09C
cannot open file at line %d of [%.10s], xrefs: 6BF0F595
delayed %dms for lock/sharing conflict at line %d, xrefs: 6BF0F4E6
os_win.c:%d: (%lu) %s(%s) - %s, xrefs: 6BF0EE28, 6BF0EF35, 6BF0F077, 6BF0F1F7
winGetTempname5, xrefs: 6BF0F06B
cf538e2783e468bbc25e7cb2a9ee64d3e0e80b2f, xrefs: 6BF0F58B
winGetTempname1, xrefs: 6BF0EE1C
psow, xrefs: 6BF0F60C
winGetTempname2, xrefs: 6BF0EF2A
winGetTempname4, xrefs: 6BF0F1EB
winOpen, xrefs: 6BF0F512

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: CreateFile
String ID: cannot open file at line %d of [%.10s]$cf538e2783e468bbc25e7cb2a9ee64d3e0e80b2f$delayed %dms for lock/sharing conflict at line %d$etilqs_$os_win.c:%d: (%lu) %s(%s) - %s$psow$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5$winOpen
API String ID: 823142352-2714259951
Opcode ID: f5e3fd0b5c0bfdba53611b4d828a2e0da90e82744b17cde4fec0863039668d98
Instruction ID: 1f0ea2ebe44bc321920926d09d8314fffb9cbbfc0841a12c6c4df1c3e4d31c4e
Opcode Fuzzy Hash: f5e3fd0b5c0bfdba53611b4d828a2e0da90e82744b17cde4fec0863039668d98
Instruction Fuzzy Hash: 12C1E372604302ABEB508F24D85276AB7F4EF85328F04092DF855D72F1EB79E845DB86

Function 6BECF770 Relevance: 14.3, APIs: 2, Strings: 6, Instructions: 341
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6BECF770: SHGetFolderPathAndSubDirW.SHELL32(00000000,0000001C,00000000,00000000,Google\Chrome,?,00000000,62F1F502,?), ref: 6BECFB17

PathFileExistsW.SHLWAPI(?,?,?,?,?,\User Data\Local State,00000016,?,Default,00000007,62F1F502), ref: 6BECF850

Part of subcall function 6BEC7C20: CreateFileW.KERNEL32(?,?,00000001,00000000,00000003,00000080,00000000,62F1F502), ref: 6BEC7CA2
Part of subcall function 6BEC7C20: GetFileInformationByHandle.KERNEL32(00000000,?), ref: 6BEC7CB8
Part of subcall function 6BEC7C20: ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 6BEC7CF5
Part of subcall function 6BEC7C20: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 6BEC7D26

Strings

Default, xrefs: 6BECF7D2
\User Data\Local State, xrefs: 6BECF820
profile, xrefs: 6BECF8AD
p5, xrefs: 6BECFC0A
Google\Chrome, xrefs: 6BECFB0A
last_used, xrefs: 6BECF907

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: File$Path$ByteCharCreateExistsFolderHandleInformationMultiReadWide
String ID: Default$Google\Chrome$\User Data\Local State$last_used$profile$p5
API String ID: 2435013005-4198945570
Opcode ID: 3126cc8267dbc520855018b3666892d8f37d6a90aff631ce677290de0df294ff
Instruction ID: 18330836336e27ead810796aba1bbf9b20e6776df5adbe9ebd31cfc2b434cab3
Opcode Fuzzy Hash: 3126cc8267dbc520855018b3666892d8f37d6a90aff631ce677290de0df294ff
Instruction Fuzzy Hash: AED1B471A00205EBDB24CFA4CD55BAEB7B5AF44308F20419DE4259B690DB7DAA48CBD2

Function 6BECCFB0 Relevance: 14.3, APIs: 2, Strings: 6, Instructions: 340
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6BECCFB0: SHGetFolderPathAndSubDirW.SHELL32(00000000,0000001C,00000000,00000000,Microsoft\Edge,?,00000000,62F1F502,?), ref: 6BECD357

PathFileExistsW.SHLWAPI(?,?,?,?,?,\User Data\Local State,00000016,?,Default,00000007,62F1F502), ref: 6BECD090

Part of subcall function 6BEC7C20: CreateFileW.KERNEL32(?,?,00000001,00000000,00000003,00000080,00000000,62F1F502), ref: 6BEC7CA2
Part of subcall function 6BEC7C20: GetFileInformationByHandle.KERNEL32(00000000,?), ref: 6BEC7CB8
Part of subcall function 6BEC7C20: ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 6BEC7CF5
Part of subcall function 6BEC7C20: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 6BEC7D26

Strings

Default, xrefs: 6BECD012
\User Data\Local State, xrefs: 6BECD060
profile, xrefs: 6BECD0ED
last_used, xrefs: 6BECD147
Microsoft\Edge, xrefs: 6BECD34A
0], xrefs: 6BECD44A

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: File$Path$ByteCharCreateExistsFolderHandleInformationMultiReadWide
String ID: Default$Microsoft\Edge$\User Data\Local State$last_used$profile$0]
API String ID: 2435013005-3379677144
Opcode ID: 435ae2943e17694933afe635ecaf10c761e54aa963cb1db8d10d0336106cd092
Instruction ID: b37596e0b22791364c73420eb8ed45b430dde2556ce00cc460d15119da3c1fa0
Opcode Fuzzy Hash: 435ae2943e17694933afe635ecaf10c761e54aa963cb1db8d10d0336106cd092
Instruction Fuzzy Hash: 21D1D371A40205EFDB24CF68CD45BAFB7B5FF44308F20419DE4259B690DB79AA44CB92

Function 6BF899D0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 155
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(000000F6,?,00000000,00000000), ref: 6BF89A10
GetTempFileNameW.KERNEL32(?,ZMG,00000000,?), ref: 6BF89A3E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00000000), ref: 6BF89A98
WriteFile.KERNEL32(00000000,?,00000008,00000000,00000000), ref: 6BF89AF0
CloseHandle.KERNEL32(00000000), ref: 6BF89B09
CloseHandle.KERNEL32(00000000), ref: 6BF89B59
DeleteFileW.KERNEL32(?), ref: 6BF89B91

Strings

ZMG, xrefs: 6BF89A32

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: File$CloseHandleTemp$CreateDeleteNamePathWrite
String ID: ZMG
API String ID: 2444442441-856004367
Opcode ID: 5186ee61fd7f09452ef2a17e2c4834aacdabf11a3a4c3c871983c00e82bae4a6
Instruction ID: e9e62421f12300606eb229ca5625716bc5b879af87d9cfb3adc49bdc22254c45
Opcode Fuzzy Hash: 5186ee61fd7f09452ef2a17e2c4834aacdabf11a3a4c3c871983c00e82bae4a6
Instruction Fuzzy Hash: 71510872A00105ABDB14CF78DC55BBAB7F9EB84700F1041EDE8159B1A2CB78DB85CB60

Function 6BFBC619 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 292
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 6BFBC89A, 6BFBC89D

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 835c3363c665ae30ce7dddc20d8ea90ad348cfc6da0583b261ba343b318fbe19
Instruction ID: 34becf7e0557974b8bfc61a8d559d49969ac93355ebe07d9993c3a5a1022588b
Opcode Fuzzy Hash: 835c3363c665ae30ce7dddc20d8ea90ad348cfc6da0583b261ba343b318fbe19
Instruction Fuzzy Hash: 81B10672E04206AFEB01CFAAC881BAF7FB5BF4A314F104199E515972B1C779D941CBA1

Function 6BEC7C20 Relevance: 9.2, APIs: 6, Instructions: 226fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,00000001,00000000,00000003,00000080,00000000,62F1F502), ref: 6BEC7CA2
GetFileInformationByHandle.KERNEL32(00000000,?), ref: 6BEC7CB8
ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 6BEC7CF5
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 6BEC7D26
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 6BEC7D54
CloseHandle.KERNEL32(00000000), ref: 6BEC7E68

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: File$ByteCharHandleMultiWide$CloseCreateInformationRead
String ID:
API String ID: 390388180-0
Opcode ID: 43d22615bb661ab4299451deba861ad2945689396d916b78b23d53e99f697649
Instruction ID: 2308748c3de60c1f9918e810b25f5887718b8bc235068c1ae1f14737d62f9bcc
Opcode Fuzzy Hash: 43d22615bb661ab4299451deba861ad2945689396d916b78b23d53e99f697649
Instruction Fuzzy Hash: 3071A772A002099FDB14CF74CD55BAF77B9EB45714F20821DE4269B390DB39E944CB62

Function 6BFA8C34 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 408timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,6BFA9079,00000000,00000000,00000000), ref: 6BFA8F38

Strings

Eastern Daylight Time, xrefs: 6BFA8FE5
Eastern Standard Time, xrefs: 6BFA8FD1

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: InformationTimeZone
String ID: Eastern Daylight Time$Eastern Standard Time
API String ID: 565725191-1879052519
Opcode ID: c08c0d1c6ac7c2075e83f4c51dbfdbc5faaf95a390f9097dd59dfff35b4bc1d4
Instruction ID: ebc1808f12801b65690f2b5002bb760fbbef4002eac190cd2ecbcae05668b597
Opcode Fuzzy Hash: c08c0d1c6ac7c2075e83f4c51dbfdbc5faaf95a390f9097dd59dfff35b4bc1d4
Instruction Fuzzy Hash: 5EC12973D00116EBDB189FB4CC42AAE7BB9EF45754F108065E915EB2B1EB799E00C790

Function 6BEFC960 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 393COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 6BEFCD2A

Strings

%d.%d.%d.%d, xrefs: 6BEFCD24
RQXc, xrefs: 6BEFCE5E

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: wsprintf
String ID: %d.%d.%d.%d$RQXc
API String ID: 2111968516-3894869463
Opcode ID: 03c95e688c2d9caecc3264cad0891d73983c428a3302dd3a888298ee7ca90599
Instruction ID: 8b586813115b9c816c7c3345bb15ebea5f5abd14105901e6a8d9edc5ad5b21eb
Opcode Fuzzy Hash: 03c95e688c2d9caecc3264cad0891d73983c428a3302dd3a888298ee7ca90599
Instruction Fuzzy Hash: EEF1B671A00209DFDB14CF68CD51BEEB7B9FF45304F204289E419A7391DB39AA95CBA1

Function 6BEFBA30 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 231COMMON

Download Yara Rule

Strings

\Preferences, xrefs: 6BEFBB88
\User Data, xrefs: 6BEF7A64, 6BEF8ED0, 6BEFA1BD, 6BEFBAC4

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: Path$ExistsFileFolder
String ID: \Preferences$\User Data
API String ID: 391931419-966589237
Opcode ID: 868e3797df7a486cd47bb3594a130159e59feaea4008f9a017f467dacfbaffe3
Instruction ID: 4b22f83037a845ea2507b2a9db279931a112ca6a7f4f08dee1bc29de51acec69
Opcode Fuzzy Hash: 868e3797df7a486cd47bb3594a130159e59feaea4008f9a017f467dacfbaffe3
Instruction Fuzzy Hash: A791B070D00248DEDB14CFB4C945BDEBBB5FF45308F20869CD015AB291DB79AA85CB62

Function 6BF0D080 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 172fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,?), ref: 6BF0D15D

Strings

delayed %dms for lock/sharing conflict at line %d, xrefs: 6BF0D20E
winRead, xrefs: 6BF0D1D4

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: FileRead
String ID: delayed %dms for lock/sharing conflict at line %d$winRead
API String ID: 2738559852-1843600136
Opcode ID: 6ebecf643d4f3b93614da6f8a65b114e727bea994d3082dd4df297cf021a99f8
Instruction ID: e50fde3e258249ad4e5d307f63382dfb72f7ebd7bdbb5aa0bdb4c7faa7ca8fa8
Opcode Fuzzy Hash: 6ebecf643d4f3b93614da6f8a65b114e727bea994d3082dd4df297cf021a99f8
Instruction Fuzzy Hash: 0A519476E40209ABDF04DFA8DC91A9EB7BAFF88310B54455AE814E7271DF38D941CB90

Function 6BF0F6D0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000), ref: 6BF0F743

Strings

winDelete, xrefs: 6BF0F819
delayed %dms for lock/sharing conflict at line %d, xrefs: 6BF0F7EC

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: AttributesFile
String ID: delayed %dms for lock/sharing conflict at line %d$winDelete
API String ID: 3188754299-1405699761
Opcode ID: e0cf4901bb38c76eecdb27a14c5828fd20b0cf557eb71c3e49dfa8390b0b0c69
Instruction ID: 7f0b2aaa8195d51406bbfb1b45ea9cf682fdb7dbd34cb4214ed49e93177150c5
Opcode Fuzzy Hash: e0cf4901bb38c76eecdb27a14c5828fd20b0cf557eb71c3e49dfa8390b0b0c69
Instruction Fuzzy Hash: 18315B73A085027BAB504AB5AC95E6F376DDB83324B100372F928C51F1EF18D805E2BB

Function 6BEC1101 Relevance: 4.7, APIs: 3, Instructions: 233threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_00001420,?,00000000,00000000), ref: 6BEC12DD
WaitForMultipleObjects.KERNEL32(00000001,?,00000001,000000FF,62F1F502), ref: 6BEC1322

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: CreateMultipleObjectsThreadWait
String ID:
API String ID: 2381563339-0
Opcode ID: e7cf1f2f71b0e9702d5c640a2f4f98f8b2f22cfe93822ad64e425a4f82f0ed96
Instruction ID: 01761af52660b663566a65d24a23fe24b99b22204a4c788089669a48de159f9d
Opcode Fuzzy Hash: e7cf1f2f71b0e9702d5c640a2f4f98f8b2f22cfe93822ad64e425a4f82f0ed96
Instruction Fuzzy Hash: 31917AB5D00228EFDB14CFE8D981BDEBBF1AF49718F214169E825A7340D778A941CB52

Function 6BF895B0 Relevance: 4.7, APIs: 3, Instructions: 162fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(6BFDC88C,80000000,00000001,00000000,00000003,00000080,00000000,?,?), ref: 6BF895F5
GetFileInformationByHandle.KERNEL32(00000000,?), ref: 6BF8960C
ReadFile.KERNEL32(6F636E69,00000000,?,00000000,00000000,00000000), ref: 6BF8963C

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: File$CreateHandleInformationRead
String ID:
API String ID: 1028778949-0
Opcode ID: a1f238d6d0e0aa6195762fddb8adc30c8e2b56ffb6838f1b5ede3e4329dab3aa
Instruction ID: 152b0ec0cb50eb63b107a5776198026a7f59440845d521a75867b84bc92dd5e8
Opcode Fuzzy Hash: a1f238d6d0e0aa6195762fddb8adc30c8e2b56ffb6838f1b5ede3e4329dab3aa
Instruction Fuzzy Hash: 07513772A00205EFDB24CFB8CC84B9DBBB5FF44314F60826DD025AB5A1DB78A489CB55

Function 6BF85040 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 292COMMON

Download Yara Rule

Strings

gfff, xrefs: 6BF85406

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: 2460ec127305faf8839a2343e990cac5f9e7e4148a3c47eaa897edde200d6d60
Instruction ID: 0adeafa18534a64567b663b542009b63b9d0b701a42178d34415c3dec4339a8f
Opcode Fuzzy Hash: 2460ec127305faf8839a2343e990cac5f9e7e4148a3c47eaa897edde200d6d60
Instruction Fuzzy Hash: 8BB1B872A20602ABEF048F64E85571537FCE74730AF108169FA5A562B1DFB9D44CCF81

Function 6BFB860C Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,6BFC20B7,?,00000000,?,?,6BFC2358,?,00000007,?,?,6BFC1833,?,?), ref: 6BFB8622
GetLastError.KERNEL32(?,?,6BFC20B7,?,00000000,?,?,6BFC2358,?,00000007,?,?,6BFC1833,?,?), ref: 6BFB862D

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 300865abf0fde21bade5d6d51a57a34a76fcdc5c932696ab4f0feb4bb1e030cc
Instruction ID: 3063b4959de3d2ec7bf7f2fa76c60f59952e34ea8fedc52c107ee25717aa09ea
Opcode Fuzzy Hash: 300865abf0fde21bade5d6d51a57a34a76fcdc5c932696ab4f0feb4bb1e030cc
Instruction Fuzzy Hash: 27E08C33101205BBCF011FB6EC2DB8E3B69AF82799F144064F60887170DB79C840CB98

Function 6BFB8646 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,6BFA31A7,?,?,6BEC445A,0000000C), ref: 6BFB8678

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1185e0ad530ce8df66f89efe2485333d243249de28e59082dd75355c5e0f8b61
Instruction ID: 5bb2142f2ab72d226365df3c576506bda01e27416dd6e227614a4232fc19d9d7
Opcode Fuzzy Hash: 1185e0ad530ce8df66f89efe2485333d243249de28e59082dd75355c5e0f8b61
Instruction Fuzzy Hash: 82E0653354125766E6111B77DC14B8B3A4E9FC27A4F150159ED58961F1DB7CCC0085A5

Function 6BF89530 Relevance: 1.3, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(6F636E69,?,6BED56C6,?,6BFDC88C,00000000,?,?,00000000), ref: 6BF89555

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c436f08f367223b53327b0fc5243584d7c8cde734480b41ec5de38563181c61d
Instruction ID: f29033b673e41ec4ec0f90f500d35a1f11d1c0a93d952d7f1ee7c46ab983d7f5
Opcode Fuzzy Hash: c436f08f367223b53327b0fc5243584d7c8cde734480b41ec5de38563181c61d
Instruction Fuzzy Hash: 2A01A7721106018BD7288F38D899B2A73F19F44318F109E0CD4668BEB1CB3CF5458741

Non-executed Functions

Function 6BFC3537 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,6BFC3849,00000002,00000000,?,?,?,6BFC3849,?,00000000), ref: 6BFC35D0
GetLocaleInfoW.KERNEL32(00000000,20001004,6BFC3849,00000002,00000000,?,?,?,6BFC3849,?,00000000), ref: 6BFC35F9
GetACP.KERNEL32(?,?,6BFC3849,?,00000000), ref: 6BFC360E

Strings

OCP, xrefs: 6BFC358B
ACP, xrefs: 6BFC3555

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: fb89f402ec3091a481b6de1f6f50188ab4d39de65a9f1086140ebba299a9b264
Instruction ID: c27068952188e791d65fbbc2b346d49312b24733543c1558fa91bdc0f3118ff3
Opcode Fuzzy Hash: fb89f402ec3091a481b6de1f6f50188ab4d39de65a9f1086140ebba299a9b264
Instruction Fuzzy Hash: 8121B633B44103AAD7358F28C901B8777B6AB45FD4B5688A4E806D7234E73ADDC0C352

Function 6BFC3713 Relevance: 7.7, APIs: 5, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 6BFB675A: GetLastError.KERNEL32(00000000,?,6BFBFE8C,?,?,?,?,00000000,00000000), ref: 6BFB675E
Part of subcall function 6BFB675A: SetLastError.KERNEL32(00000000,00000000,000000FF,00000017,000000FF,?,?,?,?,00000000,00000000), ref: 6BFB6800

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 6BFC381B
IsValidCodePage.KERNEL32(00000000), ref: 6BFC3859
IsValidLocale.KERNEL32(?,00000001), ref: 6BFC386C
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 6BFC38B4
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 6BFC38CF

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: c863561c35dffcb188f792b181dadd51871aa5f7bf6aaf08b0baa3e93ea6f2a3
Instruction ID: 44450b73d9f98434b9358264acfd88866396515e0631ac19719256ad7a18d9ae
Opcode Fuzzy Hash: c863561c35dffcb188f792b181dadd51871aa5f7bf6aaf08b0baa3e93ea6f2a3
Instruction Fuzzy Hash: A2515073A00217ABEF20DFB9CC45AAB77B8FF49744F144469A510E71A0DB78D984CB62

Function 6BFC2D9E Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 254COMMON

Download Yara Rule

APIs

Part of subcall function 6BFB675A: GetLastError.KERNEL32(00000000,?,6BFBFE8C,?,?,?,?,00000000,00000000), ref: 6BFB675E
Part of subcall function 6BFB675A: SetLastError.KERNEL32(00000000,00000000,000000FF,00000017,000000FF,?,?,?,?,00000000,00000000), ref: 6BFB6800

GetACP.KERNEL32(?,?,?,?,?,?,6BFB718A,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 6BFC2E5D
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6BFB718A,?,?,?,00000055,?,-00000050,?,?), ref: 6BFC2E94
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6BFC2FF7

Strings

utf8, xrefs: 6BFC2F66

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: c81c848eddec8c6e815ef4daa3d8eb31c5fcfc45d3fc42a3d8ffaa147d40e63e
Instruction ID: c878032876dbf3262b1321a4322c6273a28400fdf63c1f3bc9dd33c8aceeae6b
Opcode Fuzzy Hash: c81c848eddec8c6e815ef4daa3d8eb31c5fcfc45d3fc42a3d8ffaa147d40e63e
Instruction Fuzzy Hash: FC712973B04207AAEB159B38CC82BAB73B8EF45744F101069E515D71A0EB7EE484C7A2

Function 6BFA3DB1 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6BFA3DBD
IsDebuggerPresent.KERNEL32 ref: 6BFA3E89
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6BFA3EA9
UnhandledExceptionFilter.KERNEL32(?), ref: 6BFA3EB3

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 673de8a3a5db20e48e07a2a95e350e11163e5cda4b61acbfffe68aa900c9a99d
Instruction ID: 5eb6d7fbcaea0c101d82d587467a06327efecc12154d1dc2fe8f6837d2818900
Opcode Fuzzy Hash: 673de8a3a5db20e48e07a2a95e350e11163e5cda4b61acbfffe68aa900c9a99d
Instruction Fuzzy Hash: 63311A75D0521DDBDB21DFB4D9897CDBBB8AF08305F1040DAE408AB250EB749A898F45

Function 6BFA393E Relevance: 6.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,6BFA3A5E,6BFD2308), ref: 6BFA3943
UnhandledExceptionFilter.KERNEL32(6BFA3A5E,?,6BFA3A5E,6BFD2308), ref: 6BFA394C
GetCurrentProcess.KERNEL32(C0000409,?,6BFA3A5E,6BFD2308), ref: 6BFA3957
TerminateProcess.KERNEL32(00000000,?,6BFA3A5E,6BFD2308), ref: 6BFA395E

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 7e115b81c158ca4ce320bd31044800628f5b1e6e00594c91db9cc66855a0fb2a
Instruction ID: c6142953e69621026deff65f45cd110235473fef4d9bb84ca6e2b8926d8e16fe
Opcode Fuzzy Hash: 7e115b81c158ca4ce320bd31044800628f5b1e6e00594c91db9cc66855a0fb2a
Instruction Fuzzy Hash: 19D0C932051108ABCF012BF0D82CB083B28BB8A202F048400F30981461CAB1C4058B55

Function 6BFA7AA3 Relevance: 4.6, APIs: 3, Instructions: 77COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,000000FF), ref: 6BFA7B9B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,000000FF), ref: 6BFA7BA5
UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,000000FF), ref: 6BFA7BB2

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 940a3c408dabe4ada3150e6155a7ae57c19e0c1e2993fcb37692393053904276
Instruction ID: 8a99a8eb350b0f3af599cdd68983b62a23b514085f40625c41ac4e64296c9c96
Opcode Fuzzy Hash: 940a3c408dabe4ada3150e6155a7ae57c19e0c1e2993fcb37692393053904276
Instruction Fuzzy Hash: AA31C576D11219EBCB25DF68D889B8DBBB8BF08314F5041DAE41CA72A0E7749B858F44

Function 6BFA3F75 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6BFA3F8B

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: e7b8ec4b743aa4d84fbeefa90dd0d1063f89adc978c5f253c44d518f4b8e66ae
Instruction ID: 15732abdf6fafcc332b3db12d7bc5289c1b893d386a5b6da1d71a25e3c0d7f52
Opcode Fuzzy Hash: e7b8ec4b743aa4d84fbeefa90dd0d1063f89adc978c5f253c44d518f4b8e66ae
Instruction Fuzzy Hash: DC517CB2A11605CFDB09CF98D5817AABBF8FB48310F20C56AD415EB361DB79E904CB50

Function 6BFC3095 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 6BFB675A: GetLastError.KERNEL32(00000000,?,6BFBFE8C,?,?,?,?,00000000,00000000), ref: 6BFB675E
Part of subcall function 6BFB675A: SetLastError.KERNEL32(00000000,00000000,000000FF,00000017,000000FF,?,?,?,?,00000000,00000000), ref: 6BFB6800

EnumSystemLocalesW.KERNEL32(6BFC31BB,00000001,00000000,?,-00000050,?,6BFC37EF,00000000,?,?,?,00000055,?), ref: 6BFC3107

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 4812ef8861ab2088cc2f1b50326da4bece3d5c177785fb22e1c82b2a4c4aa373
Instruction ID: ffe7462f859ada836ea901fe3dbc9b40eafe592c3634e9ee735a2109d11d795c
Opcode Fuzzy Hash: 4812ef8861ab2088cc2f1b50326da4bece3d5c177785fb22e1c82b2a4c4aa373
Instruction Fuzzy Hash: 7E11253B6047025FDB289F39D8A16ABB7A1FF803ADB14842CE94787A10D775A583C740

Function 6BFC3130 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 6BFB675A: GetLastError.KERNEL32(00000000,?,6BFBFE8C,?,?,?,?,00000000,00000000), ref: 6BFB675E
Part of subcall function 6BFB675A: SetLastError.KERNEL32(00000000,00000000,000000FF,00000017,000000FF,?,?,?,?,00000000,00000000), ref: 6BFB6800

EnumSystemLocalesW.KERNEL32(6BFC340E,00000001,00000000,?,-00000050,?,6BFC37B7,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 6BFC317A

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: d97024ba4d3b6b2b9e5eb32010197ec5328613cb237df75770343844bfe3b6e7
Instruction ID: dfba93594c732bf0445f6ccbb6ab6db391c9ca05db6bc6b9d323b6043c6fd57f
Opcode Fuzzy Hash: d97024ba4d3b6b2b9e5eb32010197ec5328613cb237df75770343844bfe3b6e7
Instruction Fuzzy Hash: E4F046376003062FD7244F398890A6B7BA0EF803A8B06846CF9054B660C775A882C710

Function 6BFB8ABC Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 6BFB1D69: EnterCriticalSection.KERNEL32(?,?,6BFB520E,00000000,6BFF3A30,0000000C,6BFB51D6,?,?,6BFBB71E,?,?,6BFB68F8,00000001,00000364,?), ref: 6BFB1D78

EnumSystemLocalesW.KERNEL32(6BFB8AAF,00000001,6BFF3C48,0000000C,6BFB8F24,00000000), ref: 6BFB8AF4

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 2544dec04c177f32ffabdfa020a4a84b5476f4923a9383e62b8d33fa25eacf8a
Instruction ID: 359df5368caa11aac8e1f7238f7103120a589ddeae71ec64f267e355507ace31
Opcode Fuzzy Hash: 2544dec04c177f32ffabdfa020a4a84b5476f4923a9383e62b8d33fa25eacf8a
Instruction Fuzzy Hash: 2AF06D73A20201EFDB14DFA9E456B9CB7F4EB49B64F10811AE510DB2B0CB799908CF50

Function 6BFA2E46 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,00000022,00000000,00000002,?,?,6BFA0FD0,00000000,?,00000004,6BF9FCE0,?,00000004,6BFA0015,00000000,00000000), ref: 6BFA2E5E

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 8c985cb439789a3be6d83963707c3114bd2fae521690a812e67fc6616fd0d4cb
Instruction ID: 9d5cea793d360856e6471acadc34780819f33975b61d9d0ca93f8e8e62833e92
Opcode Fuzzy Hash: 8c985cb439789a3be6d83963707c3114bd2fae521690a812e67fc6616fd0d4cb
Instruction Fuzzy Hash: 2FE0D8337A0205F5D7064B799D0BFBB36A8E70170AF000291A551E40F0CABACA809151

Function 6BFC304A Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 6BFB675A: GetLastError.KERNEL32(00000000,?,6BFBFE8C,?,?,?,?,00000000,00000000), ref: 6BFB675E
Part of subcall function 6BFB675A: SetLastError.KERNEL32(00000000,00000000,000000FF,00000017,000000FF,?,?,?,?,00000000,00000000), ref: 6BFB6800

EnumSystemLocalesW.KERNEL32(6BFC2FA3,00000001,00000000,?,?,6BFC3811,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 6BFC3081

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 08de1afa5f29ee6f2a5557a70ce3069dd4a0fa5f7ad59f40a449a36b89f017b5
Instruction ID: 63c1cca3dd9a3888fe4c6d02c3c1717c6d3b0ecb276f9de5daa55a119fbc9c1e
Opcode Fuzzy Hash: 08de1afa5f29ee6f2a5557a70ce3069dd4a0fa5f7ad59f40a449a36b89f017b5
Instruction Fuzzy Hash: 81F05C3B70020657C7049F39C8187577F64EFC1354B064098EE098B260C776D482C790

Function 6BFB907F Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,6BFB7D00,?,20001004,00000000,00000002,?,?,6BFB72F2), ref: 6BFB90B3

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: d165b19d8b7567d4d2c8beb062f5b3eca3bf1c5f0231f95fefcd6ecac0035cc1
Instruction ID: d4dc4d7ad6e4ef69a2c8abd6f8944796feab8fff4ee98c406a761bd90bb1ffc4
Opcode Fuzzy Hash: d165b19d8b7567d4d2c8beb062f5b3eca3bf1c5f0231f95fefcd6ecac0035cc1
Instruction Fuzzy Hash: 8FE04F37541619BBCF122F76DC04E9E3F16EF957A1F008110FD1565531CB76C9219AD1

Function 6BEFD440 Relevance: 51.2, APIs: 6, Strings: 23, Instructions: 442filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,6BFDC88C,00000000,62F1F502), ref: 6BEFD4F6
GetFileInformationByHandle.KERNEL32(00000000,?), ref: 6BEFD515
ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 6BEFD550
CloseHandle.KERNEL32(00000000), ref: 6BEFD6A2
GetSystemTime.KERNEL32(?), ref: 6BEFD862
SystemTimeToFileTime.KERNEL32(?,?), ref: 6BEFD873

Strings

expires_utc, xrefs: 6BF01FD8
VPhO, xrefs: 6BF01221
profile, xrefs: 6BF0153A
\User Data\, xrefs: 6BF016F6
' and host_key='www.bing.com';, xrefs: 6BF01C5E
cookies, xrefs: 6BF01B9F
%, xrefs: 6BF02662
select value, encrypted_value, expires_utc from cookies where name=', xrefs: 6BF01C99
2V, xrefs: 6BF02678
last_used, xrefs: 6BF015AB
\Cookies, xrefs: 6BF0179B, 6BF01977
msedge.exe, xrefs: 6BF018F8
wV, xrefs: 6BF02633
value, xrefs: 6BF01E41
mV, xrefs: 6BF0263D
\User Data\Local State, xrefs: 6BF014B5
\Low, xrefs: 6BEFE3F6
hV, xrefs: 6BF02642
encrypted_value, xrefs: 6BF01EAD
\*.txt, xrefs: 6BEFE0E6, 6BEFE41C
www.bing.com/, xrefs: 6BEFE298, 6BEFE5A6
Microsoft\Edge, xrefs: 6BF01232
Null Sqlite Statement pointer, xrefs: 6BF0267D, 6BF026AD

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: File$Time$HandleSystem$CloseCreateInformationRead
String ID: ' and host_key='www.bing.com';$Microsoft\Edge$Null Sqlite Statement pointer$VPhO$\*.txt$\Cookies$\Low$\User Data\$\User Data\Local State$cookies$encrypted_value$expires_utc$last_used$msedge.exe$profile$select value, encrypted_value, expires_utc from cookies where name='$value$www.bing.com/$2V$hV$mV$wV$%
API String ID: 3647255302-349697009
Opcode ID: 9086ae1425000423dfee74e0e4ec596773c5bd1aeb8e2bc5440f53178dd3e2d1
Instruction ID: 9e06de12a8866be5f02d9c5b0d6e0c9143c6afebf7558d6aa2686fd55c11a677
Opcode Fuzzy Hash: 9086ae1425000423dfee74e0e4ec596773c5bd1aeb8e2bc5440f53178dd3e2d1
Instruction Fuzzy Hash: 0602E575A00248DFDF04CF78CD85BDEBB79EF45308F208198E4156B291D7799A86CB62

Function 6BEDAFA0 Relevance: 28.3, APIs: 9, Strings: 7, Instructions: 327registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Mozilla\Mozilla Firefox ESR,00000000,00000201,?,6BFDC88C,00000000,6BFDC88C,00000000,62F1F502,-0000001C,?), ref: 6BEDB08A
RegQueryValueExW.ADVAPI32(?,CurrentVersion,00000000,00000000,?,00000040), ref: 6BEDB0B9
RegCloseKey.ADVAPI32(?), ref: 6BEDB0CF
RegOpenKeyExW.ADVAPI32(80000002,Software\Mozilla\Mozilla Firefox ESR,00000000,?,?,?,?), ref: 6BEDB12C
RegQueryValueExW.ADVAPI32(?,6BFDC88C,00000000,00000000,?,00000040), ref: 6BEDB15A
RegCloseKey.ADVAPI32(?), ref: 6BEDB175
RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,?,?), ref: 6BEDB323
RegQueryValueExW.ADVAPI32(?,ESR,00000000,00000000,?,00000040), ref: 6BEDB351
RegCloseKey.ADVAPI32(?), ref: 6BEDB36C

Strings

Software\Mozilla\Mozilla Firefox ESR, xrefs: 6BEDB07A, 6BEDB122
0eu, xrefs: 6BEDB0CF, 6BEDB175, 6BEDB36C
SOFTWARE\Mozilla\Mozilla Firefox, xrefs: 6BEDB1B4
CurrentVersion, xrefs: 6BEDB0AE
ESR, xrefs: 6BEDB20B
ESR, xrefs: 6BEDB346
@, xrefs: 6BEDB057

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: ESR$0eu$@$CurrentVersion$ESR$SOFTWARE\Mozilla\Mozilla Firefox$Software\Mozilla\Mozilla Firefox ESR
API String ID: 3677997916-2438916691
Opcode ID: bfa101caa036bae2488e0af5bd82dc9953ed639a1e6acb10413c1ad00dc30e5b
Instruction ID: f372924e887103e6ac71fdd4d49eed5629e9903dbeffd64dcdf6652e29deb21c
Opcode Fuzzy Hash: bfa101caa036bae2488e0af5bd82dc9953ed639a1e6acb10413c1ad00dc30e5b
Instruction Fuzzy Hash: 52C1B031E00218DBEB24CF34CD55F9EB7B5AF45304F1082D9E519A7290EBB89A85CF61

Function 6BEC14E0 Relevance: 28.3, APIs: 4, Strings: 12, Instructions: 325registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice,00000000,00020219,?,6BFDC88C,00000000,62F1F502,00000000,00000000,?), ref: 6BEC1560
RegQueryValueExW.ADVAPI32(?,Progid,00000000,00000001,?,?), ref: 6BEC15A3

Strings

FriendlyTypeName, xrefs: 6BEC1841
Software\Classes\, xrefs: 6BEC1778
ChromeHTML, xrefs: 6BEC16F7
SafariURL, xrefs: 6BEC1729
Progid, xrefs: 6BEC1598
<, xrefs: 6BEC1B1B
MSEdgeHTM, xrefs: 6BEC1693
<#bh#>, xrefs: 6BEC1C44
MicrosoftEdge, xrefs: 6BEC1911
FirefoxURL, xrefs: 6BEC16C5
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice, xrefs: 6BEC1550
IE.HTTP, xrefs: 6BEC1661

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: OpenQueryValue
String ID: <$<#bh#>$ChromeHTML$FirefoxURL$FriendlyTypeName$IE.HTTP$MSEdgeHTM$MicrosoftEdge$Progid$SafariURL$Software\Classes\$Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
API String ID: 4153817207-1756411790
Opcode ID: 9c457b2a5d95660a910c440857b699e00c4522f931d675e588c2a8b907f8fb74
Instruction ID: dcb51e796e65ce2cb1b1217e631b89c680b21fca8254f37b819fd165c2e1ddd2
Opcode Fuzzy Hash: 9c457b2a5d95660a910c440857b699e00c4522f931d675e588c2a8b907f8fb74
Instruction Fuzzy Hash: 71C117B2A001289BDB24CB24CD81BDEB775AB44314F6042DDE62DA7291DB385AC5CF67

Function 6BEC5050 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 110sleepsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6BEC5210: GetCurrentProcessId.KERNEL32(00000000,6BFDC88C,00000000,6BFDC88C,00000000,62F1F502), ref: 6BEC52AE
Part of subcall function 6BEC5210: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6BEC52E5
Part of subcall function 6BEC5210: Process32FirstW.KERNEL32(00000000,0000022C), ref: 6BEC5324

ShellExecuteExW.SHELL32(?), ref: 6BEC50C0
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6BEC50D3
CloseHandle.KERNEL32(?), ref: 6BEC50DC
OpenProcess.KERNEL32(00100001,00000000,00000000,?,?,msedge.exe), ref: 6BEC5123
TerminateProcess.KERNEL32(00000000,00000000,?,?,msedge.exe), ref: 6BEC5132
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,msedge.exe), ref: 6BEC513B
CloseHandle.KERNEL32(00000000,?,?,msedge.exe), ref: 6BEC5147
Sleep.KERNEL32(00002710,msedge.exe,?,?,msedge.exe), ref: 6BEC5171
Sleep.KERNEL32(000007D0), ref: 6BEC51B1

Strings

https://www.bing.com, xrefs: 6BEC50AB
<, xrefs: 6BEC5088
open, xrefs: 6BEC509D
@, xrefs: 6BEC508F
msedge.exe, xrefs: 6BEC5062, 6BEC50EC, 6BEC514E

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: Process$CloseHandleObjectSingleSleepWait$CreateCurrentExecuteFirstOpenProcess32ShellSnapshotTerminateToolhelp32
String ID: <$@$https://www.bing.com$msedge.exe$open
API String ID: 2051953499-3290845781
Opcode ID: 0d4ce6d3a662c762ca6e4616c9a15c381916ba9b1e4a8f96a1a71172c0724ed9
Instruction ID: be4f818e6947b58e932a6aca8b9cbd48015c370db36407857002b12bac90c266
Opcode Fuzzy Hash: 0d4ce6d3a662c762ca6e4616c9a15c381916ba9b1e4a8f96a1a71172c0724ed9
Instruction Fuzzy Hash: 4141B272A10109EBDF00DFF4D86ABAFBBB4FF45304F500249E92567290DBB98905CBA1

Function 6BEC1A60 Relevance: 17.9, APIs: 2, Strings: 8, Instructions: 411networkCOMMON

Download Yara Rule

APIs

InternetCrackUrlW.WININET(?,00000000,00000000,0000003C), ref: 6BEC1B5C
AssocQueryStringW.SHLWAPI(00000000,00000002,.html,00000000,?,00000104), ref: 6BEC1E09

Strings

firefox, xrefs: 6BEC1F33
msedge, xrefs: 6BEC1F01
<, xrefs: 6BEC1B1B
<#bh#>, xrefs: 6BEC1C44
safari, xrefs: 6BEC1F91
.html, xrefs: 6BEC1E01
iexplore, xrefs: 6BEC1ECF
chrome, xrefs: 6BEC1F62

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: AssocCrackInternetQueryString
String ID: .html$<$<#bh#>$chrome$firefox$iexplore$msedge$safari
API String ID: 1984373703-2955560001
Opcode ID: 6c3359e14620bb7fa63f09af4c9a074b3bf90bf3c0bafb8f47cae65bd611f961
Instruction ID: baf75080f9af28f53ce41e69ffe58204c02c00e570067338af14fd1e6faae859
Opcode Fuzzy Hash: 6c3359e14620bb7fa63f09af4c9a074b3bf90bf3c0bafb8f47cae65bd611f961
Instruction Fuzzy Hash: B9E1C931E002299BCB24DF64CD95BDEB7B5AF48304F1001D9E929A7291D738AF94CF92

Function 6BEC4ED0 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 90comCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 6BEC4EE5
CoCreateInstance.OLE32(6BFD0360,00000000,00000003,6BFE2ED4,?), ref: 6BEC4F04
CoUninitialize.OLE32 ref: 6BEC4FAE

Strings

MSEdgeHTM, xrefs: 6BEC4F20, 6BEC4F35, 6BEC4F4C, 6BEC4F63, 6BEC4F7A
.htm, xrefs: 6BEC4F47
.pdf, xrefs: 6BEC4F75
http, xrefs: 6BEC4F1B
.html, xrefs: 6BEC4F5E
https, xrefs: 6BEC4F30

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .htm$.html$.pdf$MSEdgeHTM$http$https
API String ID: 948891078-1444453974
Opcode ID: 13a59285715c8051947fdfadbedcc88d52a62f538fe8246cf699d3fbbabf57e8
Instruction ID: b7180be0eba4ac84ad10a7226f850503674fb5c91fdfa4f53d60a1d4382f9121
Opcode Fuzzy Hash: 13a59285715c8051947fdfadbedcc88d52a62f538fe8246cf699d3fbbabf57e8
Instruction Fuzzy Hash: 10312C72E00204BFCB10DFA5C858EAF7BB8AB89715F24009AF505D7250CB3AD942DB65

Function 6BFB8C89 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,62F1F502,?,6BFB8D98,?,?,00000000,?), ref: 6BFB8D4A

Strings

ext-ms-, xrefs: 6BFB8CF4
api-ms-, xrefs: 6BFB8CE0

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 043a057aa0875572352d57b9635a034c7a38ab0db85da1f87b2e5e7057fa187a
Instruction ID: 3e92f7a7f6c3b5f54e9ef3d9c740e7013173bb8b84422f1bfe3ba8ad1fd630a0
Opcode Fuzzy Hash: 043a057aa0875572352d57b9635a034c7a38ab0db85da1f87b2e5e7057fa187a
Instruction Fuzzy Hash: 3A21D573901113ABDB129F36DC44B8A7778AFC6764F140562ED15A72B1DB38E904C6F0

Function 6BF90D6A Relevance: 9.2, APIs: 6, Instructions: 224COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?), ref: 6BF90DF5
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 6BF90E83
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 6BF90EF5
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 6BF90F0F
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 6BF90F72
CompareStringEx.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 6BF90F8F

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: ByteCharMultiWide$CompareInfoString
String ID:
API String ID: 2984826149-0
Opcode ID: 02f9f18d86e45f465ef749b7dd4d3767b38dc343bff793ef66f13984abb5dc41
Instruction ID: 362faf247c2d4052befdb5e35eadfc732f96b000d53220cace0c0c8204ab85bf
Opcode Fuzzy Hash: 02f9f18d86e45f465ef749b7dd4d3767b38dc343bff793ef66f13984abb5dc41
Instruction Fuzzy Hash: 7671A03390420AAEFF11AFB4E851EDF7BB6EF46758F1400A9E914A6170D7B9C544CBA0

Function 6BF90FEE Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 6BF91037
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 6BF910A2
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6BF910BF
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 6BF910FE
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6BF9115D
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6BF91180

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: e7afd52fb46f60ba25202c98944a5f88f3c7f9c03dba750a845e2b6ca2b852d0
Instruction ID: c8f84c99e90dc8b6c6c873b98fa6191c98b742aa5b597099c9da5339898b0e30
Opcode Fuzzy Hash: e7afd52fb46f60ba25202c98944a5f88f3c7f9c03dba750a845e2b6ca2b852d0
Instruction Fuzzy Hash: 8351AC7360022ABBFF11AF64EC45FAA3BADEB41B44F104065FA2496170D779DA50CB90

Function 6BFA76F2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,6BFA77B3,00000000,?,00000001,00000000,?,6BFA782A,00000001,FlsFree,6BFD2E08,FlsFree,00000000), ref: 6BFA7782

Strings

api-ms-, xrefs: 6BFA7742

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 4dccbdb3d0bd510e6972c666d32b7c6eb1ef78616a0ac9c40b93cab8220c271c
Instruction ID: f713e78c692014263940444a495a9b3fcb88f50af2d52bc0d342509c5ef95a6d
Opcode Fuzzy Hash: 4dccbdb3d0bd510e6972c666d32b7c6eb1ef78616a0ac9c40b93cab8220c271c
Instruction Fuzzy Hash: B511A333A51221EBDF168A7CCC44F4E77B4AF42B60F1505A0E910A72A8DF78F90487E5

Function 6BFB56A1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,62F1F502,00000000,?,00000000,6BFCE3F0,000000FF,?,6BFB563B,?,?,6BFB560F,00000000), ref: 6BFB56D6
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6BFB56E8
FreeLibrary.KERNEL32(00000000,?,00000000,6BFCE3F0,000000FF,?,6BFB563B,?,?,6BFB560F,00000000), ref: 6BFB570A

Strings

mscoree.dll, xrefs: 6BFB56CF
CorExitProcess, xrefs: 6BFB56E0

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 885f97cd6673ea3515ccd440a600eb9fefd870ab54f6ea6238e40c01b760daed
Instruction ID: c66e207697c58dba0ee541f2a186e6eb37f6872dea43479c36d4b6aeee960b2f
Opcode Fuzzy Hash: 885f97cd6673ea3515ccd440a600eb9fefd870ab54f6ea6238e40c01b760daed
Instruction Fuzzy Hash: 5601A232924519FFDF028B64CC54BAFBBB8FB45711F100625F821E22A0DB7DD904CA90

Function 6BED5350 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 306fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 6BED566E

Strings

', xrefs: 6BED560B
locale/browser-region/region.properties, xrefs: 6BED5611
.jar, xrefs: 6BED5417

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: DeleteFile
String ID: '$.jar$locale/browser-region/region.properties
API String ID: 4033686569-1282198002
Opcode ID: bcc8ab4ef09c42d1d011100ad4727e70504e18f32559ef95806d05058943fb5c
Instruction ID: ef8bf58adeeb5efaa01dbc35ee9f1d05095268400e3d0347511dd15532faa864
Opcode Fuzzy Hash: bcc8ab4ef09c42d1d011100ad4727e70504e18f32559ef95806d05058943fb5c
Instruction Fuzzy Hash: 2EB1B371D00209DFDB14CFA8C985BEEBBF1FF44318F204159D512AB6A4DB78A985CB91

Function 6BEC4FE0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 6BEC4FF3
CoCreateInstance.OLE32(6BFD0360,00000000,00000003,6BFE2ED4,?), ref: 6BEC500C
CoUninitialize.OLE32 ref: 6BEC5036

Strings

Microsoft Edge, xrefs: 6BEC501A

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: Microsoft Edge
API String ID: 948891078-4201763747
Opcode ID: db4e7e14fee60c2c1282b0c693ee9eb432dfa6b05e58b3fc0225826076401482
Instruction ID: 781d3dc225c35ae6d722ca01df49ffd7e6ebe7a73bee0a8c41fa70ab65633751
Opcode Fuzzy Hash: db4e7e14fee60c2c1282b0c693ee9eb432dfa6b05e58b3fc0225826076401482
Instruction Fuzzy Hash: B0F08131700108AFD700DFB4C895F6EBBACEF05245F0000A9F906DB260DA36AD098B61

Function 6BFBABE5 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(62F1F502,00000000,00000000,?), ref: 6BFBAC48

Part of subcall function 6BFB8A43: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6BFB82B5,?,00000000,-00000008), ref: 6BFB8AA4

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6BFBAE9A
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6BFBAEE0
GetLastError.KERNEL32 ref: 6BFBAF83

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: fc99cf40c13280eae98017c3c78d4f5c3bdf5288ce4c605acc52c1690fae36b0
Instruction ID: 0479d1f3f8935d40261f465380691c4ff3ad8d6654b84c5a7a6cce704afb1a6d
Opcode Fuzzy Hash: fc99cf40c13280eae98017c3c78d4f5c3bdf5288ce4c605acc52c1690fae36b0
Instruction Fuzzy Hash: 9ED169B6D04649AFCF05CFA9C880ADDBBF8EF09314F14456AE416EB261DB34E946CB50

Function 6BFA3CD8 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 6BFA3CEA
GetCurrentThreadId.KERNEL32 ref: 6BFA3CF9
GetCurrentProcessId.KERNEL32 ref: 6BFA3D02
QueryPerformanceCounter.KERNEL32(?), ref: 6BFA3D0F

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: a99a146f43f5083fb41b605d202033833e082667fa205ac3b962d89976b79350
Instruction ID: 320c874b42cb01d8ff9c045ece159543e410776050da489a484bf9687003bec5
Opcode Fuzzy Hash: a99a146f43f5083fb41b605d202033833e082667fa205ac3b962d89976b79350
Instruction Fuzzy Hash: E5F05F71C20209EBCF00DBB4C559B9EBBF8EF59205F5188969412E7150D774EB08DB51

Function 6BEC5D10 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 246COMMON

Download Yara Rule

APIs

GetUserPreferredUILanguages.KERNEL32(00000008,00000000,00000000,00000000,6BFDC88C,00000000,62F1F502,-00000022,00000002), ref: 6BEC5D8F
GetUserPreferredUILanguages.KERNEL32(00000008,00000000,00000000,00000000), ref: 6BEC5DFA

Strings

en-us, xrefs: 6BEC5F8B

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: LanguagesPreferredUser
String ID: en-us
API String ID: 293538599-3889756054
Opcode ID: 9a5f289e308207ce92d61da130daac55a49e270c4f3ce2f440ecfd57fedea4a9
Instruction ID: a37802b2807b06135c66970ac5c9f02a492b5c14c5fbd17cddde01598153d3ed
Opcode Fuzzy Hash: 9a5f289e308207ce92d61da130daac55a49e270c4f3ce2f440ecfd57fedea4a9
Instruction Fuzzy Hash: 2891AE71D002099BDB18CFA8C955BEEBBB5FF44314F24421AE925B7290D778AA84CB91

Function 6BFA418B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 6BED3560: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000), ref: 6BED3565
Part of subcall function 6BED3560: GetLastError.KERNEL32(?,00000000,00000000), ref: 6BED356F

IsDebuggerPresent.KERNEL32(?,?,?,6BEC105A), ref: 6BFA41BE
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,6BEC105A), ref: 6BFA41CD

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 6BFA41C8

Memory Dump Source

Source File: 00000007.00000002.20791651400.000000006BEC1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6BEC0000, based on PE: true

Associated: 00000007.00000002.20791615108.000000006BEC0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20792987092.000000006BFD0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793203961.000000006BFF6000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000007.00000002.20793258976.000000006BFFB000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bec0000_BingWallpaperApp.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: 4b339fb092d19712dc97a3f4cf59ebdb19319aacf16e1f1ce4beb96cdfad361f
Instruction ID: dc924954ca15a898d1a35ca5c6391dcd5031f467e6d7b5de84dd77b3f241f2b2
Opcode Fuzzy Hash: 4b339fb092d19712dc97a3f4cf59ebdb19319aacf16e1f1ce4beb96cdfad361f
Instruction Fuzzy Hash: 98E09AB2100711CFD7668F38E506702BFE5AF15344F10886DD896C7760EBF9D4088BA1

Analysis Process: rundll32.exePID: 3400, Parent PID: 4324COMMON

Execution Graph

Execution Coverage:	5.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.6%
Total number of Nodes:	1238
Total number of Limit Nodes:	33

Executed Functions

Function 6CF56A90 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 174
encryptionfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,6CF525AA), ref: 6CF56ABC
CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,?,?,?,?,?,?,?,?,?,?,6CF525AA), ref: 6CF56AD5
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CF525AA), ref: 6CF56ADF
CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,?,?,?,?,?,?,?,?,?,6CF525AA), ref: 6CF56AFA
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,6CF525AA), ref: 6CF56B18
lstrlenW.KERNEL32(F82B3070-8C29-42FF-9A74-28699A1F2BCD,00000000,?,?,?,?,?,?,?,?,?,?,6CF525AA), ref: 6CF56B2D
CryptHashData.ADVAPI32(?,F82B3070-8C29-42FF-9A74-28699A1F2BCD,00000000,?,?,?,?,?,?,?,?,?,?,6CF525AA), ref: 6CF56B3C
CryptDeriveKey.ADVAPI32(?,00006801,?,00800000,?,?,?,?,?,?,?,?,?,?,?,6CF525AA), ref: 6CF56B5E
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?), ref: 6CF56B80
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,-00000008,00000000,00000000,?,?,?,?), ref: 6CF56BC1
CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?,-00000008,?,?,?,?), ref: 6CF56BD9
CreateFileW.KERNEL32(?,00000002,00000001,00000000,00000002,00000080,00000000,?,?,?,?), ref: 6CF56BF5
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,?), ref: 6CF56C0D
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CF525AA), ref: 6CF56C27
CryptDestroyHash.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,6CF525AA), ref: 6CF56C42
CryptDestroyKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,6CF525AA), ref: 6CF56C57
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,6CF525AA), ref: 6CF56C67

Strings

F82B3070-8C29-42FF-9A74-28699A1F2BCD, xrefs: 6CF56B28, 6CF56B34
Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 6CF56AC5, 6CF56AF0

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID: Crypt$ContextHash$AcquireByteCharCreateDestroyFileMultiWidelstrlen$CloseDataDeriveEncryptErrorHandleLastReleaseWrite
String ID: F82B3070-8C29-42FF-9A74-28699A1F2BCD$Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 583119173-1302254563
Opcode ID: d2c798fc79ae8eae91a7a45289c7607c6214da8758e3104a40c49676d32164cd
Instruction ID: 53917e9678ff442a631d84de0c8a06def0d011d5573f88159b6de56017d03d56
Opcode Fuzzy Hash: d2c798fc79ae8eae91a7a45289c7607c6214da8758e3104a40c49676d32164cd
Instruction Fuzzy Hash: 4D519371F40205BBEF20AFE28D49FAE7BB8EB05B15F204115BAB5F56C0D77495148A60

Function 6CF56C80 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 177
encryptionfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,00000001,00000001,00000000,00000003,00000080,00000000,?), ref: 6CF56CD2
GetFileInformationByHandle.KERNEL32(00000000,?), ref: 6CF56CE4
CloseHandle.KERNEL32(00000000), ref: 6CF56D07
CryptDestroyHash.ADVAPI32(?), ref: 6CF56D22
CryptDestroyKey.ADVAPI32(6CF51F91), ref: 6CF56D37
CryptReleaseContext.ADVAPI32(?,00000000), ref: 6CF56D47
CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000), ref: 6CF56D6F
GetLastError.KERNEL32 ref: 6CF56D79
CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008), ref: 6CF56D95
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 6CF56DB3
lstrlenW.KERNEL32(F82B3070-8C29-42FF-9A74-28699A1F2BCD,00000000), ref: 6CF56DC8
CryptHashData.ADVAPI32(?,F82B3070-8C29-42FF-9A74-28699A1F2BCD,00000000), ref: 6CF56DD7
CryptDeriveKey.ADVAPI32(?,00006801,?,00800000,6CF51F91), ref: 6CF56DF9
ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 6CF56E2F
CryptDecrypt.ADVAPI32(6CF51F91,00000000,00000001,00000000,00000000,00000000), ref: 6CF56E4B
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000000), ref: 6CF56E69

Strings

F82B3070-8C29-42FF-9A74-28699A1F2BCD, xrefs: 6CF56DC3, 6CF56DCF
Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 6CF56D64, 6CF56D8A

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID: Crypt$ContextFileHash$AcquireCreateDestroyHandle$ByteCharCloseDataDecryptDeriveErrorInformationLastMultiReadReleaseWidelstrlen
String ID: F82B3070-8C29-42FF-9A74-28699A1F2BCD$Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 4286853541-1302254563
Opcode ID: 7ad8c35e1587b60f5af3ef2f37cc93055b9ec8ad2ed1186063dd449bb839a9b8
Instruction ID: 63d7148da237e8f3c742b9cfeeb3f374605aeb364cf4f38ba32e8d2592bcb1a6
Opcode Fuzzy Hash: 7ad8c35e1587b60f5af3ef2f37cc93055b9ec8ad2ed1186063dd449bb839a9b8
Instruction Fuzzy Hash: 6651D130F01208BBEF209FA28C46FAE7BB9AF15B14F604515F665E66C0EB719910CB60

Function 6CF537BF Relevance: 30.7, APIs: 8, Strings: 9, Instructions: 961registryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CF54B60: IsNetworkAlive.SENSAPI(?,C6365386,?,?,00000000,6CF6B1E2,000000FF,?,?), ref: 6CF54BA1

RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Dispatcher,00000000,000F003F,00000000,false,00000005,6CF71ABC,00000000,6CF71ABC), ref: 6CF53C74
RegCreateKeyExW.ADVAPI32(80000001,Software\Microsoft\Dispatcher,00000000,00000000,00000001,000F003F,00000000,00000000,00000000), ref: 6CF53C9E
RegSetValueExW.KERNEL32(00000000,DataInQueueToSend,00000000,00000001,00000000,?), ref: 6CF53CBE
RegCloseKey.ADVAPI32(00000000), ref: 6CF53CCF
SHGetFolderPathAndSubDirW.SHELL32(00000000,0000801C,00000000,00000000,Microsoft,?,C6365386,?,00000000), ref: 6CF53F00

Strings

Software\Microsoft\Dispatcher, xrefs: 6CF53C6A, 6CF53C94
DataInQueueToSend, xrefs: 6CF53CB3
Microsoft, xrefs: 6CF53EF0
\*.bin, xrefs: 6CF54106, 6CF54346
%}, xrefs: 6CF545C4
wNRQTI, xrefs: 6CF54574
true, xrefs: 6CF53C12
Dispatcher, xrefs: 6CF540EC, 6CF54323
false, xrefs: 6CF53BCF

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID: AliveCloseCreateFolderNetworkOpenPathValue
String ID: DataInQueueToSend$Dispatcher$Microsoft$Software\Microsoft\Dispatcher$\*.bin$false$true$wNRQTI$%}
API String ID: 1057130902-857652906
Opcode ID: a2501e86fd2d1720cf0b8514944208124ed9aa9843627c21fcdce81d3535d4fe
Instruction ID: ef33125688c9dcfc3aeb9ed727094580f4de97b3f0980c1bd0d296072d769c42
Opcode Fuzzy Hash: a2501e86fd2d1720cf0b8514944208124ed9aa9843627c21fcdce81d3535d4fe
Instruction Fuzzy Hash: B3821671A11218CBDB14CF28CC94BDDB772FF55308F50869CD649ABA90DB74AAA8CF50

Function 6CF53FC7 Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 336
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\*.bin, xrefs: 6CF54106
%}, xrefs: 6CF545C4
wNRQTI, xrefs: 6CF54574
Dispatcher, xrefs: 6CF540EC

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID:
String ID: Dispatcher$\*.bin$wNRQTI$%}
API String ID: 0-3204596351
Opcode ID: 4241856e2fdb1fb08de2ef000eb0c9eb5ca4bd3fed00223ba1c07b6d3ec7068b
Instruction ID: 9495367c87aeeef1220ede4481f66af99fba996412cbbd1e4ffff4f9f8f4d30e
Opcode Fuzzy Hash: 4241856e2fdb1fb08de2ef000eb0c9eb5ca4bd3fed00223ba1c07b6d3ec7068b
Instruction Fuzzy Hash: 96D13670A112149BDB24CF28CC94B9DBB71FF91308F50869CD6499BB94DB34ABA8CF50

Function 6CF557F0 Relevance: 23.1, APIs: 9, Strings: 4, Instructions: 356
registryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\BingWallpaperApp,00000000,00000001,?,C6365386,?,?), ref: 6CF5585A
RegQueryValueExW.KERNEL32(?,Testing,00000000,00000000,?,00000208,?,?), ref: 6CF5587F
RegCloseKey.ADVAPI32(?,?,?), ref: 6CF558D4
CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000004,00000080,00000000,?,?,00000000,\BingWA.log,0000000B,?,?), ref: 6CF55A35
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?,00000000,\BingWA.log,0000000B,?,?), ref: 6CF55A51
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,6CF71ABC,00000000), ref: 6CF55C12
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,\BingWA.log), ref: 6CF55C49
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6CF55C6D
CloseHandle.KERNEL32(?), ref: 6CF55C7D

Strings

true, xrefs: 6CF55889
Testing, xrefs: 6CF55874
Software\Microsoft\BingWallpaperApp, xrefs: 6CF55850
\BingWA.log, xrefs: 6CF5590F

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID: File$ByteCharCloseMultiWide$CreateHandleOpenPointerQueryValueWrite
String ID: Software\Microsoft\BingWallpaperApp$Testing$\BingWA.log$true
API String ID: 2507764954-4284893737
Opcode ID: 14237cdcfc6bfdad5327816dd8b26f6ce57897927942af07aa659f126d2e19ed
Instruction ID: fe3f5dd3f614483ed7ece4f78f6c118188d13eea3cb5aca5d3f58a482c5f174f
Opcode Fuzzy Hash: 14237cdcfc6bfdad5327816dd8b26f6ce57897927942af07aa659f126d2e19ed
Instruction Fuzzy Hash: E4E1F171A11228ABEB20DF24CC8DBDDB775EF54304F6042D9E609A7690DB74AB98CF50

Function 6CF54B60 Relevance: 20.0, APIs: 8, Strings: 3, Instructions: 797
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsNetworkAlive.SENSAPI(?,C6365386,?,?,00000000,6CF6B1E2,000000FF,?,?), ref: 6CF54BA1
wsprintfW.USER32 ref: 6CF550AC
InternetCreateUrlW.WININET(?,00000000,?,?), ref: 6CF551F5
InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 6CF554B9
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,04280300,00000000), ref: 6CF554D8
InternetCloseHandle.WININET(00000000), ref: 6CF554E9
InternetCloseHandle.WININET(00000000), ref: 6CF554F7
InternetCloseHandle.WININET(00000000), ref: 6CF5550A

Strings

?MI=%s&LV=%s&OS=%s%s, xrefs: 6CF550A6
TV=, xrefs: 6CF54CEE, 6CF54D71
<, xrefs: 6CF55188

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID: Internet$CloseHandle$Open$AliveCreateNetworkwsprintf
String ID: <$?MI=%s&LV=%s&OS=%s%s$TV=
API String ID: 145654822-2364758559
Opcode ID: 34bc0548eb801fbea7da0f5f67862184cc4fca49d716b4f6a60ab00edbe72af0
Instruction ID: 18a5080aa61eb1422567108e94c7e534bef5f65a9e514a53cbbffb1f3e108d1e
Opcode Fuzzy Hash: 34bc0548eb801fbea7da0f5f67862184cc4fca49d716b4f6a60ab00edbe72af0
Instruction Fuzzy Hash: 9E62A171E111188BEF14CF28CC85FDDB7B2AF94308F508299D549ABA95DB34AAD8CF50

Function 6CF576E6 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 168
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCloseKey.ADVAPI32(?), ref: 6CF57725
RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Dispatcher,00000000,000F003F,00000000), ref: 6CF5780B
RegCreateKeyExW.KERNEL32(80000001,Software\Microsoft\Dispatcher,00000000,00000000,00000001,000F003F,00000000,00000000,00000000), ref: 6CF57835
RegSetValueExW.KERNEL32(00000000,MachineID,00000000,00000001,00000000,?), ref: 6CF57855
RegCloseKey.ADVAPI32(00000000), ref: 6CF57866

Strings

Software\Microsoft\Dispatcher, xrefs: 6CF57801, 6CF5782B
t*j, xrefs: 6CF57813
0J, xrefs: 6CF578B9
MachineID, xrefs: 6CF5784A
Ph?, xrefs: 6CF577F9

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID: Close$CreateOpenValue
String ID: MachineID$Ph?$Software\Microsoft\Dispatcher$t*j$0J
API String ID: 678895439-2774528052
Opcode ID: 01aa924cf92342ad0c386a93ec97175b2b1d81eeb9d48fc2ff5d992f6ecac0d7
Instruction ID: ab1c9276604a58250530f5b8b9a890cb95a2498f16480e136b90f89544567217
Opcode Fuzzy Hash: 01aa924cf92342ad0c386a93ec97175b2b1d81eeb9d48fc2ff5d992f6ecac0d7
Instruction Fuzzy Hash: 2161F631A2121A9BDB209F24DD48BDDB771EF94304F5086DAE60DA7A50EB74ABD4CF40

Function 6CF574DD Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 140
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Dispatcher,00000000,000F003F,00000000), ref: 6CF5780B
RegCreateKeyExW.KERNEL32(80000001,Software\Microsoft\Dispatcher,00000000,00000000,00000001,000F003F,00000000,00000000,00000000), ref: 6CF57835

Strings

Software\Microsoft\Dispatcher, xrefs: 6CF57801, 6CF5782B
5J, xrefs: 6CF578B4
t*j, xrefs: 6CF57813
0J, xrefs: 6CF578B9
MachineID, xrefs: 6CF5784A
Ph?, xrefs: 6CF577F9

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID: CreateOpen
String ID: MachineID$Ph?$Software\Microsoft\Dispatcher$t*j$0J$5J
API String ID: 436179556-2698410659
Opcode ID: f22f41eb4d33c9c87aa89faa2694acf7d8bf730adb3f94c9809e016e1757e60c
Instruction ID: d7c364de61e45eb8010f0cb1e1bf830ca958d94636e939540821d6d3c39ffec8
Opcode Fuzzy Hash: f22f41eb4d33c9c87aa89faa2694acf7d8bf730adb3f94c9809e016e1757e60c
Instruction Fuzzy Hash: 62510431A2121A9BEB209F24DD48BDCB771EF94304F5046DAE60DB6691EB74ABD4CF40

Function 6CF56F86 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 337
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RpcStringFreeA.RPCRT4(?), ref: 6CF5704B
RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Dispatcher,00000000,00000001,?,6CF71ABC,00000000,C6365386,7FFFFFFE,00000007), ref: 6CF57296
RegCloseKey.ADVAPI32(?), ref: 6CF572DF

Strings

Software\Microsoft\Dispatcher, xrefs: 6CF57286
PR3, xrefs: 6CF57228
0J, xrefs: 6CF578B9

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID: CloseFreeOpenString
String ID: PR3$Software\Microsoft\Dispatcher$0J
API String ID: 4227190437-3370657222
Opcode ID: 200019d5fe9c3c760ffda2c6702a29e04741f1a048667be9e277437c21520baf
Instruction ID: 0cb4d3ab76c7e75fe2533dda803323b5c1a8a9013cd007eb6657d017a5cbf09c
Opcode Fuzzy Hash: 200019d5fe9c3c760ffda2c6702a29e04741f1a048667be9e277437c21520baf
Instruction Fuzzy Hash: 50D10871E102488BDB14DF68CC44BEDBBB1EF55308F60829ED505ABB40D7756A99CF90

Function 6CF516E7 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 445
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsW.SHLWAPI(?,?,?), ref: 6CF51A42
CreateDirectoryW.KERNEL32(?,00000000), ref: 6CF51A6E

Strings

Dispatcher, xrefs: 6CF51877, 6CF51CEA

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID: CreateDirectoryExistsFilePath
String ID: Dispatcher
API String ID: 2624722123-1283484028
Opcode ID: 02c8bd526864436eec0cb7675e780d5e46428aa5f3c51e561137cabf632676a2
Instruction ID: c5d15f8d690759eae9c1df668ad8604f0fefbb4e9aa72e088a8c5f392257e83d
Opcode Fuzzy Hash: 02c8bd526864436eec0cb7675e780d5e46428aa5f3c51e561137cabf632676a2
Instruction Fuzzy Hash: 7D12A471A112588BDB24CF28CC987DDB771EF95308F6082D9D509A7690DB39ABD8CF50

Function 6CF52230 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 315
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsW.SHLWAPI(?,C6365386,00000000), ref: 6CF52276
DeleteFileW.KERNEL32(?), ref: 6CF5228D

Strings

##L#B##, xrefs: 6CF523BE

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID: File$DeleteExistsPath
String ID: ##L#B##
API String ID: 4234011339-2723504578
Opcode ID: 74110611f5c600fbdf789605a05c08ad2a5dca40a8e2c536819d43baaae62567
Instruction ID: 2a4fac7033cdfc56dca8a753cb16cc6b430025554553f954a265baf14cbb49a6
Opcode Fuzzy Hash: 74110611f5c600fbdf789605a05c08ad2a5dca40a8e2c536819d43baaae62567
Instruction Fuzzy Hash: BAC19F71E11209DBDF04CFA8C894BDEB7B1FF55308F60421DD505A7A80DB35AA59CBA1

Function 6CF51F20 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsW.SHLWAPI(?,C6365386,?,?), ref: 6CF51F67

Strings

##L#B##, xrefs: 6CF5201C

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID: ExistsFilePath
String ID: ##L#B##
API String ID: 1174141254-2723504578
Opcode ID: f31704c58b0240c2755d6138847482eb65b376f10519e717447cb5d36b20dc4b
Instruction ID: 8f508bfeba7ba584a64602ab658e3ebb56210e98b63dac6f6c1c461d416359b8
Opcode Fuzzy Hash: f31704c58b0240c2755d6138847482eb65b376f10519e717447cb5d36b20dc4b
Instruction Fuzzy Hash: CE91D471A002098BDF04CFA8CC98BEEB7B6FF58318F54462DD506ABB41DB35A958CB50

Function 6CF510B0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsW.SHLWAPI(?,C6365386,?,?), ref: 6CF51F67

Strings

##L#B##, xrefs: 6CF5201C

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID: ExistsFilePath
String ID: ##L#B##
API String ID: 1174141254-2723504578
Opcode ID: 0417038ceac8f9a430545e00e2ea1c7bd821e5cd2793b6d83b1519d6904acc2c
Instruction ID: c6078d31bb5a15dd68b48f7d920f8ca7c6530004d3e60e2007050eb07a53a94d
Opcode Fuzzy Hash: 0417038ceac8f9a430545e00e2ea1c7bd821e5cd2793b6d83b1519d6904acc2c
Instruction Fuzzy Hash: 7671B370A00249DBDF04CFA4C898BEEB7F6FF58308F54462DD516ABA40DB35A959CB50

Function 6CF510D0 Relevance: 3.1, APIs: 2, Instructions: 54
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsW.SHLWAPI(?,C6365386,00000000), ref: 6CF52276
DeleteFileW.KERNEL32(?), ref: 6CF5228D

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID: File$DeleteExistsPath
String ID:
API String ID: 4234011339-0
Opcode ID: e76e7412454f404a29146587d8fb4f0970ffaefb291c278c8cb662961fe0a52e
Instruction ID: e4d825cb33601bfce0f656583e659080a46a712236cda82781ca998710b1d45f
Opcode Fuzzy Hash: e76e7412454f404a29146587d8fb4f0970ffaefb291c278c8cb662961fe0a52e
Instruction Fuzzy Hash: 9811A531A05618EBDF14DF59D848B6AB7F8FB05710F40072EE91587E40CB31A964CAE1

Function 049524B0 Relevance: 1.8, APIs: 1, Instructions: 259COMMON

Download Yara Rule

APIs

GetUserGeoID.KERNEL32(00000010), ref: 04953B17

Memory Dump Source

Source File: 00000008.00000003.15740755527.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_4950000_rundll32.jbxd

Similarity

API ID: User
String ID:
API String ID: 765557111-0
Opcode ID: 7a5ef5aa2da3ee683f15ea25a3daec681cfe10536e96372bc7e02bb5167ef651
Instruction ID: 32bc1ccbff0cd9f0863646250c61c7808b644042cdf4626b3b0a83aa1adfcdf9
Opcode Fuzzy Hash: 7a5ef5aa2da3ee683f15ea25a3daec681cfe10536e96372bc7e02bb5167ef651
Instruction Fuzzy Hash: 8FA1AE70D043898FDB15CFA8C8547DEBFB1EF49304F14846AD855AB2A2D734A845CBA2

Function 049527C0 Relevance: 1.7, APIs: 1, Instructions: 233COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 04952A1A

Memory Dump Source

Source File: 00000008.00000003.15740755527.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_4950000_rundll32.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: de7ceb95cfcc902dfdbbc96c51b72eb1326408ccdac3c898893a50283c516ec1
Instruction ID: d7fe5c99c8a6c01ad04336adaee52b4b5fb884ccac1a64898c7e1b51ab85b8b8
Opcode Fuzzy Hash: de7ceb95cfcc902dfdbbc96c51b72eb1326408ccdac3c898893a50283c516ec1
Instruction Fuzzy Hash: B2710434B042158FD725CB78D89466EBBB6FF45314B2481BAD909CB3A2DB31EC42CB91

Function 6CF58030 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,C6365386,00000000), ref: 6CF580CE

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 4853711ee476518862cc54a9522af21900c00d31e1533f8e879f3e31cc54167f
Instruction ID: 31c404148112400352b189d9885c1aebbab3be9d25ba2cfefc8fd6acecda5ede
Opcode Fuzzy Hash: 4853711ee476518862cc54a9522af21900c00d31e1533f8e879f3e31cc54167f
Instruction Fuzzy Hash: 0821C6B4D402189BDB24DF54CC48BDABBB8FB04704F5041D9E909A7780D7746B48CF90

Function 04952488 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetUserGeoID.KERNEL32(00000010), ref: 04953B17

Memory Dump Source

Source File: 00000008.00000003.15740755527.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_4950000_rundll32.jbxd

Similarity

API ID: User
String ID:
API String ID: 765557111-0
Opcode ID: 32f02da187b29fd185b0f07e4adec8cf5674d374f0891e2f5bbd36ebb9f061f3
Instruction ID: a6f436b8efa18790f92d2fd616b763e453dac78a3a09a84f530e8bff035c39ea
Opcode Fuzzy Hash: 32f02da187b29fd185b0f07e4adec8cf5674d374f0891e2f5bbd36ebb9f061f3
Instruction Fuzzy Hash: 901113B49002498FDB20DF9AD484BAEFBF4EB48314F20845AD919A7350D374A944CFA5

Function 04953AB0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetUserGeoID.KERNEL32(00000010), ref: 04953B17

Memory Dump Source

Source File: 00000008.00000003.15740755527.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_4950000_rundll32.jbxd

Similarity

API ID: User
String ID:
API String ID: 765557111-0
Opcode ID: 81bffce140708cceb5289b5747bc1e364838e390ec7aaf7aa0e291c200ae2d55
Instruction ID: 26bdb4f6fea851ebd0a363fb23263142e30785cd60ce97a4b7177a8f27e3c51b
Opcode Fuzzy Hash: 81bffce140708cceb5289b5747bc1e364838e390ec7aaf7aa0e291c200ae2d55
Instruction Fuzzy Hash: AA1122B590024ACFDB20CFA9E4847EEFBF4EB48314F20846AC918A7750C774A955CFA5

Function 6CF60B30 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,6CF60909,00000001,00000364,?,FFFFFFFF,000000FF,?,?,6CF6031B,6CF60C6C), ref: 6CF60B71

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 780b106de7adb47fcc7bf73268ec7c588741256a266815569f6574129518dc58
Instruction ID: 2320c843c228e79fb120045ac9c081604163085f26eaf7ba282d5473f1c5a290
Opcode Fuzzy Hash: 780b106de7adb47fcc7bf73268ec7c588741256a266815569f6574129518dc58
Instruction Fuzzy Hash: 86F0E93261616867EF525A779D00F5B37689F827BCB30D121A814D7D90CBF0D40587E9

Function 6CF57642 Relevance: 1.5, APIs: 1, Instructions: 20registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32(?), ref: 6CF57681

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: ba33d024267f7a34869f13cf892c2a7c9a0371733be4639155b8472f92419d66
Instruction ID: 67ebba933860972b7a49490505a93a40481f593c7a50a20e478641cbe36c39af
Opcode Fuzzy Hash: ba33d024267f7a34869f13cf892c2a7c9a0371733be4639155b8472f92419d66
Instruction Fuzzy Hash: FAE09279D64205CBCB20DF08C948BA5B7B4FF51348F4682CAC90D67650EB348A94CE20

Function 045BD5F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.15741885145.00000000045BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_45bd000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e22095634fc7a39c511c0b0a97f19df0162b629e014d4bd363b8725df5eb2750
Instruction ID: eb7d53404f1267af44bd36e36d197b92efec15f981dc8aed7627bd8693868016
Opcode Fuzzy Hash: e22095634fc7a39c511c0b0a97f19df0162b629e014d4bd363b8725df5eb2750
Instruction Fuzzy Hash: 82212875604344DFDB05DF10E9C0B66BF75FB88310F248569D8890B256C33AE459EBE1

Function 045BD5EB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.15741885145.00000000045BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_45bd000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db3fc34567d93fcc23b6985a7ce179329bd3e72b02d5c4f8fec703928c4e388a
Instruction ID: 4646738e2dbc538a8fa755cfe505111b3340dafd60a42777dd87c853ae946533
Opcode Fuzzy Hash: db3fc34567d93fcc23b6985a7ce179329bd3e72b02d5c4f8fec703928c4e388a
Instruction Fuzzy Hash: 3211D376504280CFDB16CF10E5C4B56BF71FB84310F28C6A9D8480B656C33AE45ADBA1

Function 045BD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.15741885145.00000000045BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_45bd000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03802da251d9391975dc98add313424df8b57a09d8ac5e2c087efe3cc6524b4
Instruction ID: 5584d07b203f72192b91a12fc0df75242cb5c4d677594eea5750b1654d7696fa
Opcode Fuzzy Hash: d03802da251d9391975dc98add313424df8b57a09d8ac5e2c087efe3cc6524b4
Instruction Fuzzy Hash: 7101FC71104B449FE7104F25E9C47A2BFA8EF41330F14841ADC880B142E279A449EAF1

Function 045BD006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.15741885145.00000000045BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_45bd000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bd81dd83b97c58af6e9a066e0d3065a3ad09141c10e193da91af049ecec9edb
Instruction ID: 9ca15e422d990a07cbd8a5ec6091e5d797684e9c10dd30262c77729ba31d8baa
Opcode Fuzzy Hash: 1bd81dd83b97c58af6e9a066e0d3065a3ad09141c10e193da91af049ecec9edb
Instruction Fuzzy Hash: 29015E6100D7C45FE7128B259994BA2BFB4EF43224F1981CBD8888F193D26D5849CBB2

Non-executed Functions

Function 6CF5986F Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6CF5987B
IsDebuggerPresent.KERNEL32 ref: 6CF59947
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CF59967
UnhandledExceptionFilter.KERNEL32(?), ref: 6CF59971

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 451b0a384c1aed6410d451906e9a1cbd1c7908cd863f012ee8fd6744f5201b25
Instruction ID: c6b4f7b25f6bf1064f365b9d1c0aa90aca9401e2e88e2b790999d1e0e5ba7099
Opcode Fuzzy Hash: 451b0a384c1aed6410d451906e9a1cbd1c7908cd863f012ee8fd6744f5201b25
Instruction Fuzzy Hash: 343129B5D45218DBDF10DF61C9497CCBBB8AF08304F50419AE54DA7240EB715B858F55

Function 6CF59657 Relevance: 6.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,6CF59777,6CF6C310), ref: 6CF5965C
UnhandledExceptionFilter.KERNEL32(6CF59777,?,6CF59777,6CF6C310), ref: 6CF59665
GetCurrentProcess.KERNEL32(C0000409,?,6CF59777,6CF6C310), ref: 6CF59670
TerminateProcess.KERNEL32(00000000,?,6CF59777,6CF6C310), ref: 6CF59677

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 5430bf9200069bd7671ff5fefa6161f09789303b81941058e765b5f4e6c5e972
Instruction ID: e4d6013bb7a0c2809156ecc6d626dbbd0318e807a872efa1b65d00bc32e23b46
Opcode Fuzzy Hash: 5430bf9200069bd7671ff5fefa6161f09789303b81941058e765b5f4e6c5e972
Instruction Fuzzy Hash: 30D0CA32AA4208BBCE803BE2C80CBA83B38AB0A256F008001F3EAC2000CA3154008B61

Function 6CF629A7 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c859fd11af0119291b4a22b45ae418c387e0afce46642759b37d1bfbd7b41499
Instruction ID: 673de9a2aab8267043a8be4c8285c7c2c5f620cea0794299044695473496e3b0
Opcode Fuzzy Hash: c859fd11af0119291b4a22b45ae418c387e0afce46642759b37d1bfbd7b41499
Instruction Fuzzy Hash: 05E08C32912628EBCB10CB99CA0498AB3FCEB84B46B114596B502D3A10C671DE40EBD0

Function 6CF5F7D2 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc7cd9beb17384081dcc07d1ebc8352ecaeecca6abe001530bc82f5e39eb9526
Instruction ID: bb615a3ad2ffba8df95810752e69b48b2909d95b1ea3f6b3f4d9cc4783a371c0
Opcode Fuzzy Hash: cc7cd9beb17384081dcc07d1ebc8352ecaeecca6abe001530bc82f5e39eb9526
Instruction Fuzzy Hash: 26C08C38001A804ACE05C91492713E83364A7E179AFF004CCCE030BF41C65E9886EA41

Function 6CF5929F Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(6CF74B14,00000FA0,?,?,6CF5927D), ref: 6CF592AB
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,6CF5927D), ref: 6CF592B6
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6CF5927D), ref: 6CF592C7
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 6CF592D9
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 6CF592E7
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,6CF5927D), ref: 6CF5930A
DeleteCriticalSection.KERNEL32(6CF74B14,00000007,?,?,6CF5927D), ref: 6CF59326
CloseHandle.KERNEL32(00000000,?,?,6CF5927D), ref: 6CF59336

Strings

SleepConditionVariableCS, xrefs: 6CF592D3
kernel32.dll, xrefs: 6CF592C2
api-ms-win-core-synch-l1-2-0.dll, xrefs: 6CF592B1
WakeAllConditionVariable, xrefs: 6CF592DF

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: f81fba35104563f46360fcea787241f0537665005f82c083639cff7511e3fca5
Instruction ID: 58148f76650bc6ce3af1c72e36d73963541f6bdb6b11e954f904f8b270c545d5
Opcode Fuzzy Hash: f81fba35104563f46360fcea787241f0537665005f82c083639cff7511e3fca5
Instruction Fuzzy Hash: 07019271F51211BBDF513BB7A808B663A789B526097540611FEE4D2D40DF30CD018EB0

Function 6CF614BA Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,C6365386,?,6CF615C7,?,?,?,00000000), ref: 6CF6157B

Strings

ext-ms-, xrefs: 6CF61525
api-ms-, xrefs: 6CF61511

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 464de37912e7f672c6d63e2d49e7f03ca336a8fb4079f1fec981a2af4a824e8c
Instruction ID: 85b8d4cfdb16ce9a1270d3e2a895cc2c9aaf43ac6c1ce4c198b5d12feaa342c9
Opcode Fuzzy Hash: 464de37912e7f672c6d63e2d49e7f03ca336a8fb4079f1fec981a2af4a824e8c
Instruction Fuzzy Hash: 4621B736E11220ABDB119B27DC80B5B77789B437A4F255211ED66A7E80D730ED01CAE0

Function 6CF5BD22 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,6CF5BDE3,00000000,?,00000001,00000000,?,6CF5BE5A,00000001,FlsFree,6CF6CE3C,FlsFree,00000000), ref: 6CF5BDB2

Strings

api-ms-, xrefs: 6CF5BD72

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 5d6f407fafec9f9b260cf79811d7fa81e42451925c354bfc5c85beed3d12623f
Instruction ID: 4a56146bc31adc95d349674e2b368b83e542c1f80872a4eba897d2541113bc45
Opcode Fuzzy Hash: 5d6f407fafec9f9b260cf79811d7fa81e42451925c354bfc5c85beed3d12623f
Instruction Fuzzy Hash: 55112C36E41621ABDF125B29CC4075E33B49F13774F650A91EE60EB680D770ED108AD0

Function 6CF5F7F4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,C6365386,?,?,00000000,6CF6B594,000000FF,?,6CF5F784,?,?,6CF5F758,00000016), ref: 6CF5F829
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CF5F83B
FreeLibrary.KERNEL32(00000000,?,00000000,6CF6B594,000000FF,?,6CF5F784,?,?,6CF5F758,00000016), ref: 6CF5F85D

Strings

mscoree.dll, xrefs: 6CF5F822
CorExitProcess, xrefs: 6CF5F833

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 121a0e2c6a4327bf1c3086ca603408b603a5a99cffe422084212dcf4f211eeb6
Instruction ID: 5ebb961ed5fae3f5b4a61f6eba5bd778290cd2dc4caf012c3b1bdfd8f0bedde1
Opcode Fuzzy Hash: 121a0e2c6a4327bf1c3086ca603408b603a5a99cffe422084212dcf4f211eeb6
Instruction Fuzzy Hash: 78018632A14555FFDF419F51CC04BBEBBB8FB09719F100629F921A2A90DB759900CF90

Function 6CF55D70 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 195COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?,6CF71ABC,00000000,C6365386), ref: 6CF55E01
wsprintfW.USER32 ref: 6CF55E48

Strings

%d.%d.%d.%d, xrefs: 6CF55E42
Windows, xrefs: 6CF55F58

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID: Versionwsprintf
String ID: %d.%d.%d.%d$Windows
API String ID: 2108043187-3609678049
Opcode ID: b9087309b4ca960265c1c0df3505aa9e2e235617b7643977a49eeac47b62e70c
Instruction ID: 68fb05df192fa9e60ed0d48c85de54b3346f039295e10bd823f5fd4087354001
Opcode Fuzzy Hash: b9087309b4ca960265c1c0df3505aa9e2e235617b7643977a49eeac47b62e70c
Instruction Fuzzy Hash: 4B7103709112188BDB35CF24CC84BEDB7B9EF14308F50468DE559A7A90DB79AB98CF50

Function 6CF673C2 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(C6365386,?,00000000,?), ref: 6CF67425

Part of subcall function 6CF61315: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,6CF67DB5,0000FDE9,00000000,?,?,?,6CF67AF6,0000FDE9,00000000,?), ref: 6CF613C1

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6CF67680
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CF676C8
GetLastError.KERNEL32 ref: 6CF6776B

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 416ef4550a0a644da25f4b68b9523eacdde04af4a08eeb8ff1e0141c8ddd4469
Instruction ID: 7aaef0f188b9d19ad6c2a4ce2aef79e47864f0fa87bf43d893e9406967314beb
Opcode Fuzzy Hash: 416ef4550a0a644da25f4b68b9523eacdde04af4a08eeb8ff1e0141c8ddd4469
Instruction Fuzzy Hash: 82D14775E042589FCF01CFA9D880AADFBB5FF09314F24416AE865E7B51D730A946CB50

Function 6CF63C1B Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6CF63C23

Part of subcall function 6CF61315: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,6CF67DB5,0000FDE9,00000000,?,?,?,6CF67AF6,0000FDE9,00000000,?), ref: 6CF613C1

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CF63C5B
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CF63C7B

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 3a63ecc2da1741316958ea497aee792718f7b47e76c07be8994e6b8c3511ebaf
Instruction ID: ade290660ce00d0da227802407db481771cb26ca0487e8c0cf0103db1d9aa439
Opcode Fuzzy Hash: 3a63ecc2da1741316958ea497aee792718f7b47e76c07be8994e6b8c3511ebaf
Instruction Fuzzy Hash: 4311C0B2A456557E6B1167BB9D89CAF7AACDF872DC7200025F842D3F00EBA0DD088271

Function 6CF59796 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 6CF597A8
GetCurrentThreadId.KERNEL32 ref: 6CF597B7
GetCurrentProcessId.KERNEL32 ref: 6CF597C0
QueryPerformanceCounter.KERNEL32(?), ref: 6CF597CD

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: af40f2abcdf092e41033393ee92101edfca8772d35792aa8c2a86b55a9e3bbfb
Instruction ID: 1443ae9f5b9f32147933f3468c9b5aa7f80ec63db72ccef60393a07d7aa42a99
Opcode Fuzzy Hash: af40f2abcdf092e41033393ee92101edfca8772d35792aa8c2a86b55a9e3bbfb
Instruction Fuzzy Hash: 55F04D71D24209EBCF04EBF5C649BAEBBB8FF18205F5144959562E7140E634AB049B51

Function 6CF5B395 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 6CF5B3BA

Strings

MOC, xrefs: 6CF5B3CC
RCC, xrefs: 6CF5B3D4

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: ffcb3ef780381237280c659204ac90864bfb07ce25c63ea5edd5053d6cf901c0
Instruction ID: 3a9c238134c0e75d131601cb8b2a8eb37b78f7075a6c744e46a3f1bf6c69b603
Opcode Fuzzy Hash: ffcb3ef780381237280c659204ac90864bfb07ce25c63ea5edd5053d6cf901c0
Instruction Fuzzy Hash: 3F419A72900109EFCF16CF94CC80AEE7BB5FF58308F648599FA14A7610D3359961CBA0

Function 6CF59C19 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 6CF54980: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,6CF59C48,?,?,?,6CF5100A), ref: 6CF54985
Part of subcall function 6CF54980: GetLastError.KERNEL32(?,?,?,6CF5100A), ref: 6CF5498F

IsDebuggerPresent.KERNEL32(?,?,?,6CF5100A), ref: 6CF59C4C
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,6CF5100A), ref: 6CF59C5B

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 6CF59C56

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: 19d6e49404283240fc5f897cc8a190555e7c1150abaf34a0626a25e61dbf9dab
Instruction ID: 5e7d936ff64f7342199b81d16fd7a264cf91dfc4f414f9191ecc6ea1a5a27a5a
Opcode Fuzzy Hash: 19d6e49404283240fc5f897cc8a190555e7c1150abaf34a0626a25e61dbf9dab
Instruction Fuzzy Hash: DCE06DB06007428BDB61AF2ED5493427AF8AF20704F91881DD5E5C7F40EBB4D5548B61

Function 6CF56710 Relevance: 5.3, APIs: 4, Instructions: 259COMMON

Download Yara Rule

APIs

Part of subcall function 6CF56060: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,C6365386,00000000,00000000,?,6CF567BB,00000000,00000000,C6365386), ref: 6CF56076

MultiByteToWideChar.KERNEL32(00000003,00000000,?,?,?,?,?,?,?,?,?), ref: 6CF5692E
GetLastError.KERNEL32(?,?,?,?,?), ref: 6CF5693F
MultiByteToWideChar.KERNEL32(00000003,00000000,?,?,00000000,00000000,?,?,?,?,?), ref: 6CF5695F
MultiByteToWideChar.KERNEL32(00000003,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 6CF5699A

Memory Dump Source

Source File: 00000008.00000002.15743159036.000000006CF51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CF50000, based on PE: true

Associated: 00000008.00000002.15743138180.000000006CF50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743198506.000000006CF6C000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743225586.000000006CF74000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.15743249863.000000006CF76000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cf50000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 388616b4623dd437a228549068ad8390df0d64a1e79bc06cd4b3084c328048e1
Instruction ID: 6dcdad9295f2dab500d3ef7749b9fde29b8794567f8efe0928c3b98553078d64
Opcode Fuzzy Hash: 388616b4623dd437a228549068ad8390df0d64a1e79bc06cd4b3084c328048e1
Instruction Fuzzy Hash: A791D4B0E04259ABEB148F64CC40BDAB7B8AF14704F5041E9FA59E7B40DB719EA8CF50

Analysis Process: BingWallpaperApp.exePID: 448, Parent PID: 5104COMMON

Execution Graph

Execution Coverage:	17.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	26
Total number of Limit Nodes:	1

Executed Functions

Function 01813ADD Relevance: 1.8, APIs: 1, Instructions: 263
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.15931033004.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1810000_BingWallpaperApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5eb6e6632d825cb1c3a090a8ff12d7338b7d9979d1b3fd2889067b7e5a2b413
Instruction ID: 446854a10f89bc5645935ff91129f748ce02d718555a84b955b8c7f8b3afd8da
Opcode Fuzzy Hash: b5eb6e6632d825cb1c3a090a8ff12d7338b7d9979d1b3fd2889067b7e5a2b413
Instruction Fuzzy Hash: 48B1FC72D01349CFCB5ACFA8C840A99BBF8FF49328F64809ED505DB259D3399A46CB50

Function 01817705 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0181777B

Memory Dump Source

Source File: 0000000A.00000002.15931033004.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1810000_BingWallpaperApp.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 8bbe47a425ee1cd8a7ee3fba33ba712c711d70e17a05473881b3f94f3e50554b
Instruction ID: 6b9fd2e95c7e666d2a04dcebb76dd8208eb11106ffb93de3e141b37112f046dc
Opcode Fuzzy Hash: 8bbe47a425ee1cd8a7ee3fba33ba712c711d70e17a05473881b3f94f3e50554b
Instruction Fuzzy Hash: 0621F7B5D002099FDB10CFAAD484BDEFBF4EB48310F10842AD558A7251D378A555CF61

Function 01817708 Relevance: 1.6, APIs: 1, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0181777B

Memory Dump Source

Source File: 0000000A.00000002.15931033004.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1810000_BingWallpaperApp.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e75ec4080d27d9c7b9c183f38cb1d911cdfff1cd41a077204d1fd35d0dacb963
Instruction ID: ffee601842df59a5b2203f705950d32e7ebae49dca0f4b086b29bd6f16f1023c
Opcode Fuzzy Hash: e75ec4080d27d9c7b9c183f38cb1d911cdfff1cd41a077204d1fd35d0dacb963
Instruction Fuzzy Hash: 882117B59002099FDB10CFAAD884BDEFBF4FF48320F50842AE558A3241D378A654CFA5

Function 01814418 Relevance: 1.6, APIs: 1, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0181448B

Memory Dump Source

Source File: 0000000A.00000002.15931033004.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1810000_BingWallpaperApp.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a84e54806caa27f5c5c29b5937a2e1e2662fbda4ed3997b9b7bbaff8e2453451
Instruction ID: b8ff0d479872f1f25bd499f53845a024a85c82e7258c0785d4467349d8950529
Opcode Fuzzy Hash: a84e54806caa27f5c5c29b5937a2e1e2662fbda4ed3997b9b7bbaff8e2453451
Instruction Fuzzy Hash: 97212CB59002099FDB10CF9AD484BDEFBF4FF48310F50842AD558A3241D374A545CFA5

Analysis Process: BingWallpaperApp.exePID: 3332, Parent PID: 5104COMMON

Execution Graph

Execution Coverage:	16.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 0329439B Relevance: 1.6, APIs: 1, Instructions: 107
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0329448B

Memory Dump Source

Source File: 0000000B.00000002.15996296146.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3290000_BingWallpaperApp.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f1cdef783ed75235b71e8cbdd3a82da913bfcc4f07d25b27704ab6e3b74f9ea7
Instruction ID: 35e2e54b9678d2485e3e2989c8633dbbac86dac35daeaaf078d6f65bf3bf8868
Opcode Fuzzy Hash: f1cdef783ed75235b71e8cbdd3a82da913bfcc4f07d25b27704ab6e3b74f9ea7
Instruction Fuzzy Hash: 134135729102558FCB11DFB6C48879ABBF5FF4A314F1880AAD454AB645E378A181CB92

Function 032943D9 Relevance: 1.6, APIs: 1, Instructions: 85
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0329448B

Memory Dump Source

Source File: 0000000B.00000002.15996296146.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3290000_BingWallpaperApp.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 50b29090238bfd08edf0ae862b5be1140a8e92647d9de944c2bf68eb82465d3c
Instruction ID: d2950d6f4912ab6824d2ca86a72a416170d8224325ae0d3fe3837c4a485938cd
Opcode Fuzzy Hash: 50b29090238bfd08edf0ae862b5be1140a8e92647d9de944c2bf68eb82465d3c
Instruction Fuzzy Hash: FA317A71900359DFCB11CFBAD88479ABBF4FF4A310F1880AAD458AB241D378A581CF96

Function 03297702 Relevance: 1.6, APIs: 1, Instructions: 57
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0329777B

Memory Dump Source

Source File: 0000000B.00000002.15996296146.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3290000_BingWallpaperApp.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0cac3eca1680fbdb90885b8fe5c9eb8a196e637e0f649004ac1d4148541a2435
Instruction ID: d37a106b7d53311b0dbf0ccc7a83a60e3034b88a0fd0ae04095b405453c61760
Opcode Fuzzy Hash: 0cac3eca1680fbdb90885b8fe5c9eb8a196e637e0f649004ac1d4148541a2435
Instruction Fuzzy Hash: 672124B59002499FDB10CFAAD884BEEFBF4FF49320F14842AE458A7251D378A544CFA5

Function 03297708 Relevance: 1.6, APIs: 1, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0329777B

Memory Dump Source

Source File: 0000000B.00000002.15996296146.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3290000_BingWallpaperApp.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d4521a8bb4d79c10cf6c3defb448f8c809647ea6d70f92c1c71841e1177d9db1
Instruction ID: 8e6cadcac624a4110a8d83ed98def5b8d7466602b1620898bdd288ccbb36e53a
Opcode Fuzzy Hash: d4521a8bb4d79c10cf6c3defb448f8c809647ea6d70f92c1c71841e1177d9db1
Instruction Fuzzy Hash: D221F6B59003499FDB10DF9AD884BDEFBF4FB48320F14842AE858A7250D378A654CFA5

Function 03294418 Relevance: 1.6, APIs: 1, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0329448B

Memory Dump Source

Source File: 0000000B.00000002.15996296146.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3290000_BingWallpaperApp.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7f2fdc05062b5949f587845f1d67516cbcd47bff066d8533e18c47d65ff19274
Instruction ID: 0147309f8d45254eb01b4aa3e8d5cf9750f7d9fffb71ad8a9eb28f7725b509c9
Opcode Fuzzy Hash: 7f2fdc05062b5949f587845f1d67516cbcd47bff066d8533e18c47d65ff19274
Instruction Fuzzy Hash: 6A21F6B59002499FDB10DF9AD884BDEFBF4FB48320F14842AE858A7650D378A645CFA5

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BWCStartMSI.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Privilege Escalation

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\7d3d2a.rbs

C:\Users\user\AppData\Local\Microsoft\BGAHelperLib\BrowserSettings.dll

C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BWAConfig.bin

C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BWCUpdater.exe

C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe

C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\DispatchQueue.dll

C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\WPImages\20241206.jpg

C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\WPImages\20241207.jpg

C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\WPImages\20241208.jpg

C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\WPImages\20241209.jpg

C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\WPImages\20241210.jpg

C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\WPImages\20241211.jpg

C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\WPImages\20241212.jpg

C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\WPImages\20241213.jpg

C:\Users\user\AppData\Local\Microsoft\BingWallpaperApp\WPImages\WPPrefs.bin

Windows Analysis Report
BWCStartMSI.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre